Re: RNG using AES CTR as encryption algorithm
On Wed, 9 Sep 2009, Peter Gutmann wrote:

> I was just going to reply with a variation of this, if you're implementing a full protocol that uses AES-CTR (or any algorithm/mode for that matter), find other implementations that do it too and make sure that you can talk to them. In theory everyone could end up implementing it wrong, but that's somewhat unlikely.
>
> (This has already caught AES-CTR implementation bugs in the past, for example one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was noticed when SSH users couldn't connect to OpenSSH servers using this mode).

That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API. Any mistakes in implementing CTR mode in OpenSSH are therefore our own.

-d

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: RNG using AES CTR as encryption algorithm
Damien Miller d...@mindrot.org writes:

> That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API.

I first saw it reported on the Putty bugs list [0], a good place to track interop problems with implementations since it's so widely used, which in turn points to https://bugzilla.mindrot.org/show_bug.cgi?id=1291:

> Connections from OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006 to OpenSSH_4.5p1, OpenSSL 0.9.8e 23 Feb 2007 using aes256-ctr fail with "Bad packet length". The same problem occurs when using PuTTY 0.59 against the newer server. PuTTY users have reported this problem too, with servers on both FreeBSD and Linux, and with OpenSSH versions back to 4.0.

In fact it was listed as closed and resolved by, uh, one Damien Miller :-).

Peter.

[0] Meaning bugs encountered while using Putty, not necessarily bugs in Putty.
Re: RNG using AES CTR as encryption algorithm
On Mon, 14 Sep 2009, Peter Gutmann wrote:

> Damien Miller d...@mindrot.org writes:
>
>> That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API.
>
> I first saw it reported on the Putty bugs list [0], a good place to track interop problems with implementations since it's so widely used, which in turn points to https://bugzilla.mindrot.org/show_bug.cgi?id=1291:

Actually, I'm half-wrong (or half-right) - there was a bug in OpenSSL, just not in AES-CTR specifically. It was a mildly obscure bug in the EVP interface that showed up when plugging in one's own ciphers.

We now have automated interop regression tests against PuTTY to catch this sort of thing...

-d
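The interop advice in this thread, as an added example (not code from OpenSSH, OpenSSL, PuTTY or any list member): an AES-CTR written directly on the raw AES block function is checked byte for byte against a second, independently written implementation (Go's standard library CTR mode stands in for the "other implementation" you would talk to) and against a NIST SP 800-38A known-answer block, with a counter that wraps so that a carry bug confined to the low word would surface. The function and variable names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
)

// ownCTR is an independent counter mode on the raw AES block function: keystream
// block i = AES_k(iv + i) XORed into data. The counter is one big-endian 128-bit
// integer carried through every byte, as NIST SP 800-38A and SSH aes*-ctr require.
func ownCTR(block cipher.Block, iv, data []byte) []byte {
	ctr := append([]byte(nil), iv...) // work on a copy, never the caller's IV
	ks, out := make([]byte, block.BlockSize()), make([]byte, len(data))
	for off := 0; off < len(data); off += len(ks) {
		block.Encrypt(ks, ctr)
		for j := 0; j < len(ks) && off+j < len(data); j++ { // partial last block ok
			out[off+j] = data[off+j] ^ ks[j]
		}
		for i := len(ctr) - 1; i >= 0; i-- { // increment with carry across all bytes
			if ctr[i]++; ctr[i] != 0 {
				break
			}
		}
	}
	return out
}

// Interop reports whether ownCTR agrees byte for byte with the standard library's
// CTR mode, which stands in here for the "other implementation" you talk to.
func Interop(key, iv, data []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ref := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(ref, data)
	return bytes.Equal(ownCTR(block, iv, data), ref), nil
}

// KnownAnswer encrypts the first NIST SP 800-38A F.5.1 plaintext block and returns
// the hex ciphertext, a fixed external answer rather than two codebases agreeing.
func KnownAnswer() string {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	block, _ := aes.NewCipher(key)
	return hex.EncodeToString(ownCTR(block, iv, pt)) // 874d6191b620e3261bef6864990db6ce
}
```

Agreement with a second implementation plus a published vector is the same two-sided check the thread recommends; a mismatch on the all-ones IV case points straight at counter handling.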
Re: how to encrypt and integrity-check with only one key
Following up to my own post:

On Monday, 2009-09-14, at 10:22, Zooko Wilcox-O'Hearn wrote:

> David-Sarah Hopwood suggested the improvement that the integrity-check value V could be computed as an integrity check (i.e. a secure hash) on the K1_enc in addition to the file contents.

Oops, that's impossible. What David-Sarah Hopwood actually said was that this would be nice if it were possible, but since it isn't then people should pass around the tuple of (v, K1_enc) whenever they want to verify the integrity of the ciphertext.

http://allmydata.org/pipermail/tahoe-dev/2009-September/002798.html

Regards,

Zooko