IETF-SSH archive


Re: draft minutes from meeting at ietf50..



I suggest that the following paragraphs be included in the transport
draft.  They contain recommendations for the size of private exponent
in the DH key exchange, and mention security problems related to
traffic analysis.

Greetings,
  Niels.

Implementation Notes:

To increase the speed of the key exchange, both client and server may
reduce the size of their private exponents. It should be at least
twice as long as the key material that is generated from the shared
secret.  For more details see the paper by van Oorschot and Wiener
[A].

[A]  P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
     agreement with short exponents, In Advances in Cryptology -
     EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.

An adversary can listen to SSH network traffic to determine the length
of authentication passwords typed during login and interactive shell
sessions [B].  Using packet timing analysis, it is also possible to
infer the probability of letter combinations in the typed passwords
[C].  SSH servers and clients MAY send SSH_MSG_IGNORE messages to
mitigate the impact of traffic analysis.

[B] OpenWall Security Advisory, Passive Analysis of SSH (Secure
    Shell) Traffic,
    http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

[C] Dawn Song, David Wagner and Xuqing Tian, Keystroke Analysis and
    SSH Timing Attacks, 10th USENIX Security Symposium, August 2001
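The length side of the SSH_MSG_IGNORE mitigation suggested above, as an added example that is not part of the original message or of the draft: each real packet is followed by one SSH_MSG_IGNORE packet sized so that the pair always occupies the same number of bytes on the wire. The bucket size, the 8-byte alignment and the helper names are assumptions; encryption and the MAC are omitted, and packet timing is not addressed.

```python
import os
import struct

SSH_MSG_IGNORE = 2  # message number defined by the SSH transport protocol
BLOCK = 8           # minimum packet alignment; assumed, a cipher may need more
BUCKET = 64         # assumed constant wire size per message, multiple of BLOCK

def frame(payload, block=BLOCK):
    """uint32 packet_length | byte padding_length | payload | random padding."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:  # at least four bytes of padding are required
        pad += block
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)) + body

def ignore_payload(data_len):
    """SSH_MSG_IGNORE: message byte followed by a length-prefixed string."""
    return bytes([SSH_MSG_IGNORE]) + struct.pack(">I", data_len) + os.urandom(data_len)

def pad_with_ignore(payload, bucket=BUCKET, block=BLOCK):
    """Real packet plus one IGNORE packet, together exactly `bucket` bytes."""
    real = frame(payload, block)
    remaining = bucket - len(real)
    if bucket % block or remaining < 16:  # 16 = smallest possible IGNORE packet
        raise ValueError("bucket must be a multiple of block with room for IGNORE")
    # IGNORE packet = 4 + 1 + (1 + 4 + d) + pad; d = remaining - 14 makes pad == 4.
    return real + frame(ignore_payload(remaining - 14), block)

def split_packets(stream):
    """Receiver side: recover the payload of every packet in a byte stream."""
    payloads = []
    while stream:
        (packet_length,) = struct.unpack(">I", stream[:4])
        pad = stream[4]
        payloads.append(stream[5:4 + packet_length - pad])
        stream = stream[4 + packet_length:]
    return payloads

def wire_sizes(lengths, padded):
    """Bytes on the wire for payloads of the given lengths."""
    make = pad_with_ignore if padded else frame
    return [len(make(b"k" * n)) for n in lengths]

if __name__ == "__main__":
    sample = [3, 8, 14, 20]  # constructed payload lengths
    print("unpadded:", wire_sizes(sample, padded=False))
    print("padded:  ", wire_sizes(sample, padded=True))
```

The receiver discards the second payload after reading its message byte, so the filler never reaches the application.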


