IETF-SSH archive


Re: an attack against SSH2 protocol



Wei Dai <weidai%eskimo.com@localhost> writes:

> The simplest way to do this would be to 
> deprecate the CBC mode block ciphers, and instead specify ciphers in 
> CFB, CTR or OFB mode.

Another simple "fix" for CBC might be to add one more encryption
operation between packets. If one packet consists of the ciphertext
blocks

  b_1, b_2, ..., b_n,

ssh uses b_n as the iv for the next packet. Would it help to instead
use C_k(b_n) as the iv? This would be equivalent to inserting one
(plain text) block of zeroes between packets, and keeping the
corresponding ciphertext block secret. (The same trick could be used
in other contexts that need to send an iv in the clear: Encrypt the
cleartext iv once before using it).

To me, this attack doesn't look like a reason for general panic, but
in any case it would be a good thing to specify how to use counter
mode in ssh (but I think we should stay with a small number of modes,
and not add *every* reasonable mode).

A problem with counter mode is that the FIPS document doesn't define
it fully; it doesn't say how you should increment the counter, you can
do it in little endian order or big endian order or using any
permutation of your choice. Is there any IETF wg that has tried to
define a single standard way of doing counter mode?

/Niels
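The following is an added illustration, not code from this thread or from any SSH implementation. It models the two points above with a toy 128-bit Feistel block cipher (constructed here from HMAC-SHA256 so it runs with the standard library; it stands in for AES or 3DES and is not a real cipher). `next_iv_ssh2` chains packets the way SSH2 does (the next IV is b_n, visible on the wire), `next_iv_encrypted` is the C_k(b_n) proposal, `zero_block_equivalence` checks the claim that this equals CBC-encrypting one zero plaintext block, and `ctr_keystream` shows that big-endian and little-endian counter increments agree on the first block but diverge from the second block on (the SSH counter mode later specified in RFC 4344 settled on big-endian increment over the whole block). All names, keys and inputs are constructed for this example.

```python
"""Added example (not part of the thread): a toy model of SSH2 CBC packet chaining,
the encrypted-IV fix proposed above, and the counter-mode increment ambiguity."""
import hashlib
import hmac

BLOCK = 16  # block size in bytes (128-bit blocks, as with AES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 keyed by the cipher key, truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_k: a 4-round balanced Feistel network, constructed for this
    example only (it stands in for AES/3DES and is not a real cipher)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block (the Feistel rounds undone in reverse order)."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: c_i = E_k(p_i XOR c_{i-1}) with c_0 = iv; input must be block-aligned."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def next_iv_ssh2(key: bytes, last_block: bytes) -> bytes:
    """What SSH2 does: the next packet's IV is b_n, the last ciphertext block,
    which is already visible on the wire before the next plaintext is chosen."""
    return last_block


def next_iv_encrypted(key: bytes, last_block: bytes) -> bytes:
    """The proposal in the mail: use C_k(b_n). The wire still shows b_n, but the
    effective IV is never transmitted."""
    return encrypt_block(key, last_block)


def chain_packets(key, iv0, packets, next_iv):
    """Encrypt a sequence of block-aligned packets, deriving each packet's IV from
    the previous packet's last ciphertext block with next_iv."""
    iv, out = iv0, []
    for p in packets:
        c = cbc_encrypt(key, iv, p)
        out.append(c)
        iv = next_iv(key, c[-BLOCK:])
    return out


def unchain_packets(key, iv0, ciphertexts, next_iv):
    """Receiver side of chain_packets: same IV derivation, CBC decryption."""
    iv, out = iv0, []
    for c in ciphertexts:
        out.append(cbc_decrypt(key, iv, c))
        iv = next_iv(key, c[-BLOCK:])
    return out


def zero_block_equivalence(key: bytes, last_block: bytes) -> bool:
    """Check the mail's claim: CBC-encrypting one all-zero plaintext block after b_n
    gives E_k(0 XOR b_n) = E_k(b_n), i.e. exactly the proposed next IV."""
    return cbc_encrypt(key, last_block, bytes(BLOCK)) == next_iv_encrypted(key, last_block)


def ctr_keystream(key: bytes, counter0: bytes, nblocks: int, endian: str) -> bytes:
    """CTR keystream where the whole block is incremented as an integer in the given
    byte order ('big' or 'little'); the two conventions give different keystreams."""
    ctr = int.from_bytes(counter0, endian)
    return b"".join(
        encrypt_block(key, ((ctr + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, endian))
        for i in range(nblocks)
    )


if __name__ == "__main__":
    key = b"k" * 32            # constructed key
    iv = bytes(range(BLOCK))   # constructed initial IV
    pkts = [bytes(range(32)), bytes(32)]  # two constructed packets
    for fn in (next_iv_ssh2, next_iv_encrypted):
        cts = chain_packets(key, iv, pkts, fn)
        assert unchain_packets(key, iv, cts, fn) == pkts
        print(fn.__name__, "next IV equals the block seen on the wire:",
              fn(key, cts[0][-BLOCK:]) == cts[0][-BLOCK:])
    ctr0 = bytes(BLOCK - 1) + b"\x01"
    print("CTR keystreams agree across byte orders over 2 blocks:",
          ctr_keystream(key, ctr0, 2, "big") == ctr_keystream(key, ctr0, 2, "little"))
```

Running the script prints that the SSH2 chaining hands the receiver (and the observer) the next IV in the clear, that the encrypted variant does not, and that the two counter byte orders diverge from the second block on, which is why a spec has to pin one down.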


