IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: an attack against SSH2 protocol
Wei Dai <weidai%eskimo.com@localhost> writes:
> The simplest way to do this would be to
> deprecate the CBC mode block ciphers, and instead specify ciphers in
> CFB, CTR or OFB mode.
Another simple "fix" for CBC might be to add one more encryption
operation between packets. If one packet consists of the ciphertext
blocks
b_1, b_2, ..., b_n,
ssh uses b_n as the iv for the next packet. Would it help to instead
use C_k(b_n) as the iv? This would be equivalent to inserting one
(plain text) block of zeroes between packets, and keeping the
corresponding ciphertext block secret. (The same trick could be used
in other contexts that needs to send an iv in the clear: Encrypt the
cleartext iv once before using it).
To me, this attack doesn't look like a reason for general panic, but
in any case it would be a good thing to specify how to use counter
mode in ssh (but I think we should stay with a small number of modes,
and not add *every* reasonable mode).
A problem with counter mode is that the FIPS document doesn't define
it fully; it doesn't say how you should increment the counter, you can
do it in little endian order or big endian order or using any
permutation of your choice. Is there any IETF wg that has tried to
define a single standard way of doing counter mode?
/Niels
Home |
Main Index |
Thread Index |
Old Index