IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [ietf-tls] Re: an attack against SSH2 protocol
On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote:
> Thus, future revisions of TLS should also take this into account.
> That is, either transmit a fresh (unpredictable) IV with each msg,
> or implcitly compute this IV in an *unpredictable* way, for example by
> applying a prf to the msg counter.
I'll note that using CTR mode is more efficient than either of these
suggestions. It doesn't require unpredictable IVs.
> PS: since Wei Dai mentioned the case of SSH in this context, the bad news
> there is that even using CBC and fixing the problem of predictable IV
> leaves the protocol open to the attacks on authenticate-and-mac
> showed in my paper (e.g. the attack in appendix C)
Good point. If we want to fix SSH by using a per-packet unpredictable IV,
the IV would have to be added to the list of MAC inputs. I think that
would prevent the attack in appendix C.
I'm not very familiar with how IETF working groups work, so what's the
next step here?
Home |
Main Index |
Thread Index |
Old Index