IETF-SSH archive

Re: [ietf-tls] Re: an attack against SSH2 protocol
On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote:
> Thus, future revisions of TLS should also take this into account.
> That is, either transmit a fresh (unpredictable) IV with each msg,
> or implicitly compute this IV in an *unpredictable* way, for example by
> applying a prf to the msg counter.

I'll note that using CTR mode is more efficient than either of these
suggestions. It doesn't require unpredictable IVs.

> PS: since Wei Dai mentioned the case of SSH in this context, the bad news
> there is that even using CBC and fixing the problem of predictable IV
> leaves the protocol open to the attacks on authenticate-and-mac
> shown in my paper (e.g. the attack in appendix C).

Good point. If we want to fix SSH by using a per-packet unpredictable IV,
the IV would have to be added to the list of MAC inputs. I think that
would prevent the attack in appendix C.

I'm not very familiar with how IETF working groups work, so what's the
next step here?
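An added illustration of the two remedies discussed above, written for this archive page rather than taken from the thread or from any SSH implementation: an explicit per-packet random IV that is also fed into the MAC, and CTR mode keyed by the public packet sequence number so that no IV has to be unpredictable or transmitted. The block cipher is a toy HMAC-based Feistel stand-in, and the key names, packet layout and sample payload are constructed for the demo.

```python
import hashlib, hmac, os, struct
BLOCK = 16  # toy 16-byte block; the Feistel cipher below is a constructed stand-in, not a real cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):  # toy round function: HMAC-SHA256 truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_cipher(key, blk, decrypt=False):  # 4-round Feistel network: invertible, so CBC can decrypt
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        if decrypt:
            l, r = _xor(r, _round(key, l, rnd)), l
        else:
            l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def cbc(key, iv, data, decrypt=False):  # plain CBC; data must be a whole number of blocks
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out.append(_xor(block_cipher(key, blk, decrypt=True), prev))
            prev = blk
        else:
            prev = block_cipher(key, _xor(blk, prev))
            out.append(prev)
    return b"".join(out)

def ctr(key, seq, data):
    # keystream block j = E_k(seq || j); the public sequence number need only be unique, not unpredictable
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    return _xor(data, b"".join(block_cipher(key, struct.pack(">QQ", seq, j)) for j in range(nblocks)))

def seal(enc_key, mac_key, seq, plaintext, mode="cbc"):
    # Encrypt-and-MAC as in SSH (MAC over seq || plaintext) plus the explicit IV, as suggested above; constructed layout: iv || body || tag
    if mode == "cbc":
        iv = os.urandom(BLOCK)  # fresh, unpredictable IV for every packet
        body = cbc(enc_key, iv, plaintext)
    else:
        iv, body = b"", ctr(enc_key, seq, plaintext)
    tag = hmac.new(mac_key, struct.pack(">Q", seq) + iv + plaintext, hashlib.sha256).digest()
    return iv + body + tag

def unseal(enc_key, mac_key, seq, packet, mode="cbc"):
    ivlen = BLOCK if mode == "cbc" else 0
    iv, body, tag = packet[:ivlen], packet[ivlen:-32], packet[-32:]
    plaintext = cbc(enc_key, iv, body, decrypt=True) if mode == "cbc" else ctr(enc_key, seq, body)
    expect = hmac.new(mac_key, struct.pack(">Q", seq) + iv + plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(tag, expect) else None  # None: reject the packet
```

With `mode="ctr"` the packet is one block shorter and sealing is deterministic for a given sequence number, while with `mode="cbc"` the same plaintext seals differently every time.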
