IETF-SSH archive
Re: updated transport & userauth drafts
It looks like the transport draft still does not deal with the attack I
pointed out a few weeks ago. To fix this, I suggest that the following
text be added to section 4.3:
(begin quote)
    aes256-ctr   OPTIONAL      AES (Rijndael) in CTR mode,
                               with 256-bit key
    aes192-ctr   OPTIONAL      AES with 192-bit key
    aes128-ctr   RECOMMENDED   AES with 128-bit key
[and similarly for all other block ciphers]
The "aes256-ctr" cipher is AES (Advanced Encryption Standard),
formerly Rijndael, in CTR mode. This version uses a 256-bit key.
The "aes192-ctr" cipher is the same as above but with a 192-bit key.
The "aes128-ctr" cipher is the same as above but with a 128-bit key.
For any cipher in CTR mode, the counter used to encrypt each plaintext
block MUST be the IV if no previous plaintext block exists, or C+1 mod 2^N
where C is the counter used to encrypt the previous block, and N is the
block size of the cipher in bits. Network order SHOULD be used to convert
the counter between its octet string form and its integer form for the
computation of C+1 mod 2^N.
(end quote)
And that the following text be added to the security discussions section:
(begin quote)
The protocol may be susceptible to chosen plaintext attacks if a CBC-mode
cipher is used. It is RECOMMENDED that CBC-mode ciphers be avoided if the
protocol is used in a way that allows an attacker to control part or all
of the first N bits of the plaintext of each packet, where N is the cipher
block size.
(end quote)
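The counter rule proposed above, as an added example that is not part of the original message or of the draft: a Go implementation of CTR mode that uses the IV as the counter for the first block and then C+1 mod 2^N with the counter read in network (big-endian) order, so that an all-0xff counter wraps to zero. It cross-checks the octet-level carry against the literal integer definition, and compares its output with Go's own crypto/cipher CTR, which increments the whole block the same way. The key, IV and plaintext are constructed sample values, and every function name here is this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/big"
)

// IncrementCounter computes C+1 mod 2^N in place, treating ctr as an N-bit
// unsigned integer in network (big-endian) order, N = 8*len(ctr). The carry
// runs from the last octet toward the first; an all-0xff counter wraps to zero.
func IncrementCounter(ctr []byte) {
	for i := len(ctr) - 1; i >= 0; i-- {
		ctr[i]++
		if ctr[i] != 0 {
			return
		}
	}
}

// IncrementViaBigInt is the literal reading of the proposed text: convert the
// octet string to an integer in network order, add 1 modulo 2^N, convert back.
// It exists only to cross-check IncrementCounter and returns a new slice.
func IncrementViaBigInt(ctr []byte) []byte {
	modulus := new(big.Int).Lsh(big.NewInt(1), uint(8*len(ctr)))
	c := new(big.Int).SetBytes(ctr)
	c.Add(c, big.NewInt(1)).Mod(c, modulus)
	return c.FillBytes(make([]byte, len(ctr)))
}

// SSHCTR encrypts or decrypts data (CTR is its own inverse) with block, using
// iv as the counter for the first block and IncrementCounter for every block
// after it. The final keystream block is truncated when data is not a multiple
// of the block size. The caller's iv is left unchanged.
func SSHCTR(block cipher.Block, iv, data []byte) ([]byte, error) {
	n := block.BlockSize()
	if len(iv) != n {
		return nil, fmt.Errorf("IV must be %d octets, got %d", n, len(iv))
	}
	ctr := append([]byte(nil), iv...) // work on a copy
	keystream := make([]byte, n)
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += n {
		block.Encrypt(keystream, ctr)
		for i := 0; i < n && off+i < len(data); i++ {
			out[off+i] = data[off+i] ^ keystream[i]
		}
		IncrementCounter(ctr)
	}
	return out, nil
}

// MatchesStdlibCTR reports whether SSHCTR agrees with Go's crypto/cipher CTR
// for the given AES key, IV and plaintext. A mismatch would mean the two sides
// disagree on counter semantics (for example a 32-bit trailing counter field
// instead of the full block), which is exactly what the proposed text pins down.
func MatchesStdlibCTR(key, iv, plaintext []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ours, err := SSHCTR(block, iv, plaintext)
	if err != nil {
		return false, err
	}
	theirs := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(theirs, plaintext)
	return bytes.Equal(ours, theirs), nil
}

func main() {
	// Constructed sample values (not from the draft). The IV is all 0xff so
	// the counter wraps to zero between the first and second block.
	key := []byte("0123456789abcdef")
	iv := bytes.Repeat([]byte{0xff}, aes.BlockSize)
	plaintext := []byte("constructed sample plaintext, not block-aligned")

	block, _ := aes.NewCipher(key)
	ct, _ := SSHCTR(block, iv, plaintext)
	pt, _ := SSHCTR(block, iv, ct)
	fmt.Printf("round trip ok:             %v\n", bytes.Equal(pt, plaintext))
	ok, _ := MatchesStdlibCTR(key, iv, plaintext)
	fmt.Printf("matches crypto/cipher CTR: %v\n", ok)

	next := bytes.Repeat([]byte{0xff}, aes.BlockSize)
	IncrementCounter(next)
	fmt.Printf("ff..ff + 1 mod 2^128 = %x\n", next)
	fmt.Printf("big.Int cross-check:   %x\n", IncrementViaBigInt(iv))
}
```

The point of the comparison function is interoperability: CTR implementations differ in how much of the block they treat as the counter and in which byte order they carry, and the proposed wording (full block, network order, wrap at 2^N) is what lets two independent implementations produce the same keystream from the same IV.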