IETF-SSH archive

Re: Core draft last call update.



On Tue, Mar 12, 2002 at 09:52:54AM -0500, Bill Sommerfeld wrote:

>> What about the attack described in Appendix C of
>> <URL:http://eprint.iacr.org/2001/045/>, which appears to be
>> applicable to the SSH binary packet protocol as specified in
>> draft-ietf-secsh-transport-13.txt (no matter if CBC or OFB or
>> counter mode is used)?

> This attack has greatly increased difficulty for SSH because the SSH
> MAC also covers the random pad at the end of the message.  As a
> result, you can only tell if m and m' are identical if the random
> padding appended by the sender is identical.

I see.  Actually the current draft only says that the padding 'SHOULD'
be random, not that it 'MUST' be random.  Also the minimum padding
length of 32 bits isn't large enough to make the attack really
intractable, so the protocol should eventually be fixed.


-- 
Bodo Möller <moeller%cdc.informatik.tu-darmstadt.de@localhost>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
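Added illustration (not part of the archived message, and not code from any SSH implementation): a toy model of the equality leak the two messages above discuss. Under Encrypt-and-MAC the tag is computed over the plaintext and sent in the clear, so a passive observer who compares two tags learns whether the two packets carried the same plaintext. Because the SSH MAC also covers the padding, the tags differ as long as the padding values differ; with only 32 bits of random padding, repeated transmissions of the same payload produce a repeated padding value, and therefore a repeated tag, after roughly 2**16 packets (birthday bound). The key, the payloads and the use of HMAC-SHA1 are constructed for the example; the sequence-number prefix that the draft also MACs is left out so that the effect of the padding alone is visible.

```python
import hashlib
import hmac
import random

# Constructed shared MAC key; in SSH it would come from the key exchange.
MAC_KEY = b"\x42" * 20
MIN_PADDING = 4  # the draft's minimum padding: 4 bytes, i.e. 32 bits


def padding_length(payload_len, block_size=8):
    """Padding per the draft's rule: at least MIN_PADDING bytes, and enough
    that packet_length || padding_length || payload || padding is a whole
    number of cipher blocks."""
    pad = (-(4 + 1 + payload_len)) % block_size
    if pad < MIN_PADDING:
        pad += block_size
    return pad


def build_packet(payload, padding):
    """Unencrypted SSH binary packet: uint32 packet_length, byte
    padding_length, payload, padding. The MAC is taken over this string."""
    packet_length = 1 + len(payload) + len(padding)
    return (packet_length.to_bytes(4, "big") + bytes([len(padding)])
            + payload + padding)


def make_padding(length, rng):
    """rng=None models a sender that ignores the SHOULD and pads with zeros."""
    if rng is None:
        return bytes(length)
    return rng.getrandbits(8 * length).to_bytes(length, "big")


def mac_tag(packet):
    """Deterministic MAC over the plaintext packet. In Encrypt-and-MAC the
    tag travels unencrypted beside the ciphertext, so the observer sees it."""
    return hmac.new(MAC_KEY, packet, hashlib.sha1).digest()


def send(payload, rng, pad_len=None):
    """Sender side: pad, MAC, and return the tag the observer gets to see.
    pad_len overrides the draft's rule only so that the birthday effect can
    be demonstrated at a size that runs quickly."""
    if pad_len is None:
        pad_len = padding_length(len(payload))
    return mac_tag(build_packet(payload, make_padding(pad_len, rng)))


def observer_sees_equal(tag_a, tag_b):
    """The attack itself: no key needed, just tag comparison."""
    return tag_a == tag_b


def packets_until_tag_repeat(payload, rng, limit, pad_len=None):
    """Send the same payload repeatedly with fresh random padding and return
    the packet number at which a tag (hence a padding value) first repeats,
    or None if none repeats within `limit` packets. Expect about
    2**(bits/2) packets for `bits` bits of random padding."""
    seen = set()
    for n in range(1, limit + 1):
        tag = send(payload, rng, pad_len)
        if tag in seen:
            return n
        seen.add(tag)
    return None


def seeded_rng(seed):
    """Reproducible padding source for the demonstration."""
    return random.Random(seed)


if __name__ == "__main__":
    m = b"ls -la\n"  # constructed 7-byte payload: gets exactly 4 bytes of padding
    print("zero padding, same plaintext, tags equal:",
          observer_sees_equal(send(m, None), send(m, None)))
    rng = seeded_rng(2002)
    print("random 32-bit padding, same plaintext, tags equal:",
          observer_sees_equal(send(m, rng), send(m, rng)))
    print("packets of the same plaintext until a 32-bit pad repeats:",
          packets_until_tag_repeat(m, rng, 1 << 18))
```

With zero padding the observer's comparison is exact; with random 4-byte padding a single pair of packets almost never compares equal, but a repeated tag on the same plaintext appears after a few tens of thousands of packets, which is the order of magnitude behind the remark that 32 bits is not enough to make the attack intractable.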