Re: Core draft last call update.

To: Bill Sommerfeld <sommerfeld%orchard.arlington.ma.us@localhost>
Subject: Re: Core draft last call update.
From: Bodo Moeller <moeller%cdc.informatik.tu-darmstadt.de@localhost>
Date: Tue, 12 Mar 2002 16:05:22 +0100

On Tue, Mar 12, 2002 at 09:52:54AM -0500, Bill Sommerfeld wrote:

>> What about the attack described in Appendix C of
>> <URL:http://eprint.iacr.org/2001/045/>, which appears to be
>> applicable to the SSH binary packet protocol as specified in
>> draft-ietf-secsh-transport-13.txt (no matter if CBC or OFB or
>> counter mode is used)?

> This attack has greatly increased difficulty for SSH because the SSH
> MAC also covers the random pad at the end of the message.  As a
> result, you can only tell if m and m' are identical if the random
> padding appended by the sender is identical.

I see.  Actually the current draft only says that the padding 'SHOULD'
be random, not that it 'MUST' be random.  Also the minimum padding
length of 32 bits isn't large enough to make the attack really
intractable, so the protocol should eventually be fixed.


-- 
Bodo Möller <moeller%cdc.informatik.tu-darmstadt.de@localhost>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

References:
- Re: Core draft last call update.
  - From: Bill Sommerfeld

Prev by Date: Re: Core draft last call update.
Next by Date: Re: Core draft last call update.
Previous by Thread: Re: Core draft last call update.
Next by Thread: Re: Core draft last call update.
Indexes:

Home | Main Index | Thread Index | Old Index