IETF-SSH archive


Re: Core draft last call update.



> What about the attack described in Appendix C of
> <URL:http://eprint.iacr.org/2001/045/>, which appears to be
> applicable to the SSH binary packet protocol as specified in
> draft-ietf-secsh-transport-13.txt (no matter if CBC or OFB or
> counter mode is used)?

Now that I've had some caffeine -- there's another reason why this
attack can't work for SSH.

The appendix C attack works only if the IV is carried with each
message -- each message is independent, with no initial state other
than the key.

This is emphatically not the case for the ssh transport protocol in
any of CBC, CFB, OFB, or counter modes.

CBC, CFB:
With ssh, the IV of message N comes from the last block of message
N-1.  If the attacker simply substitutes c1 for c1', the first block of
c will be garbled due to the wrong IV.

If the attacker attempts to substitute the previous cipherblock as
well so that the IVs match, this will garble the previous message and
cause the connection to drop before the attack can be attempted.

OFB, counter mode:

The attack simply can't work as described, since the keystream
generated by the cipher will be completely different for c and c'; if
you substitute c for c', the entire decryption will be garbled.

I may be mistaken but in order for the "OTP" version of the attack
described in the appendix to be possible, the system under attack
would need to be committing a much greater cryptographic sin: that of
allowing the reuse of a stream cipher!

						- Bill
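The chaining argument above can be checked directly. The following is an added example, not code from the message, the draft or any SSH implementation: it models the SSH-style single CBC chain (IV of packet N = last ciphertext block of packet N-1) and a single running counter for counter mode, then performs the two substitutions described in the message and reports which 16-byte blocks come out garbled. The block cipher is a toy SHA-256 Feistel network so the example runs offline with the standard library; the key, IV, nonce and packet contents are constructed sample values.

```python
import hashlib

BLOCK = 16
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 128-bit Feistel block cipher built on SHA-256. It stands in for the real
# cipher only so that the example is self-contained; it is a permutation, which
# is all the chaining argument below relies on.
def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def enc_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def dec_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt_chain(key, iv, packets):
    """SSH-style CBC: one chain across all packets, so the IV of packet N is
    the last ciphertext block of packet N-1. Returns one ciphertext per packet."""
    out, prev = [], iv
    for pt in packets:
        blocks = []
        for i in range(0, len(pt), BLOCK):
            prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
            blocks.append(prev)
        out.append(b"".join(blocks))
    return out


def cbc_decrypt_chain(key, iv, packets):
    out, prev = [], iv
    for ct in packets:
        blocks = []
        for i in range(0, len(ct), BLOCK):
            c = ct[i:i + BLOCK]
            blocks.append(xor(dec_block(key, c), prev))
            prev = c
        out.append(b"".join(blocks))
    return out


def ctr_chain(key, nonce, packets):
    """SSH-style counter mode: one counter runs across all packets, so no
    keystream position is ever reused. Encrypt and decrypt are the same op."""
    out, ctr = [], 0
    for pt in packets:
        blocks = []
        for i in range(0, len(pt), BLOCK):
            ks = enc_block(key, nonce[:8] + ctr.to_bytes(8, "big"))
            blocks.append(xor(pt[i:i + BLOCK], ks))
            ctr += 1
        out.append(b"".join(blocks))
    return out


# Constructed sample traffic: three two-block packets under one session key.
KEY = b"constructed-test-key"
IV = bytes(range(16))
NONCE = b"constructed-nonce"
PACKETS = [b"packet-0 block-A" + b"packet-0 block-B",
           b"packet-1 block-A" + b"packet-1 block-B",
           b"packet-2 block-A" + b"packet-2 block-B"]


def garbled_blocks(expected: bytes, got: bytes) -> list:
    """Indices of the 16-byte blocks of `got` that differ from `expected`."""
    return [i // BLOCK for i in range(0, len(expected), BLOCK)
            if expected[i:i + BLOCK] != got[i:i + BLOCK]]


def cbc_substitute_packet():
    """Attacker replaces packet 2's ciphertext with packet 1's (c -> c').
    Returns (garbled blocks in packet 2, garbled blocks in packet 1)."""
    cts = cbc_encrypt_chain(KEY, IV, PACKETS)
    pts = cbc_decrypt_chain(KEY, IV, [cts[0], cts[1], cts[1]])
    # Packet 2 now decrypts to packet 1's plaintext, except that its first
    # block was chained from a different IV and comes out as garbage.
    return garbled_blocks(PACKETS[1], pts[2]), garbled_blocks(PACKETS[1], pts[1])


def cbc_fix_iv_too():
    """Attacker also overwrites packet 1's last block with packet 0's last
    block so the spliced packet sees its original IV. Returns (garbled blocks
    in packet 1, garbled blocks in packet 2): the damage moves to packet 1."""
    cts = cbc_encrypt_chain(KEY, IV, PACKETS)
    patched1 = cts[1][:BLOCK] + cts[0][-BLOCK:]
    pts = cbc_decrypt_chain(KEY, IV, [cts[0], patched1, cts[1]])
    return garbled_blocks(PACKETS[1], pts[1]), garbled_blocks(PACKETS[1], pts[2])


def ctr_substitute_packet():
    """Same c -> c' substitution under counter mode: packet 2 is XORed with
    the keystream for its own counter values, not the ones c' was made with."""
    cts = ctr_chain(KEY, NONCE, PACKETS)
    pts = ctr_chain(KEY, NONCE, [cts[0], cts[1], cts[1]])
    return garbled_blocks(PACKETS[1], pts[2])


if __name__ == "__main__":
    print("CBC, swap packet:        ", cbc_substitute_packet())
    print("CBC, swap packet and IV: ", cbc_fix_iv_too())
    print("CTR, swap packet:        ", ctr_substitute_packet())
```

In the first CBC case only block 0 of the spliced packet is garbled (the rest of the packet re-chains from its own ciphertext); since SSH carries the packet length in that first block, the receiver loses framing there. Forcing the IV to match instead garbles the last block of the preceding packet, and under counter mode every block of the spliced packet is garbled because the keystream position differs.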


