IETF-SSH archive


Re: Core draft last call update.



On Tue, Mar 12, 2002 at 10:26:34AM -0500, Bill Sommerfeld wrote:

>> What about the attack described in Appendix C of
>> <URL:http://eprint.iacr.org/2001/045/>, which appears to be
>> applicable to the SSH binary packet protocol as specified in
>> draft-ietf-secsh-transport-13.txt (no matter if CBC or OFB or
>> counter mode is used)?

> The appendix C attack works only if the IV is carried with each
> message -- each message is independent, with no initial state other
> than the key.
> 
> This is emphatically not the case for the ssh transport protocol in
> any of CBC, CFB, OFB, or counter modes.

Yes, you are right.  For any given record in the stream, after
processing the previous record has been completed, the mapping between
ciphertexts and plaintexts is bijective.  Thus it is not possible to
substitute a different ciphertext corresponding to the same plaintext
because there *is* no different ciphertext corresponding to the same
plaintext.



-- 
Bodo Möller <moeller%cdc.informatik.tu-darmstadt.de@localhost>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
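The bijectivity argument above, as an added toy illustration (not code from this thread or from any SSH implementation): a chained-mode receiver whose counter is endpoint state that advances per record, next to a message-independent receiver that reads the counter off the wire. The key, the one-byte records and the SHA-256 stand-in for a block cipher in counter mode are constructed assumptions chosen so that the check can enumerate every possible ciphertext.

```python
import hashlib
from itertools import product

def keystream(key: bytes, counter: int) -> int:
    """Toy PRF standing in for a block cipher in counter mode; yields one
    keystream byte per record (1-byte records keep the exhaustive check small)."""
    return hashlib.sha256(key + counter.to_bytes(8, "big")).digest()[0]

def chained_decrypt(key: bytes, state: int, ciphertext: int) -> int:
    """SSH transport style: the counter (chaining value) is state left over from
    the previous record; nothing about it travels on the wire."""
    return ciphertext ^ keystream(key, state)

def explicit_iv_decrypt(key: bytes, wire: tuple) -> int:
    """Message-independent style: each record carries its own counter, so the
    receiver keeps no state between records."""
    counter, ciphertext = wire
    return ciphertext ^ keystream(key, counter)

def chained_ciphertexts_per_plaintext(key: bytes, state: int) -> dict:
    """For one fixed receiver state, group all 256 one-byte ciphertexts by the
    plaintext they decrypt to."""
    groups = {}
    for c in range(256):
        groups.setdefault(chained_decrypt(key, state, c), []).append(c)
    return groups

def explicit_iv_ciphertexts_per_plaintext(key: bytes, counters: range) -> dict:
    """Same grouping over every (counter, ciphertext) pair a stateless receiver accepts."""
    groups = {}
    for ctr, c in product(counters, range(256)):
        groups.setdefault(explicit_iv_decrypt(key, (ctr, c)), []).append((ctr, c))
    return groups

def max_alternatives(groups: dict) -> int:
    """Largest number of distinct ciphertexts sharing one plaintext;
    1 means ciphertext -> plaintext is a bijection at that receiver state."""
    return max(len(v) for v in groups.values())

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    chained = chained_ciphertexts_per_plaintext(key, state=7)
    print("chained mode, ciphertexts per plaintext:", max_alternatives(chained))   # 1
    explicit = explicit_iv_ciphertexts_per_plaintext(key, range(4))
    print("explicit IV, ciphertexts per plaintext:", max_alternatives(explicit))   # 4
```

In the chained case every plaintext has exactly one ciphertext at a given state, which is the "no different ciphertext corresponding to the same plaintext" point; in the explicit-IV case each plaintext has one ciphertext per counter value the receiver is willing to accept.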
