Re: Core draft last call update.

To: Bill Sommerfeld <sommerfeld%orchard.arlington.ma.us@localhost>
Subject: Re: Core draft last call update.
From: Bodo Moeller <moeller%cdc.informatik.tu-darmstadt.de@localhost>
Date: Tue, 12 Mar 2002 17:04:22 +0100

On Tue, Mar 12, 2002 at 10:26:34AM -0500, Bill Sommerfeld wrote:

>> What about the attack described in Appendix C of
>> <URL:http://eprint.iacr.org/2001/045/>, which appears to be
>> applicable to the SSH binary packet protocol as specified in
>> draft-ietf-secsh-transport-13.txt (no matter if CBC or OFB or
>> counter mode is used)?

> The appendix C attack works only if the IV is carried with each
> message -- each message is independant, with no initial state other
> than the key.
> 
> This is emphatically not the case for the ssh transport protocol in
> any of CBC, CFB, OFB, or counter modes.

Yes, you are right.  For any given record in the stream, after
processing the previous record has been completed, the mapping between
ciphertexts and plaintexts is bijective.  Thus it is not possible to
substitute a different ciphertext corresponding to the same plaintext
because there *is* no different ciphertext corresponding to the same
plaintext.



-- 
Bodo Möller <moeller%cdc.informatik.tu-darmstadt.de@localhost>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

References:
- Re: Core draft last call update.
  - From: Bill Sommerfeld

Prev by Date: Re: Application data during key re-exchange
Next by Date: Re: Application data during key re-exchange
Previous by Thread: Re: Core draft last call update.
Next by Thread: Re: Core draft last call update.
Indexes:

Home | Main Index | Thread Index | Old Index