IETF-SSH archive

Re: Core draft last call update.



Bill Sommerfeld wrote:
>This attack has greatly increased difficulty for SSH because the SSH
>MAC also covers the random pad at the end of the message.  As a
>result, you can only tell if m and m' are identical if the random
>padding appended by the sender is identical.

Do all implementations use truly random padding?
It wasn't clear to me from the draft that the randomness
of the padding is security-critical, so I could easily imagine
as an optimization using not-very-random randomness for the
padding if I were implementing.  But maybe I missed something,
or maybe it was more obvious to others.

Would it be prudent to make the draft say that the padding
MUST use high-quality randomness, and to describe the security
threat so that implementors are less likely to fall into this trap?
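The property the two messages above are discussing, shown as an added example (it is not code from the archived thread or from any SSH implementation): two packets are laid out in the transport draft's binary format, the MAC is computed over the sequence number and the unencrypted packet (padding included), and the MACs are compared once with constant padding and once with random padding. HMAC-SHA256, an 8-byte block size, the sample key and payload, and the helper names are all assumptions of this example; the sequence number is held fixed only to isolate the padding's contribution.

```python
import hashlib
import hmac
import os
import struct

BLOCK_SIZE = 8      # assumed cipher block size; the whole packet must align to it
MIN_PADDING = 4     # the transport draft requires at least four padding bytes
MAC_KEY = b"constructed-demo-mac-key"   # constructed sample key, not a real one


def build_packet(payload: bytes, padding_source) -> bytes:
    """Lay out one SSH binary packet:
       uint32 packet_length | byte padding_length | payload | padding
    padding_source(n) supplies the n padding bytes; that is the part under discussion."""
    padding_len = BLOCK_SIZE - ((4 + 1 + len(payload)) % BLOCK_SIZE)
    if padding_len < MIN_PADDING:
        padding_len += BLOCK_SIZE
    padding = padding_source(padding_len)
    if len(padding) != padding_len:
        raise ValueError("padding source returned the wrong number of bytes")
    packet_length = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_length, padding_len) + payload + padding


def packet_mac(seq: int, packet: bytes) -> bytes:
    """MAC over sequence_number || unencrypted packet (HMAC-SHA256 assumed here).
    The padding sits inside `packet`, so the MAC covers it."""
    return hmac.new(MAC_KEY, struct.pack(">I", seq) + packet, hashlib.sha256).digest()


def zero_padding(n: int) -> bytes:
    # the "optimisation" the reply worries about: constant, non-random padding
    return b"\x00" * n


def random_padding(n: int) -> bytes:
    return os.urandom(n)


def mac_reveals_equality(payload_a: bytes, payload_b: bytes, padding_source, seq: int = 7) -> bool:
    """Build two packets independently with the same key and sequence number and
    report whether their MACs match. Equal MACs tell an observer that m == m'
    AND that the padding was identical; random padding breaks that second condition."""
    mac_a = packet_mac(seq, build_packet(payload_a, padding_source))
    mac_b = packet_mac(seq, build_packet(payload_b, padding_source))
    return hmac.compare_digest(mac_a, mac_b)


def padding_source_repeats(padding_source, n: int = 8, trials: int = 16) -> bool:
    """Implementer's sanity check: does the padding source hand back the same
    bytes every call? True means the padding is not random at all."""
    samples = {padding_source(n) for _ in range(trials)}
    return len(samples) == 1


if __name__ == "__main__":
    m = b"\x5e\x00\x00\x00\x05hello"   # constructed sample payload
    print("zero padding,   same message -> same MAC:", mac_reveals_equality(m, m, zero_padding))
    print("random padding, same message -> same MAC:", mac_reveals_equality(m, m, random_padding))
    print("zero padding repeats:  ", padding_source_repeats(zero_padding))
    print("random padding repeats:", padding_source_repeats(random_padding))
```

With constant padding the MAC of a repeated message repeats, so an observer comparing MACs learns that m == m'; with at least four bytes of fresh random padding per packet the two MACs differ, which is the property the quoted text relies on. The `padding_source_repeats` check is the kind of self-test an implementation could run against whatever it plugs in as its padding generator.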
