IETF-SSH archive


working group last call is complete.



We've now reached the defined end of the last call period.

At this point, my sense is that no respin of the documents is
necessary.  The next step in the process is for me to send the
documents to the area director in order to initiate an IETF-wide last
call.

Issues raised during working group last call:

 - Wei Dai: There is a known-IV chosen-plaintext attack allowing
plaintext-guess verification against many protocols using CBC-based
symmetric encryption modes, including SSH.

Proposed resolution: 

This is a flaw in CBC mode, not a flaw in the SSH protocol itself.
Details of how ssh does message framing seem to indicate that the
attack will be extremely difficult in practice.

The WG will investigate other encryption modes, but no technical
document change is appropriate at this stage, as the problem can be
fixed by defining new symmetric encryption types, which can easily be
done in a new draft.

If we come to consensus on a warning or disclaimer regarding the CBC
modes we can insert additional text in one of the core documents as
part of the RFC editor process.

 - Mats Andersson: existing text regarding certificates needs still more
   wordsmithing.

Proposed resolution: during the previous last call, the WG concluded
that certificate handling should be described in a separate
document.  When that document exists, it can supply any necessary
clarifications; there's correspondingly no need to respin the core
drafts at this time.

 - Derek Fawcus: suggestion to allow optimistic sending of
post-userauth messages before the server accepts authentication.

Proposed resolution: as this is just an optimization (reducing round
trip delays at connection setup time), we can defer any work in this
area.

Several issues were raised but withdrawn:

 - Bodo Moeller: potential cipherblock substitution attack from Hugo
K. paper.  Withdrawn since it doesn't actually apply to SSH because of
IV chaining.

 - Niels Moeller: request to change handling of rekey to allow
interleaving of rekey and user messages.  Not showstopper for now;
apparently withdrawn.  This is another optimization which we can add
later.

					- Bill


