IETF-SSH archive


Re: potential disclaimer for the transport draft.



On Wed, Mar 20, 2002 at 08:24:07PM -0800, Wei Dai wrote:
> > We haven't decided on the fix.  If we choose to fix the problem by
> > introducing new ciphers, the document which specifies them can
> > deprecate the old ciphers.  We could investigate new ciphers,
> > determine we can't agree on the right ones, and fall back to fixing
> > the problem some other way (i.e., start each block of ciphertext with
> > an SSH_MSG_IGNORE).
> 
> Regarding the parenthetical suggestion, I thought each SSH packet can
> contain only one message. Is that incorrect?

I would still appreciate an answer to my question, but I now see that the
proposed fix works in either case. The sender could send two packets for
every normal message, the first one containing an SSH_MSG_IGNORE, and the
second one containing the actual message.

Following a suggestion David Hopwood posted to IETF-TLS, it seems a good
idea to implement this workaround for CBC mode in any case, so that at
least one direction of the connection is protected against the
predictable-IV attack even if the other side has not implemented the final
fix. 
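As an added example (not code from the thread, from David Hopwood, or from any SSH implementation), the following models at block level why a predictable IV lets an attacker confirm a guess about earlier plaintext, and why sending an SSH_MSG_IGNORE packet before each real message stops it. Assumptions: a toy HMAC-based Feistel network stands in for the real block cipher (the attack only needs a deterministic keyed permutation and CBC chaining), each "packet" is reduced to its plaintext blocks, the IGNORE message is represented by one block of random bytes, and the sample traffic (`HEADER`, `SECRET`) is constructed for the demonstration.

```python
"""Chained-IV CBC weakness and the SSH_MSG_IGNORE-first workaround, modelled at
block level. Added example, not from the thread or any SSH implementation.
The block cipher is a toy stand-in (assumption: the attack depends only on CBC
structure and a deterministic keyed permutation, not on the cipher itself)."""
import hashlib
import hmac
import os
from typing import List

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # HMAC-SHA256 keyed by (key, round number), truncated to half a block.
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4-round Feistel network, which is a bijection
    for any round function. Stands in for AES/3DES here; not for real use."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


class ChainedCBCSender:
    """CBC encryptor whose IV for the next packet is the last ciphertext block
    it sent, i.e. CBC chained continuously across packets as the thread describes."""

    def __init__(self, key: bytes, iv: bytes) -> None:
        self.key = key
        self.last = iv  # goes out on the wire, so the attacker knows it too

    def send(self, blocks: List[bytes]) -> List[bytes]:
        out = []
        for p in blocks:
            c = toy_encrypt_block(self.key, xor(p, self.last))
            out.append(c)
            self.last = c
        return out


def attacker_probe(guess: bytes, c_prev: bytes, c_next_iv: bytes) -> bytes:
    """Plaintext block the attacker arranges to have encrypted next (e.g. data
    echoed into the session). The sender XORs it with c_next_iv, so the cipher
    input becomes guess XOR c_prev: exactly the input that produced the victim
    block if the guess is right."""
    return xor(xor(guess, c_prev), c_next_iv)


# Constructed sample traffic: a 16-byte header block followed by a secret block.
HEADER = b"channel-data:000"
SECRET = b"passwd=hunter2!!"


def run_attack(guess: bytes, with_ignore: bool) -> bool:
    """Return True if the attacker can confirm that `guess` equals SECRET."""
    key, iv = os.urandom(32), os.urandom(BLOCK)
    sender = ChainedCBCSender(key, iv)

    victim_ct = sender.send([HEADER, SECRET])  # observed by the attacker
    c_prev, c_secret = victim_ct[0], victim_ct[1]

    # The attacker chooses its block now, knowing the IV the sender will use next.
    probe = attacker_probe(guess, c_prev, sender.last)

    if with_ignore:
        # Workaround from the thread: an SSH_MSG_IGNORE packet goes out first.
        # Its random contents make the real packet's IV unpredictable at the
        # time the attacker chose `probe` (modelled here as one random block).
        sender.send([os.urandom(BLOCK)])

    (c_probe,) = sender.send([probe])
    # Without the IGNORE packet this equals c_secret exactly when guess == SECRET;
    # with it, equality would require the random block's ciphertext to equal the
    # previous IV, which happens with probability 2^-128.
    return c_probe == c_secret
```

With a correct guess and no IGNORE packet, `run_attack` returns True; a wrong guess returns False because the Feistel is a permutation; with the IGNORE packet in front, even the correct guess returns False. As the post notes, this only protects the direction in which the sender applies the workaround: the peer's outgoing traffic is covered only if the peer does the same.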


