Re: an attack against SSH2 protocol

To: Bill Sommerfeld <sommerfeld%east.sun.com@localhost>
Subject: Re: an attack against SSH2 protocol
From: nico <nico%verizon.net@localhost>
Date: Sun, 24 Mar 2002 04:20:28 -0500

On Fri, Feb 08, 2002 at 02:50:29PM -0500, Bill Sommerfeld wrote:
> 
>     Padding
>       Arbitrary-length padding, such that the total length of
>       (packet_length || padding_length || payload || padding) is a
>       multiple of the cipher block size or 8, whichever is larger.
>       There MUST be at least four bytes of padding.  The padding SHOULD
>       consist of random bytes.  The maximum amount of padding is 255
>       bytes.
> 
> With the 4-byte minimum, the random padding puts a floor on the
> difficulty of guessing the previous block (no better than one chance
> in 2**32).  An implementation could render the attack entirely
> meaningless by always sending a full cipherblock of padding...

This would pretty much be the equivalent of starting encrypted messages
with confounders. The "modern" Kerberos crypto spec relies on
confounders instead of explicit IVs (which are worse than implicit IVs).

So why not?

Alternatively a new global request could be spec'ed to negotiate the use
of confounders instead of implicit IVs.

> 					- Bill
> 

Nico

Follow-Ups:
- Re: an attack against SSH2 protocol
  - From: Markus Friedl

References:
- an attack against SSH2 protocol
  - From: Wei Dai
- Re: an attack against SSH2 protocol
  - From: Bill Sommerfeld

Prev by Date: Re: Even more ways to fix the cbc-mode attack
Next by Date: Re: closing a channel
Previous by Thread: Re: an attack against SSH2 protocol
Next by Thread: Re: an attack against SSH2 protocol
Indexes:

Home | Main Index | Thread Index | Old Index