IETF-SSH archive


Re: an attack against SSH2 protocol



On Fri, Feb 08, 2002 at 02:50:29PM -0500, Bill Sommerfeld wrote:
> 
>     Padding
>       Arbitrary-length padding, such that the total length of
>       (packet_length || padding_length || payload || padding) is a
>       multiple of the cipher block size or 8, whichever is larger.
>       There MUST be at least four bytes of padding.  The padding SHOULD
>       consist of random bytes.  The maximum amount of padding is 255
>       bytes.
> 
> With the 4-byte minimum, the random padding puts a floor on the
> difficulty of guessing the previous block (no better than one chance
> in 2**32).  An implementation could render the attack entirely
> meaningless by always sending a full cipherblock of padding...

This would pretty much be the equivalent of starting encrypted messages
with confounders. The "modern" Kerberos crypto spec relies on
confounders instead of explicit IVs (which are worse than implicit IVs).

So why not?

Alternatively a new global request could be spec'ed to negotiate the use
of confounders instead of implicit IVs.

> 					- Bill
> 

Nico
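The following is an added example, not part of the archived message or of any SSH implementation. It builds and checks the padding rule quoted above (total length a multiple of the cipher block size or 8, at least 4 and at most 255 bytes of random padding) and adds Bill's "full cipherblock of padding" variant. Two assumptions are mine: the packet_length field is taken to count padding_length, payload and padding (as in the SSH transport draft, not spelled out in the quoted excerpt), and "a full cipherblock of padding" is read as padding_length >= block size, so that at least one whole block of random bytes sits at the end of every packet.

```python
"""Added example (not from the archived post): SSH2 binary-packet padding.

Layout assumed here (from the SSH transport draft; the quoted text only
gives the alignment rule):
    uint32  packet_length   # length of padding_length || payload || padding
    byte    padding_length
    bytes   payload
    bytes   padding         # random, >= 4, <= 255
(packet_length || padding_length || payload || padding) must be a multiple
of max(block_size, 8).  The full_block option is my reading of Bill's
"full cipherblock of padding": padding_length >= block_size.
"""
import os
import struct

MIN_PADDING = 4
MAX_PADDING = 255
HEADER_LEN = 4 + 1          # packet_length (uint32) + padding_length (byte)


def alignment(block_size: int) -> int:
    """Padding unit: the cipher block size or 8, whichever is larger."""
    return max(block_size, 8)


def padding_length(payload_len: int, block_size: int,
                   full_block: bool = False) -> int:
    """Smallest padding length that satisfies the quoted constraints.

    full_block=True raises the floor from 4 bytes to one whole cipher block,
    so the packet always ends in a full block of random bytes (a confounder).
    """
    unit = alignment(block_size)
    floor = unit if full_block else MIN_PADDING
    pad = unit - (HEADER_LEN + payload_len) % unit   # 1 .. unit
    while pad < floor:
        pad += unit
    if pad > MAX_PADDING:
        raise ValueError("cannot satisfy padding constraints")
    return pad


def padding_guess_space(pad_len: int) -> int:
    """Number of equally likely values for pad_len random padding bytes.

    With the 4-byte minimum this is 2**32: the floor Bill mentions on guessing
    a block that contains the padding.
    """
    return 2 ** (8 * pad_len)


def build_packet(payload: bytes, block_size: int, full_block: bool = False,
                 rng=os.urandom) -> bytes:
    """Serialize one unencrypted SSH2 packet (no MAC) with random padding."""
    pad = padding_length(len(payload), block_size, full_block)
    packet_length = 1 + len(payload) + pad
    return struct.pack(">IB", packet_length, pad) + payload + rng(pad)


def check_packet(packet: bytes, block_size: int) -> dict:
    """Parse a packet and report which of the quoted constraints it meets.

    Raises ValueError for length fields that do not match the buffer.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    packet_length, pad = struct.unpack(">IB", packet[:HEADER_LEN])
    if 4 + packet_length != len(packet):
        raise ValueError("packet_length does not match buffer")
    if pad >= packet_length:
        raise ValueError("padding_length exceeds packet_length")
    payload = packet[HEADER_LEN:len(packet) - pad]
    return {
        "payload": payload,
        "padding_length": pad,
        "aligned": len(packet) % alignment(block_size) == 0,
        "min_ok": pad >= MIN_PADDING,
        "full_block": pad >= block_size,
    }


if __name__ == "__main__":
    # Constructed inputs: payload sizes around a 16-byte block boundary.
    for n in (0, 3, 11, 12, 27):
        minimal = padding_length(n, 16)
        full = padding_length(n, 16, full_block=True)
        print(f"payload={n:3d}  min-pad={minimal:2d}  full-block-pad={full:2d}"
              f"  guess space={padding_guess_space(minimal):#x}")
```

The minimal rule and the full-block rule differ only in the floor, so the cost of Bill's suggestion is at most one extra cipher block per packet; both variants stay well under the 255-byte maximum for every block size in use.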


