IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: an attack against SSH2 protocol
On Sun, Mar 24, 2002 at 05:02:30PM +0100, Markus Friedl wrote:
> On Sun, Mar 24, 2002 at 04:20:28AM -0500, nico wrote:
> > Alternatively a new global request could be spec'ed to negotiate the use
> > of confounders instead of implicit IVs.
>
> you cannot use SSH_MSG_GLOBAL_REQUEST, it's part of
> the connection protocol, a different layer.
Yes, you're right, that would be a violation of the layer abstraction.
Fine, so come up with new enctypes matching the existing CBC enctypes
but whose semantics will be "same as previous version, but with this
enctype all messages must start with a confounder".
Also, I find it weird that the draft uses "SHOULD" wrt treating the last
cipher block of a message as the IV for the next message. I can't see
how two implementations can operate if one does and the other does not
treat the last block of each encrypted message as the IV for the next.
Of course, that must be a SHOULD because this implicit IV rule might not
apply to some enctypes, but then, that should be specified per-enctype,
and, for the ones that use implicit IVs it should be a MUST. I.e., this
part of the connection protocol draft probably needs revision.
Cheers,
Nico
Home |
Main Index |
Thread Index |
Old Index