IETF-SSH archive


Re: an attack against SSH2 protocol



On Sun, Mar 24, 2002 at 05:02:30PM +0100, Markus Friedl wrote:
> On Sun, Mar 24, 2002 at 04:20:28AM -0500, nico wrote:
> > Alternatively a new global request could be spec'ed to negotiate the use
> > of confounders instead of implicit IVs.
> 
> you cannot use SSH_MSG_GLOBAL_REQUEST, it's part of
> the connection protocol, a different layer.

Yes, you're right, that would be a violation of the layer abstraction.

Fine, so come up with new enctypes matching the existing CBC enctypes
but whose semantics will be "same as previous version, but with this
enctype all messages must start with a confounder".

Also, I find it weird that the draft uses "SHOULD" wrt treating the last
cipher block of a message as the IV for the next message. I can't see
how two implementations can operate if one does and the other does not
treat the last block of each encrypted message as the IV for the next.

Of course, that must be a SHOULD because this implicit IV rule might not
apply to some enctypes, but then, that should be specified per-enctype,
and, for the ones that use implicit IVs it should be a MUST. I.e., this
part of the connection protocol draft probably needs revision.

Cheers,

Nico
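The two CBC behaviours Nico contrasts, as an added illustration that is not part of the thread: the draft's implicit IV (last ciphertext block of message n becomes the IV of message n+1, so an observer knows the IV before the next plaintext is chosen) versus a confounder enctype that prepends one random block so the payload's effective IV is the unpredictable encrypted confounder. The 4-round Feistel "block cipher" is an insecure stand-in for AES so the code runs with only the standard library; `send_message`/`receive_message` are hypothetical names, not SSH implementation APIs.

```python
import hmac, hashlib, os

BLOCK = 16  # 128-bit blocks, as for the AES CBC enctypes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of (round index || half), cut to 8 bytes
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel network standing in for the real block cipher (NOT secure)
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def send_message(key: bytes, chained_iv: bytes, msg: bytes, confounder: bool):
    # chained_iv = last ciphertext block of the previous message (the draft's
    # implicit IV), which a passive observer has already seen.  With
    # confounder=True a random first block is prepended (Nico's proposal), so
    # the payload's effective IV is the encrypted confounder, unknown in advance.
    if confounder:
        msg = os.urandom(BLOCK) + msg
    ct = cbc_encrypt(key, chained_iv, msg)
    return ct, ct[-BLOCK:]          # (ciphertext, IV for the next message)

def receive_message(key: bytes, chained_iv: bytes, ct: bytes, confounder: bool):
    pt = cbc_decrypt(key, chained_iv, ct)
    return (pt[BLOCK:] if confounder else pt), ct[-BLOCK:]
```

Encrypting the same packet twice from the same chained state yields identical ciphertext without a confounder and different ciphertext with one, while the receiver still recovers the payload in both cases.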


