IETF-SSH archive


Re: IESG feedback on core drafts.



Some detailed comments,

"Joseph Galbraith" <galb-list%vandyke.com@localhost> writes:
>    So long as the "none" cipher is not used, this protocol
>    provides confidentiality.  Older, smaller ciphers, such
Why do you say "smaller"? How is 3DES smaller than AES?

>    as 3des and arcfour MAY be less secure from attack than
>    ciphers such as AES.  Implementors SHOULD prefer ciphers
>    such as twofish, serpent, or AES over blowfish, 3des and
>    arcfour.
Why would you recommend twofish and serpent over 3DES?
3DES has received vastly more analysis than either.

>    With ciphers operating in CBC mode is theoretically
>    vulnerable to choosen cipher-text attacks because of
>    the high predicability of the start of packet sequence.
>    However, this attack is still relatively hard enough, and
>    requires a sufficiently high number of packets, to be safe
>    in the short term.  Ciphers with larger block sizes are
>    less vulnerable the ciphers with smaller block sizes.
>    [Is this true?]
What attack are you talking about here? The Rogaway attack?
Perhaps you need a citation and some explanation?


>    Effort is underway to standardize the use of CTR mode
>    ciphers in the SSH protocol.  When this work is completed,
>    implementors SHOULD support it.
>    
>    In addition, the CBC mode attack can be mitigated by
>    ensuring the an SSH_MSG_IGNORE packet preceeds any real
>    data at the start of a TCP packet.
A TCP packet? How is the TCP mapping relevant?

>    Because MACs use a 32 bit sequence number, they may
>    start to leak information after 2**32 packets have
>    been sent. 
You should be specific here about how they leak data.

> 11.1.3 Replay
> 
>    This protocol binds each session key to the session
>    by including random data that is specific to the
>    session in the hash used to produce session keys.
> 
>    This session id is used by higher level protocols
>    to prevent replay of packets form previous sessions.
                                  ^^^^
from.

>    In addition, the use of cipher chaining prevents
>    replay of packets within the session.  Cipher chaining
>    also prevents the insertion or deletion of packets.
I'm not sure this is true if the MAC is disabled.

> 11.3.2 Proxy forwarding
> 
>    The ssh connection protocol allows proxy forwarding
>    of other protocols.  The proxy forwarding functionality
>    can be used to circumvent firewall protections.  Implementors
>    SHOULD provide a mechanism to disable to administratively
>    control the proxy forwarding funcitonality.
This sentence is ungrammatical.

-Ekr

-- 
[Eric Rescorla                                   ekr%rtfm.com@localhost]
                http://www.rtfm.com/
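As an added example (not from the draft or this thread), the following Python sketches the SSH transport pieces these comments refer to, following RFC 4253: the binary packet layout, the MAC keyed by the uint32 sequence number (whose wrap at 2**32 is what bounds a key's safe use), an SSH_MSG_IGNORE packet as the mitigation the draft mentions, and a sender-side rekey trigger. The hmac-sha1 MAC, the 16-byte block size and the 1 GB rekey limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

BLOCK_SIZE = 16           # assumed AES block size; 3DES/blowfish would use 8
SEQ_MODULUS = 2 ** 32     # the uint32 packet sequence number wraps here
SSH_MSG_IGNORE = 2        # message number from RFC 4253 section 12


def build_packet(payload: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """SSH binary packet (RFC 4253 section 6): uint32 packet_length,
    byte padding_length, payload, random padding.  The total length is a
    multiple of the cipher block size and padding is at least 4 bytes."""
    # 4 bytes of length field + 1 byte padding_length + payload + padding
    padding_length = block_size - ((5 + len(payload)) % block_size)
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return (struct.pack(">IB", packet_length, padding_length)
            + payload + os.urandom(padding_length))


def ignore_packet(random_len: int = 16) -> bytes:
    """SSH_MSG_IGNORE packet: byte 2, then an SSH string of random data.
    The draft suggests sending one ahead of real data in CBC mode."""
    data = os.urandom(random_len)
    return build_packet(bytes([SSH_MSG_IGNORE]) + struct.pack(">I", len(data)) + data)


def compute_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """mac = MAC(key, sequence_number || unencrypted_packet) with hmac-sha1.
    Because seq is reduced to 32 bits, (key, seq, packet) repeats after
    2**32 packets unless the connection has rekeyed by then."""
    return hmac.new(key, struct.pack(">I", seq % SEQ_MODULUS) + packet,
                    hashlib.sha1).digest()


def needs_rekey(seq: int, bytes_sent: int, byte_limit: int = 2 ** 30) -> bool:
    """Defensive trigger: rekey before the sequence number wraps, or once
    the assumed 1 GB traffic limit is reached, whichever comes first."""
    return seq >= SEQ_MODULUS - 1 or bytes_sent >= byte_limit
```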


