On Monday, May 12, 2003, at 16:11 America/Montreal, Heikki Nousiainen wrote:
I for one believe replay protection is an important property for the protocol and I would like this claim to remain in the documents. IPsec AH uses a sequence number with HMAC for replay protection (RFC 2085), so does TLS (RFC 2246). HMAC security considerations are discussed in RFC 2104. The document describes security of the construct in general, and I believe the replay protection scheme is a small subset compared to that, given how many bits an attacker can affect (sequence number, padding). How about "to our best knowledge"?
Does someone want to try to construct a rationale for the document about why folks believe the attempted replay protection actually works? Barring that, maybe the words should be more tentative (edit to taste): Through the use of a sequence number and ... and ..., the SSH specification seeks to provide protection against replay attacks. ???
Public key authentication is not vulnerable regardless of whether the server's public key has been securely distributed. [snip] Now, of course MITM Client can simply defer completing authentication with Server, and wait for client to request Agent forwarding. Then, using agent, obtain the signature it needs to complete the authentication with Server, and quickly bring MITM client --> Server state up to date with Client --> MITM Server state. Maybe the whole argument isn't worth including. In my opinion, this belongs in the agent spec, not here. [Don't do agent forwarding for the servers you don't trust.]
That would be OK with me. Ran
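To make concrete what the sequence number buys in the replay discussion above, here is an added example (not code from the drafts or from either poster): a toy model of the SSH transport MAC, where the tag is computed over the implicit 32-bit sequence number followed by the packet. The key and packet bytes are constructed, and encryption is left out so only the counter's role is visible.

```python
import hashlib
import hmac
import struct

# Added example, not code from the secsh drafts: a toy model of the SSH
# transport MAC, mac = MAC(key, sequence_number || unencrypted_packet).
# Encryption is omitted; the point is only the sequence number's role.
SEQ_MOD = 1 << 32


def ssh_mac(key: bytes, seqno: int, packet: bytes) -> bytes:
    """HMAC over the 32-bit sequence number followed by the packet bytes."""
    return hmac.new(key, struct.pack(">I", seqno % SEQ_MOD) + packet,
                    hashlib.sha256).digest()


class Endpoint:
    """One direction of a transport connection; each side keeps its own counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0  # implicit, never sent on the wire, starts at zero

    def send(self, packet: bytes) -> tuple:
        tag = ssh_mac(self.key, self.seq, packet)
        self.seq = (self.seq + 1) % SEQ_MOD
        return packet, tag

    def receive(self, packet: bytes, tag: bytes) -> bool:
        # The receiver MACs with *its* expected counter, so a replayed or
        # reordered packet carries a tag computed for a different counter.
        ok = hmac.compare_digest(ssh_mac(self.key, self.seq, packet), tag)
        if ok:
            self.seq = (self.seq + 1) % SEQ_MOD
        # On failure SSH tears the connection down; here we just report it.
        return ok


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; shared after key exchange
    client, server = Endpoint(key), Endpoint(key)
    p1 = client.send(b"\x05\x00\x00\x00\x0cssh-userauth")  # constructed packet
    p2 = client.send(b"\x01\x00\x00\x00\x00")              # constructed packet
    return {
        "first": server.receive(*p1),        # fresh: accepted
        "replay": server.receive(*p1),       # same bytes again: rejected
        "second": server.receive(*p2),       # next in order: accepted
        "late_replay": server.receive(*p1),  # still rejected later
    }
```

The counter wraps after 2^32 packets and is never reset for the connection, so on a very long-lived connection the same counter value does recur; the model above does not address that.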