Re: Comments on the reviesed Security Section open issues.

[Heikki Nousiainen <htn%sumu.org@localhost>]

On Mon, 12 May 2003, RJ Atkinson wrote:
> 
> Does someone want to try to construct a rationale for the
> document about why folks believe the attempted replay
> protection actually works ?

I'm not much of an editor, but maybe someone can slash something out of 
the following:

Running sequence number gives us an unique input for the MAC 
function regardless of the contents of the packet, as long as the 
sequence number doesn't wrap. With rekeying before the sequence number 
wraps, we get an unique input into the MAC function (well, HMAC at least) 
regardless of the sequence counter wrapping.

If an attacker captures a packet and inserts it within the SSH stream in 
order to replay the packet, either the sequence number or the MAC key will 
be different, and the MAC check will fail.


We assume MAC is secure of course, specifically it being infeasible to
construct x' such that MAC(x) = MAC(x'). For HMACs it is discussed in
rfc 2104.
I don't know if it's relevant or not, but given that an attacker wants to
re-use data from the packet, there are even less bits to work with, and,
even less of a chance of succeeding in creating a valid MAC.


 Regards,
  Heikki Nousiainen