IETF-SSH archive
Re: SSH paper and a possible transport layer extension [was: aside on formal methods]
On Sat, 17 May 2003, Nicolas Williams wrote:
> It is bad to let sequence numbers wrap around while using the same key.
> Rekeying takes care of this problem.
Oh yes, the rekeying is required, but with a 64bit counter, a suitable MAC
algorithm and a suitable cipher, we can bump up the re-keying requirement
up to every 2^64 packets. Excessive? Maybe as of today, but modularising
this aspect of the protocol paves the way for future changes if so needed.
Here's some motivation behind the proposed change, something I should have
included in the earlier post already:
- modularising integrity protection of the protocol, making future
  changes easy to incorporate
- lifting the re-keying constraints on the MAC algorithm (e.g. 64bit
  counter, cipher with blocksize of 256 bits => rekey after 2^64
  packets)
- authentication of either plaintext or ciphertext (or even both
  for that matter) at the selection of a MAC algorithm
- complete backward compatibility with careful specification of the MAC
  algorithms
Best regards,
Heikki Nousiainen
> On Sat, May 17, 2003 at 01:48:30AM +0300, Heikki Nousiainen wrote:
[snip]
> > The paper raises a question about the length of the sequence number used
> > in conjunction with MACs and the possibility of using encrypt-then-mac to
> > check the authenticity of the ciphertext. Now, as far as I see, both of
> > these limitations could be lifted by defining the size and the use of
> > sequence number and the order in which the MAC is applied as properties
> > of the selected MAC algorithm (similar to the mode of operation for the
> > ciphers). Backward compatibility with the current implementations could
> > be maintained by careful selection of the initial counter values even
> > when a MAC algorithm is changed during re-keying.
[snip]
> >
> > Examples:
> >
> > hmac-sha1
> >
> > Initial sequence number is number-of-sent-packets modulo 2^32. Sequence
> > number, 32 bit unsigned integer, is incremented for each packet and wraps
> > around to zero after reaching 2^32-1. MAC is calculated as
> > MAC = HMACsha1_K(sequence_number || unencrypted_packet)
> >
> >
> > hmac-sha2-64_bit_sequence-encrypt_then_authenticate
> >
> > Initial sequence number is number-of-sent-packets modulo 2^32. Sequence
> > number, 64 bit unsigned integer, is incremented for each packet and wraps
> > around to zero after reaching 2^64-1. MAC is calculated as
> > MAC = HMACsha2_K(sequence_number || encrypted_packet)
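
The two MAC definitions quoted above, modelled as an added example (not code from the thread or from any SSH implementation) that shows why a wrapped 32-bit counter repeats the MAC input under one key while the 64-bit counter does not. Assumptions: SHA-256 stands in for "sha2", the 64-bit sequence number is encoded big-endian like the 32-bit one, and the key and packet bytes are constructed.

```python
import hashlib
import hmac
import struct

class MacAlgorithm:
    """MAC whose counter width and MAC input are properties of the algorithm."""

    def __init__(self, name, digest, seq_bits, over_ciphertext):
        self.name, self.digest = name, digest
        self.seq_bits, self.over_ciphertext = seq_bits, over_ciphertext

    def initial_seq(self, packets_sent):
        # Both examples in the post start at packets-sent modulo 2^32, so a
        # MAC switched in at rekey continues the legacy 32-bit count.
        return packets_sent % 2**32

    def advance(self, seq, packets=1):
        return (seq + packets) % 2**self.seq_bits

    def tag(self, key, seq, plaintext_packet, encrypted_packet):
        data = encrypted_packet if self.over_ciphertext else plaintext_packet
        fmt = ">I" if self.seq_bits == 32 else ">Q"  # big-endian (assumed for 64 bit)
        return hmac.new(key, struct.pack(fmt, seq) + data, self.digest).digest()

HMAC_SHA1 = MacAlgorithm("hmac-sha1", hashlib.sha1, 32, over_ciphertext=False)
# SHA-256 stands in for the post's unspecified "sha2" (assumption).
HMAC_SHA2_64_ETM = MacAlgorithm(
    "hmac-sha2-64_bit_sequence-encrypt_then_authenticate",
    hashlib.sha256, 64, over_ciphertext=True)

def old_tag_verifies_after(alg, key, packets_later, packets_sent=0):
    """True if a packet's tag still verifies `packets_later` packets on, same key."""
    plaintext, ciphertext = b"constructed plaintext packet", b"constructed ciphertext"
    seq = alg.initial_seq(packets_sent)
    old = alg.tag(key, seq, plaintext, ciphertext)
    later = alg.tag(key, alg.advance(seq, packets_later), plaintext, ciphertext)
    return hmac.compare_digest(old, later)

if __name__ == "__main__":
    key = b"k" * 32  # constructed key, for demonstration only
    for alg in (HMAC_SHA1, HMAC_SHA2_64_ETM):
        print(alg.name, "tag repeats after 2^32 packets:",
              old_tag_verifies_after(alg, key, 2**32))
```

A receiver that has not rekeyed within 2^32 packets would accept the old hmac-sha1 tag again, which is the wrap-around problem the first quoted line refers to.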