IETF-SSH archive
Re: latest drafts
>> architecture-22 9.3.5 says that publickey makes no server security
>> assumptions. But this is not quite true; a compromised server may
>> be able to use a publickey authentication attempt to play MitM to
>> authenticate to another host as if it held a public key it does not
>> in fact hold.
I must have been short of sleep when I wrote this. What I had in mind
was authenticating via some other protocol, not via ssh, using the ssh
client connection as a public-key engine. But of course the defenses
put in place to prevent MitM use this way for ssh also prevent its use
as a general-purpose signing engine - anything that allows an ssh
client connection to be used as a generic public-key engine will of
necessity work perfectly well to perform MitM attacks on ssh as well.
So please ignore that paragraph.
>> Various specifications in transport-24 break rather badly if the
>> cipher in use has a block size that is less than 8 bytes but which
>> does not divide evenly into 8 bytes. [...]
> I think the simple answer is that you can't use such a cipher with
> SSH, which seems fine to me.
Yes, but I would prefer to see this stated explicitly. Otherwise
someone reading it could wonder, as I did, "but what about, say, a
cipher with 7-byte blocks, how would I add that to my implementation?".
Or a cipher with a block size that's not a multiple of 8 bits.
Before you laugh too hard at the idea that such a cipher might exist,
note that DES has 7-byte keys (though they're normally stored as 8
bytes with 7 bits/byte, for hysterical raisins). While keys != blocks,
it does indicate to me that there is nothing holy about powers of two.
I could imagine, for example, a cipher depending on number-theoretic
properties of 2^56 that 2^64 doesn't have. (I'm thinking in particular
of the way IDEA depends on 2^16+1 being prime, and the difficulty of
converting it to 32-bit basic blocks because 2^32+1 isn't.)
I'm perfectly satisfied with "you can't do that with ssh" as the
response; I just think it'd be good to see it stated explicitly.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents.montreal.qc.ca@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
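The block-size problem raised above can be made concrete. The following is an added illustration, not code from the thread or from any SSH implementation; it applies the padding rule from the SSH transport specification (RFC 4253 section 6, the successor of the transport draft under discussion): the packet_length, padding_length, payload and padding together must total a multiple of the cipher block size or 8, whichever is larger, with at least 4 bytes of padding. The function names and the zero padding are assumptions made for the example.

```python
import struct


def ssh_padding_length(payload_len: int, block_size: int) -> int:
    """Padding length per RFC 4253 section 6: the 4-byte packet_length,
    1-byte padding_length, payload and padding must sum to a multiple of
    max(block_size, 8), with at least 4 bytes of padding."""
    align = max(block_size, 8)
    base = 4 + 1 + payload_len
    pad = (-base) % align
    if pad < 4:
        pad += align
    return pad


def build_packet(payload: bytes, block_size: int) -> bytes:
    """Assemble an (unencrypted) binary packet for the given cipher block size."""
    pad = ssh_padding_length(len(payload), block_size)
    packet_length = 1 + len(payload) + pad
    # Zero padding keeps the example deterministic; the spec says it SHOULD be random.
    return struct.pack(">IB", packet_length, pad) + payload + bytes(pad)


def is_block_aligned(packet: bytes, block_size: int) -> bool:
    """A block cipher in CBC mode can only encrypt whole blocks."""
    return len(packet) % block_size == 0


def misaligned_payload_lengths(block_size: int, max_payload: int = 64) -> list:
    """Payload lengths for which the spec's padding rule produces a packet
    that a cipher with this block size could not encrypt in whole blocks."""
    return [
        n for n in range(max_payload + 1)
        if not is_block_aligned(build_packet(bytes(n), block_size), block_size)
    ]


if __name__ == "__main__":
    # Constructed sample payload; block sizes 4 and 8 divide 8, 16 exceeds it,
    # 7 is the awkward case the thread describes.
    for bs in (4, 8, 16, 7):
        pkt = build_packet(b"hello", bs)
        print(f"block {bs:2d}: packet {len(pkt)} bytes, aligned={is_block_aligned(pkt, bs)}, "
              f"misaligned payload lengths 0..64: {len(misaligned_payload_lengths(bs))}")
```

For block sizes that divide 8 (or are at least 8) every packet comes out block-aligned, so the rule works as written. For a 7-byte block the rule aligns the packet to 8 bytes, which is a multiple of 7 only when the total happens to be a multiple of 56, so most packets could not be encrypted by such a cipher in a whole-block mode. That is the case the spec would need to rule out explicitly, as the message asks.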