IETF-SSH archive


Re: Ben Harris's individual submissions: arcfour-fixes and rsa-kex



> I've just noticed:
> 	http://www.ietf.org/internet-drafts/draft-harris-ssh-arcfour-fixes-00.txt

I've implemented these, and also arcfour-64k%rodents.montreal.qc.ca@localhost,
which is just like stock arcfour except it drops the first 65536 bytes
of the keystream.  I'd be happy to do interop testing with anyone else
who's done any of them.

> and Ben recently mentioned:
> 	http://www.ietf.org/internet-drafts/draft-harris-ssh-rsa-kex-01.txt

I haven't implemented this yet, but I certainly intend to.

> rsa-kex is a weaker kex (as it allows the client to completely
> determine the session key);

Well, it's weaker in some respects, perhaps, but the parenthetical note
is false; see the last paragraph of section 8 of the draft.

Note that there is no point trying to defend against a malicious
client producing weak secrecy, since the client has direct access to
the decrypted data stream and can leak it any way it pleases -
especially since the protocol is full of opportunities for covert
channels, including covert channels between an endpoint and a passive
eavesdropper.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
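As an added illustration (not code from this message or from any SSH implementation), a minimal RC4 with the keystream-prefix discard that the arcfour-64k variant above describes: drop=0 is stock arcfour, drop=65536 is arcfour-64k. Function names are mine; the key schedule and PRGA are the standard RC4 ones.

```python
# RC4 (arcfour) with an optional keystream-prefix discard.
# Added example; not code from the message or from any SSH implementation.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-entry state under the key."""
    if not key:
        raise ValueError("key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, drop: int = 0):
    """Yield keystream bytes, consuming the first `drop` bytes unused.

    drop=0     -> stock arcfour
    drop=65536 -> the arcfour-64k variant described in the message
    """
    S = rc4_ksa(key)
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if produced >= drop:          # bytes before `drop` are discarded
            yield k
        produced += 1

def keystream_bytes(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return the first n keystream bytes emitted after the discard."""
    ks = rc4_keystream(key, drop)
    return bytes(next(ks) for _ in range(n))

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the (possibly prefix-dropped) keystream.
    Encryption and decryption are the same operation."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)
```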


