Authenticated cipher modes

To: ietf-ssh%netbsd.org@localhost
Subject: Authenticated cipher modes
From: Henrick Hellström <henrick%streamsec.se@localhost>
Date: Mon, 18 Apr 2005 10:48:21 +0200

While trying to figure out how to support CCM, EAX and OCB cipher modesor the Helix cipher (http://www.schneier.com/paper-helix.pdf), I spottedan issue with SSH-TRANS. These cipher modes have built in dataintegrity, but the SSH-TRANS algorithm negotiation mechanism clearlyisn't designed to handle such encryption.


There are three reasons such encryption algorithms should be supported:

1. Performance. They are twice as fast since the encryption modeprovides data integrity by itself.2. Resources. Helix in particular consumes very little resources. Thereare no memory consuming s-boxes and the algorithm might be implementedto hold the entire state in CPU registers (at least on CPUs such asAMD64/EM64T and M680x0 that have a relatively high number of generalpurpose registers).3. Security. According to http://cr.yp.to/papers.html#cachetiming,encryption algorithms that use sboxes are vulnerable to timing attacks,and fixed time algorithms such as Helix should be used for onlinetransport encryption.


Here is the problem:

Suppose I define an encryption I name "helix%streamsec.com@localhost". I wouldthen want the following:

1. If the server and the client negotiate this encryption, they MUSTalso negotiate a designated data integrity name, which is specified tobe coupled with the encryption in question. There is no point in addinga second layer of data integrity to e.g. Helix encryption. This isunfortunately not consistent with the algorithm selection mechanismspecified in section 7.1 of SSH-TRANS. If the standard algorithmselection mechanism is followed, the client and the server might end upwith e.g. helix%streamsec.com@localhost for encryption and an unrelated dataintegrity algorithm. For example, this would happen if the client issending "rijndael128-ocb%streamsec.com@localhost,helix%streamsec.com@localhost,3des-cbc" forencryption and "hmac-sha1,helix%streamsec.com@localhost" for data integrity, andthe server is sending"twofish128-ocb%streamsec.com@localhost,helix%streamsec.com@localhost,3des-cbc" forencryption and "hmac-sha1,helix%streamsec.com@localhost" for data integrity.

2. The processing rules of section 6.4 "Data integrity" of SSH-TRANSMUST be integrated into the encryption processing, if e.g. Helixencryption is selected. That is, the message counter should be processedby the encryption as unencrypted header data, in accordance with theHelix specification. (One should note that CCM mode is less of an issuein this respect, since an implicit message counter is part of the modeitself. Selecting CCM mode and the "none" data integrity algorithm wouldresult in the desired state.)


--
Henrick Hellström
www.streamsec.com

Follow-Ups:
- Re: Authenticated cipher modes
  - From: Ben Harris
- Re: Authenticated cipher modes
  - From: Damien Miller
- Re: Authenticated cipher modes
  - From: Derek Fawcus

Prev by Date: Re: draft-ietf-secsh-newmodes-04: ready to go forward.
Next by Date: Re: Authenticated cipher modes
Previous by Thread: draft-ietf-secsh-newmodes-04: ready to go forward.
Next by Thread: Re: Authenticated cipher modes
Indexes:

Home | Main Index | Thread Index | Old Index