IETF-SSH archive


Re: Authenticated cipher modes



Derek Fawcus wrote:
> I've not read Helix.  However in general I'd assumed that use of an encryption
> including integrity algorithm could always simply be used with SSH by choosing
> an SSH MAC of "none".  Certainly that's what I thought when I was considering
> hacking in use of OCB.

I see two problems with that.

Firstly, what happens if the client lists both an OCB mode encryption
algorithm and the "none" data integrity algorithm on top, and the server
turns out not to support the OCB mode encryption algorithm? It seems the
outcome of the algorithm negotiation would be an encryption algorithm
that doesn't support data integrity, coupled with the "none" data
integrity algorithm. Should the client simply disconnect if this
happens, or what? It seems to me that would only result in unnecessary
round-trips.

Secondly, using the "none" data integrity algorithm implies that the
implicit message counter is simply unprocessed (since this is what the
"none" data integrity algorithm does with the message counter), which
would leave it open to replay attacks.


--
Henrick Hellström
www.streamsec.com
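The first problem above, worked through as an added example that is not part of the thread: SSH's negotiation rule (RFC 4253 section 7.1, the first name on the client's list that the server also supports) is applied to the cipher and MAC lists independently, so a client that pairs an AEAD cipher with MAC "none" can end up with a plain cipher and no integrity at all. The OCB name is a constructed placeholder, and `integrity_ok` is the post-negotiation check a client would need, not anything from an SSH implementation.

```python
"""Simulate SSH algorithm negotiation and check the negotiated pair."""

# Constructed set of cipher names that carry their own integrity protection.
# "aes128-ocb@example.com" is a placeholder, not a registered SSH name.
AEAD_CIPHERS = {"aes128-ocb@example.com"}


def negotiate(client_list, server_list):
    """RFC 4253 7.1: choose the first algorithm on the client's list that also
    appears on the server's list; None means negotiation failed."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def negotiate_transport(client_enc, client_mac, server_enc, server_mac):
    """Cipher and MAC are negotiated independently, as SSH does."""
    return negotiate(client_enc, server_enc), negotiate(client_mac, server_mac)


def integrity_ok(enc, mac):
    """Accept only combinations that authenticate packets: MAC "none" is
    acceptable solely when the cipher itself provides integrity."""
    if enc is None or mac is None:
        return False
    if mac == "none":
        return enc in AEAD_CIPHERS
    return True


# Client prefers the AEAD cipher with MAC "none" and falls back to CTR + HMAC.
CLIENT_ENC = ["aes128-ocb@example.com", "aes128-ctr"]
CLIENT_MAC = ["none", "hmac-sha1"]

# Server A supports the AEAD cipher: the result is AEAD + "none", which is fine.
SERVER_A_ENC = ["aes128-ocb@example.com", "aes128-ctr"]
SERVER_A_MAC = ["none", "hmac-sha1"]

# Server B lacks the AEAD cipher but still accepts MAC "none": the result is
# aes128-ctr with no MAC, i.e. confidentiality without integrity.
SERVER_B_ENC = ["aes128-ctr"]
SERVER_B_MAC = ["none", "hmac-sha1"]

if __name__ == "__main__":
    for label, enc, mac in (("A", SERVER_A_ENC, SERVER_A_MAC),
                            ("B", SERVER_B_ENC, SERVER_B_MAC)):
        chosen = negotiate_transport(CLIENT_ENC, CLIENT_MAC, enc, mac)
        verdict = "accept" if integrity_ok(*chosen) else "reject (disconnect)"
        print(f"server {label}: {chosen} -> {verdict}")
```

The only way out of the rejected case without a disconnect is to not offer "none" in the MAC list at all, which is why the thread treats the "MAC of none" trick as inadequate.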
