Re: Authenticated cipher modes

To: ietf-ssh%netbsd.org@localhost
Subject: Re: Authenticated cipher modes
From: Henrick Hellström <henrick%streamsec.se@localhost>
Date: Mon, 18 Apr 2005 12:09:57 +0200

Derek Fawcus wrote:

I've not read Helix.  However in general I'd assumed that use of a encryption
including integrity algorithm could always simply be used with SSH by choosing
a SSH MAC of "none".  Certainly that's what I thought when I was considering
hacking in use of OCB.


I see two problems with that.

Firstly, what happens if the client lists both an OCB mode encryption
algorithm and the "none" data integrity algorithm on top, and the server
turns out not to support the OCB mode encryption algorithm? It seems the
outcome of the algorithm negotiation would be an encryption algorithm
that doesn't support data integrity, coupled with the "none" data
integrity algorithm. Should the client simply disconnect if this
happens, or what? It seems to me that would only result in unnecessary
round-trips.

Secondly, using the "none" data integrity algorithm implies that the
implicit message counter is simply unprocessed (since this is what the
"none" data integrity algorithm does with the message counter), which
would open up for replay attacks.


--
Henrick Hellström
www.streamsec.com

References:
- Authenticated cipher modes
  - From: Henrick Hellström
- Re: Authenticated cipher modes
  - From: Derek Fawcus

Prev by Date: Re: Authenticated cipher modes
Next by Date: Re: Authenticated cipher modes
Previous by Thread: Re: Authenticated cipher modes
Next by Thread: Re: Authenticated cipher modes
Indexes:

Home | Main Index | Thread Index | Old Index