Re: Authenticated cipher modes

[Derek Fawcus <dfawcus%cisco.com@localhost>]

On Mon, Apr 18, 2005 at 10:41:41PM +1200, Peter Gutmann wrote:
> Derek Fawcus <dfawcus%cisco.com@localhost> writes:
> 
> >I've not read Helix.  However in general I'd assumed that use of a encryption
> >including integrity algorithm could always simply be used with SSH by
> >choosing a SSH MAC of "none".  Certainly that's what I thought when I was
> >considering hacking in use of OCB.
> 
> That doesn't seem right, it implies there's no MAC at all, and could lead to
> problems with e.g. an encryption algorithm of 3DES and a MAC of none.  I think
> it'd be more intuitive (and safer) to require that both the crypto and MAC
> algorithm to have the same value, since crypto = MAC and MAC = crypto.

Well it depends upon what one is trying to convey.  Strictly there is no outer
SSH MAC in this case,  so I'd argue that "none" is correct.

Unfortunatly as has been pointed out the the selection rules rather mess things
up here wrt to the effect on other cypher+MAC combinations if a combined algorithm
ends up not being selected.

I guess the simplest approach is to say that if a combined algorithm is chosen,
then the MAC offered is simply ignored,  and the protocol then proceeds as if
both ends had offered "none" as their preferred MAC.

DF