IETF-SSH archive


RE: Authenticated cipher modes



[Ben Harris]

> My understanding was that the nonce in Helix and OCB had the 
> same purpose as the sequence number in the usual SSH MAC, so 
> as to make the latter technically unnecessary if using those 
> modes.  It doesn't really matter, of course, since feeding an 
> extra four bytes into the MAC is hardly going to kill performance.

The problem is that a higher-level layer can rely on the SSH sequence number
- for example, it is used in SSH_MSG_UNIMPLEMENTED, so it must be there and
must be authenticated, or replaced by something 100% equivalent. Therefore
any Helix-in-SSH draft needs to spell out what happens to the SSH sequence
number:

- whether it is replaced entirely by some other field, in which case the SSH
sequence number is discarded and that other field needs to have the same
form and characteristics as the SSH sequence number (word32, incremented by
one, etc);

- or whether the SSH sequence number stays there but is also appended or
prepended to the plaintext before encryption, thereby authenticating it;

- or something else that works.

denis
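As an added illustration (not part of this thread), here is a minimal Python model of the point above: the implicit uint32 sequence number is never sent on the wire, so the only thing authenticating it is the MAC computed over `sequence_number || unencrypted_packet` (RFC 4253 section 6.4), and any replacement field or AEAD nonce must give a receiver the same guarantee. The key, packet bytes and the `Endpoint` class are constructed for the demo; encryption and padding are omitted.

```python
import hashlib
import hmac
import struct

MAC_KEY = b"constructed-demo-integrity-key"  # constructed; real keys come from the kex
TAG_LEN = 32  # HMAC-SHA256 output length


def ssh_mac(key, seqno, packet):
    """RFC 4253 6.4: mac = MAC(key, sequence_number || unencrypted_packet).
    The uint32 sequence number is an implicit counter on both sides and is
    never transmitted, so the MAC is the only thing that authenticates it."""
    return hmac.new(key, struct.pack(">I", seqno) + packet, hashlib.sha256).digest()


class Endpoint:
    """One direction of a simplified SSH packet stream (no encryption, no
    padding) that keeps the implicit uint32 sequence counter of RFC 4253."""

    def __init__(self, key):
        self.key = key
        self.seq = 0  # starts at zero, wraps at 2**32, never reset

    def send(self, packet):
        wire = packet + ssh_mac(self.key, self.seq, packet)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return wire

    def receive(self, wire):
        """Verify against the *expected* counter; a replayed or reordered packet
        was tagged over a different value and fails. Returns (seqno, packet) so
        a higher layer can quote the number, e.g. in SSH_MSG_UNIMPLEMENTED."""
        packet, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, ssh_mac(self.key, self.seq, packet)):
            raise ValueError(f"bad MAC for expected sequence number {self.seq}")
        seqno, self.seq = self.seq, (self.seq + 1) & 0xFFFFFFFF
        return seqno, packet


def demo():
    """Send two constructed packets, then replay the first: the counters have
    diverged, so verification fails although the bytes are untouched."""
    tx, rx = Endpoint(MAC_KEY), Endpoint(MAC_KEY)
    w0, w1 = tx.send(b"\x14packet-zero"), tx.send(b"\x14packet-one")
    first = rx.receive(w0)
    try:
        rx.receive(w0)  # replay while rx expects seq 1 (real SSH would disconnect)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    second = rx.receive(w1)  # the genuine next packet still verifies
    return {"first": first, "second": second, "replay_rejected": replay_rejected}
```

The same binding is what an AEAD construction has to preserve: if the nonce replaces the counter, the receiver must still derive the exact value a higher layer will report, and if the counter is appended to the plaintext instead, it is covered by the tag just as it is by the HMAC here.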
