RE: Authenticated cipher modes

To: "'Ben Harris'" <bjh21%bjh21.me.uk@localhost>, <ietf-ssh%netbsd.org@localhost>
Subject: RE: Authenticated cipher modes
From: "denis bider" <ietf-ssh%denisbider.com@localhost>
Date: Mon, 18 Apr 2005 19:24:52 +0200

[Ben Harris]

> My understanding was that the nonce in Helix and OCB had the 
> same purpose as the sequence number in the usual SSH MAC, so 
> as to make the latter technically unnecessary if using those 
> modes.  It doesn't really matter, of course, since feeding an 
> extra four bytes into the MAC is hardly going to kill performance.

The problem is that a higher-level layer can rely on the SSH sequence number
- for example, it is used in SSH_MSG_UNIMPLEMENTED, so it must be there and
must be authenticated, or replaced by something 100% equivalent. Therefore
any Helix-in-SSH draft needs to spell out what happens to the SSH sequence
number:

- whether it is replaced entirely by some other field, in which case the SSH
sequence number is discarded and that other field needs to have the same
form and characteristics as the SSH sequence number (word32, incremented by
one, etc);

- or whether the SSH sequence number stays there but is also appended or
prepended to the plaintext before encryption, thereby authenticating it;

- or something else that works.

denis

Follow-Ups:
- Re: Authenticated cipher modes
  - From: Ben Harris

References:
- Re: Authenticated cipher modes
  - From: Ben Harris

Prev by Date: Re: Authenticated cipher modes
Next by Date: Re: Authenticated cipher modes
Previous by Thread: Re: Authenticated cipher modes
Next by Thread: Re: Authenticated cipher modes
Indexes:

Home | Main Index | Thread Index | Old Index