On Mon, 29 Aug 2005, Bill Sommerfeld wrote:
> The motivation for the counter-mode ciphers in newmodes is to avoid the known, but generally considered minor, security hole from the use of CBC with known IV values. I'd expect that users concerned with this attack will therefore want to move to a world where it is possible to disable CBC-mode ciphers. I think that, alone, justifies making one or more of the ciphers REQUIRED, to avoid a situation where two implementations would be required to fall back to 3des-cbc because neither implements the same counter-mode cipher.
Making one of the ciphers REQUIRED, though, isn't sufficient to ensure that CBC-mode ciphers aren't used. To take a concrete example, PuTTY's preference order for AES is currently "aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc", so even though PuTTY supports aes128-ctr, it'll get aes256-cbc if the server supports that. To get the effect you want, you'd have to require clients to provide an option to prefer CTR-mode ciphers over CBC-mode (and presumably over other ciphers as well). As yet, the SSH drafts have avoided this kind of requirement on the configurability of clients, and I think this is probably a good thing.
Incidentally, I'm not opposed to making 3des-ctr REQUIRED, for all that I think it's unnecessary. I _am_ opposed to making aes128-ctr REQUIRED.
-- Ben Harris
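The negotiation behaviour Ben describes follows from the SSH transport rule that the chosen cipher is the first entry in the client's preference list that the server also offers. The following is an added example, not code from this thread, from PuTTY or from any SSH implementation; it simulates that rule with the PuTTY preference string quoted above and with constructed server cipher lists, and shows how a defender can check whether a given client/server pairing would land on a CBC-mode cipher and how reordering the client list to put CTR first changes the outcome.

```python
# Simulated SSH cipher negotiation (the RFC 4253 section 7.1 rule: the first
# algorithm in the client's name-list that is also in the server's list wins).
# Added illustration; the server lists below are constructed, not observed.

# PuTTY's AES preference order as quoted in the thread, with 3des-cbc appended
# as an assumed trailing fallback so the "fall back to 3des-cbc" case can be shown.
PUTTY_PREFS = [
    "aes256-ctr", "aes256-cbc",
    "aes192-ctr", "aes192-cbc",
    "aes128-ctr", "aes128-cbc",
    "3des-cbc",  # assumed fallback entry, not part of the quoted string
]

# Constructed server configurations for the walk-through.
SERVER_CBC_AND_CTR = ["aes256-cbc", "aes128-ctr", "3des-cbc"]
SERVER_3DES_ONLY = ["3des-cbc"]


def negotiate(client_prefs, server_prefs):
    """Return the cipher the client-preference rule selects, or None."""
    offered = set(server_prefs)
    for name in client_prefs:
        if name in offered:
            return name
    return None  # no algorithm in common: the connection would fail


def is_cbc(name):
    """CBC-mode cipher names in SSH end with the '-cbc' mode suffix."""
    return name.endswith("-cbc")


def ctr_first(prefs):
    """Reorder a preference list so every non-CBC cipher precedes every CBC one.

    This is the client-side knob Ben says the drafts would have to mandate to
    guarantee CTR over CBC whenever the server offers both.
    """
    return [n for n in prefs if not is_cbc(n)] + [n for n in prefs if is_cbc(n)]


def would_use_cbc(client_prefs, server_prefs):
    """Audit helper: True if this pairing negotiates a CBC-mode cipher."""
    chosen = negotiate(client_prefs, server_prefs)
    return chosen is not None and is_cbc(chosen)


if __name__ == "__main__":
    # The case in the thread: PuTTY supports aes128-ctr but still gets aes256-cbc.
    print(negotiate(PUTTY_PREFS, SERVER_CBC_AND_CTR))             # aes256-cbc
    print(would_use_cbc(PUTTY_PREFS, SERVER_CBC_AND_CTR))         # True
    # With a CTR-first client list the same server yields a counter-mode cipher.
    print(negotiate(ctr_first(PUTTY_PREFS), SERVER_CBC_AND_CTR))  # aes128-ctr
    # Against a 3des-only server both orderings fall back to 3des-cbc.
    print(negotiate(ctr_first(PUTTY_PREFS), SERVER_3DES_ONLY))    # 3des-cbc
```

Only the client's ordering matters here, so a server that wants to rule out CBC cannot rely on the client preferring CTR; it has to stop offering the CBC ciphers altogether, which is the "disable CBC-mode ciphers" option the quoted text refers to.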