IETF-SSH archive


Re: draft-miller-secsh-umac-00.txt



[Today is a bad day for forgetting to Cc the list.]

In article <01a601c7ade2$140a9340$0300a8c0%weidai.com@localhost> you write:
>Both UMAC and VMAC require unique nonces. Using the sequence number as the 
>nonce as in your draft may cause nonces to be reused if someone takes a 
>snapshot of an active SSH connection running on a virtual machine, and when 
>that snapshot is restored, the SSH program sends out new packets before 
>realizing that the connection is no longer valid.

Many of the SSH algorithms break in those circumstances.  For instance, 
any stream cipher (including block ciphers in SDCTR mode) will leak 
hugely if the keystream gets reused.

>Unless there is a good reason to believe this can't occur, it would be safer 
>to use random nonces instead.

Would that help?  I'd expect the restored PRNG to at least start in sync 
with its former self.

In general, I think SSH assumes that time is linear, and isn't designed 
to work in the presence of forking time-streams.  This should probably 
have been mentioned in its Security Considerations.

-- 
Ben Harris
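The two failure modes discussed above, keystream reuse in a counter-mode cipher and a PRNG that resumes in sync after a snapshot, can be simulated in a few lines. The following is an added illustration and is not part of the thread or of the draft: it uses a toy keystream (SHA-256 of key and counter) as a stand-in for AES in SDCTR mode, a seeded `random.Random` as a stand-in for a deterministic PRNG whose state is captured in the VM image, and constructed packet contents. The snapshot/restore is modelled by copying the counter and PRNG state.

```python
import hashlib
import os
import random
from dataclasses import dataclass

BLOCK = 32  # one keystream block of the toy cipher, in bytes


def keystream_block(key: bytes, counter: int) -> bytes:
    """Toy stand-in for one AES-CTR block: SHA-256(key || counter).
    The only property that matters here is that the same (key, counter)
    always yields the same keystream block, exactly as in real SDCTR."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class CtrSender:
    """Sender-side state of a counter-mode cipher: the counter is exactly
    the kind of state a VM snapshot captures and a restore brings back."""
    key: bytes
    counter: int = 0

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(plaintext), BLOCK):
            ks = keystream_block(self.key, self.counter)
            self.counter += 1  # advanced once per block, never reset in normal operation
            out += xor(plaintext[i:i + BLOCK], ks)
        return bytes(out)


def keystream_reuse_after_restore() -> bool:
    """Returns True if the live VM and the restored VM encrypted different
    packets under the same keystream, i.e. C1 xor C2 == P1 xor P2."""
    key = b"constructed-demo-key-not-secret!"  # constructed, not a real key
    live = CtrSender(key)
    live.encrypt(b"...earlier traffic on the connection...")  # advance the counter

    # Snapshot: the VM image now holds the current counter value.
    frozen = CtrSender(live.key, live.counter)

    p1 = b"packet sent by the live VM after the snapshot was taken"
    c1 = live.encrypt(p1)

    # Restore: the resumed VM continues from the captured counter.
    restored = CtrSender(frozen.key, frozen.counter)
    p2 = b"a different packet sent by the restored VM at the same pos"
    c2 = restored.encrypt(p2)

    # With a shared keystream the ciphertexts XOR to the plaintext XOR,
    # which is the "leak hugely" case from the thread.
    return xor(c1, c2) == xor(p1, p2)


def prng_nonces_collide() -> bool:
    """Models the objection that random nonces do not help by themselves:
    a deterministic PRNG restored from the snapshot emits the same value."""
    rng = random.Random(1234)  # deterministic state, as captured in the image
    saved = rng.getstate()
    nonce_live = rng.getrandbits(128)
    rng.setstate(saved)  # restore
    nonce_restored = rng.getrandbits(128)
    return nonce_live == nonce_restored


def reseeded_nonces_differ() -> bool:
    """The PRNG only diverges from its former self if fresh entropy is
    mixed in after the restore (here: reseeding from os.urandom)."""
    rng = random.Random(1234)
    saved = rng.getstate()
    nonce_live = rng.getrandbits(128)
    rng.setstate(saved)
    rng.seed(os.urandom(32))  # fresh entropy after restore
    return rng.getrandbits(128) != nonce_live


if __name__ == "__main__":
    print("keystream reused after restore:", keystream_reuse_after_restore())
    print("PRNG nonces collide after restore:", prng_nonces_collide())
    print("nonces differ once reseeded:", reseeded_nonces_differ())
```

The first function shows why a restored counter is a cipher problem independent of the MAC nonce question; the second shows why "use random nonces" is only an answer if the generator is reseeded with entropy the snapshot could not have captured.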
