IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: draft-miller-secsh-umac-00.txt
[Today is a bad day for forgetting to Cc the list.]
In article <01a601c7ade2$140a9340$0300a8c0%weidai.com@localhost> you write:
>Both UMAC and VMAC require unique nonces. Using the sequence number as the
>nonce as in your draft may cause nonces to be reused if someone takes a
>snapshot of an active SSH connection running an a virtual machine, and when
>that snapshot is restored, the SSH program sends out new packets before
>realizing that the connection is no longer valid.
Many of the SSH algorithms break in those circumstances. For instance,
any stream cipher (including block ciphers in SDCTR mode) will leak
hugely if the keystream gets reused.
>Unless there is a good reason to believe this can't occur, it would be safer
>to use random nonces instead.
Would that help? I'd expect the restored PRNG to at least start in sync
with its former self.
In general, I think SSH assumes that time is linear, and isn't designed
to work in the presence of forking time-streams. This should probably
have been mentioned in its Security Considerations.
--
Ben Harris
Home |
Main Index |
Thread Index |
Old Index