IETF-SSH archive


Re: draft-miller-secsh-umac-00.txt



On Wed, Jun 13, 2007 at 05:47:20PM -0400, der Mouse wrote:
> >> [...save and restore virtual machine state...]
> > Many of the SSH algorithms break in those circumstances.  For
> > instance, any stream cipher (including block ciphers in SDCTR mode)
> > will leak hugely if the keystream gets reused.
> 
> Only if the datastream isn't.  (Perhaps fortunately, the data stream is
> likely to be identical to the original in such a case...at least long
> enough for the connection to be torn down.)
> 
> > In general, I think SSH assumes that time is linear, and isn't
> > designed to work in the presence of forking time-streams.  This
> > should probably have been mentioned in its Security Considerations.
> 
> "Security considerations: this program assumes it is operating in a
> space-time continuum with only one time dimension." :-)

And with time running only in one direction (hereinafter: "forward" ;)

I don't think there's a dependence on time being monotonic and
non-discrete at a quantum level, just that it not go backward.

:)

But note that even in a VM save/restore case time goes forward (well,
from our p.o.v. anyways).  So we may need a more precise description of
the problem.

I propose that we say that SSHv2 (and probably most cryptographic
protocols) is not continuation reentrance safe ('continuation
reentrance' meaning, here, calling a Scheme-like continuation function
of indefinite extent more than once).

Nico
-- 
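An added illustration of the keystream-reuse point raised in the quoted exchange, not code from the thread or from any SSH implementation. ToyCtr is a hypothetical stand-in for an SDCTR-mode cipher (keystream = SHA-256(key || counter)); its (key, counter) state is what a VM snapshot captures and a restore brings back, and fork_timeline shows the leak when the restored side sends different data, the harmless case when the data stream is identical, and the effect of a fresh key after restore.

```python
# Added illustration for this thread, not code from any SSH implementation.
# ToyCtr is a hypothetical stand-in for an SDCTR-mode cipher: its keystream
# is SHA-256(key || counter), and its state (key, counter) is exactly what a
# VM snapshot would capture and a restore would bring back.
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyCtr:
    """Counter-mode keystream generator; the counter is the whole state."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def snapshot(self) -> "ToyCtr":
        # What a VM save does: copy the cipher state, counter included.
        return ToyCtr(self.key, self.counter)

    def encrypt(self, data: bytes) -> bytes:
        ks = b""
        while len(ks) < len(data):
            ks += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return xor(data, ks)


def fork_timeline(key: bytes, msg_before: bytes, msg_after: bytes, rekey: bytes = b""):
    """Encrypt msg_before, restore the saved state, then encrypt msg_after.

    Returns (c_before XOR c_after, msg_before XOR msg_after).  If the restored
    side reuses the keystream the two are equal: the ciphertexts alone reveal
    the XOR of the plaintexts.  If the data stream is identical, the XOR is
    all zeros and only that equality is exposed.  With rekey set, the restored
    side starts from a fresh key (what an SSH key re-exchange immediately
    after restore would provide) and the relation disappears.
    """
    live = ToyCtr(key)
    saved = live.snapshot()                        # VM state saved here
    c_before = live.encrypt(msg_before)            # original timeline sends data
    restored = ToyCtr(rekey) if rekey else saved   # restore, optionally rekeyed
    c_after = restored.encrypt(msg_after)          # forked timeline sends data
    return xor(c_before, c_after), xor(msg_before, msg_after)


if __name__ == "__main__":
    k = b"constructed-session-key"                 # constructed sample key
    m1, m2 = b"snapshot taken at 09:00", b"snapshot taken at 09:05"
    print(fork_timeline(k, m1, m2)[0] == xor(m1, m2))               # True: leak
    print(fork_timeline(k, m1, m1)[0] == bytes(len(m1)))            # True: only equality leaks
    print(fork_timeline(k, m1, m2, rekey=b"fresh")[0] == xor(m1, m2))  # False: rekeyed
```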


