IETF-SSH archive


Re: draft-miller-secsh-umac-00.txt



On Thu, 14 Jun 2007, Damien Miller wrote:

> On Wed, 13 Jun 2007, Wei Dai wrote:
>
> > Both UMAC and VMAC require unique nonces. Using the sequence number
> > as the nonce as in your draft may cause nonces to be reused if
> > someone takes a snapshot of an active SSH connection running on a
> > virtual machine, and when that snapshot is restored, the SSH program
> > sends out new packets before realizing that the connection is no
> > longer valid.
> >
> > Unless there is a good reason to believe this can't occur, it would
> > be safer to use random nonces instead.

Markus Friedl suggested a good compromise: use the KEX PRF to extract
192 bits of MAC key, give the first 128 to UMAC and use the remaining 64
bits as a "nonce seed".

The nonce that is supplied to UMAC can be nonce_seed + sequence_number.
The seed would be private like the other keying material and, while the
nonces would still be reused under this attack, the actual nonce values
would not be known to the attacker.

This tweak does not need any new PRF, and it preserves UMAC's
optimisation when the nonce is a monotonic big endian counter.

Thoughts?

-d
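The proposal above, worked through as an added example (this is not code from the draft, from Damien Miller, or from OpenSSH). It assumes two things the mail does not spell out: that the 192 bits of MAC key come from the ordinary RFC 4253 section 7.2 integrity-key expansion (letters 'E' and 'F'), and that "nonce_seed + sequence_number" is 64-bit integer addition mod 2^64, which is what keeps consecutive packets on consecutive nonces so UMAC's counter optimisation still applies. The shared secret, exchange hash and session id are constructed values, not output of a real key exchange.

```python
import hashlib
import struct

MASK64 = (1 << 64) - 1


def ssh_mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    # one extra byte of room so a set high bit gets a leading 0x00 (positive two's complement)
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def ssh_derive_key(hash_name, K, H, letter, session_id, need):
    """RFC 4253 section 7.2 key expansion, truncated to `need` bytes.

    K1 = HASH(K || H || letter || session_id)
    K(n+1) = HASH(K || H || K1 || ... || Kn)
    """
    def digest(data):
        return hashlib.new(hash_name, data).digest()

    prefix = ssh_mpint(K) + H
    out = digest(prefix + letter + session_id)
    while len(out) < need:
        out += digest(prefix + out)
    return out[:need]


def derive_umac_material(hash_name, K, H, session_id, client_to_server=True):
    """Split 192 bits of integrity key material into a 128-bit UMAC key
    and a 64-bit nonce seed (assumption: taken from the 'E'/'F' integrity keys)."""
    letter = b"E" if client_to_server else b"F"
    material = ssh_derive_key(hash_name, K, H, letter, session_id, 24)
    return material[:16], material[16:]


def umac_nonce(nonce_seed, seqno):
    """nonce = (seed + seqno) mod 2^64, as the 8-byte big-endian value handed to UMAC.
    Assumption: '+' in the proposal means 64-bit integer addition."""
    seed = int.from_bytes(nonce_seed, "big")
    return struct.pack(">Q", (seed + seqno) & MASK64)


def nonces_are_consecutive(nonce_seed, start, count):
    """True if the nonces for seqno start..start+count-1 step by exactly one (mod 2^64),
    i.e. the seeded nonce is still a monotonic big-endian counter."""
    prev = int.from_bytes(umac_nonce(nonce_seed, start), "big")
    for s in range(start + 1, start + count):
        cur = int.from_bytes(umac_nonce(nonce_seed, s), "big")
        if (cur - prev) & MASK64 != 1:
            return False
        prev = cur
    return True


def snapshot_scenario():
    """Replay the thread's scenario with constructed values (not from a real KEX)."""
    session_id = hashlib.sha1(b"constructed session id").digest()
    H = session_id  # first key exchange: the exchange hash doubles as the session id
    K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
    K_other = int.from_bytes(hashlib.sha256(b"another constructed secret").digest(), "big")

    key, seed = derive_umac_material("sha1", K, H, session_id)
    _, seed_other = derive_umac_material("sha1", K_other, H, session_id)

    live = umac_nonce(seed, 10)      # packet 10 sent before the VM snapshot
    restored = umac_nonce(seed, 10)  # packet 10 sent again after the snapshot is restored
    other = umac_nonce(seed_other, 10)  # packet 10 in an unrelated session
    return {
        "umac_key_len": len(key),
        "reused_after_restore": live == restored,  # the residual reuse the mail acknowledges
        "seq10_plain_nonce_would_be": struct.pack(">Q", 10),  # guessable from the wire
        "seq10_seeded_nonce": live,  # depends on secret key material
        "differs_between_sessions": live != other,
        "consecutive": nonces_are_consecutive(seed, 0, 1000),
    }


if __name__ == "__main__":
    for name, value in snapshot_scenario().items():
        print(f"{name}: {value!r}")
</test>
The scenario function makes the trade-off visible: with the seed, a restored snapshot still produces the same nonce for the same sequence number, but that nonce is no longer the predictable value 10 an observer could read off the packet counter, and the counter property UMAC relies on is unchanged.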