IETF-SSH archive
Re: applying AES-GCM to secure shell: proposed "tweak"
[Followups trimmed somewhat]
Tim Polk <tim.polk%nist.gov@localhost> writes:
>(1) does the exposure of the ssh packet length have significant security
>implications for ssh itself?
Given the recent weakness discovered in OpenSSH (allowing recovery of limited
amounts of plaintext due to the length being encrypted), the only effect I can
think of is that it'd make it more secure, not less.
>(2) were applications that rely on ssh for security designed to take
>advantage of the encrypted packet length?
Not in my case. In fact it's actually a considerable pain since it messes up
the stream processing: you can't read and decrypt the entire packet in one
clean operation like SSL, but have to read and decrypt a bit of it, extract
metadata from the start, buffer the rest that was decrypted, read and decrypt
the remainder, and then reattach the previously-decrypted data to the start.
>(3) does the change in padding length calculation (caused by excluding the
>packet_length from the ciphertext) impose a significant impediment to
>migrating existing implementations?
Nope. In fact it significantly simplifies them, for the reason given above.
Peter.
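The two read paths contrasted above, as an added example that is not part of this message or of any SSH implementation: a reader that must decrypt the first block to learn the length (packet_length inside the ciphertext, RFC 4253 style) next to one that reads the length in the clear and decrypts the rest in one go, plus the padding calculation with and without the 4-byte length field in the sum. It assumes a 16-byte block size, uses a single-byte XOR as a stand-in for the cipher, and omits the MAC/GCM tag, since only the framing is of interest.

```python
import io
import os
import struct

BLOCK = 16    # assumed cipher block size
MIN_PAD = 4   # RFC 4253 minimum padding
KEY = 0x5A    # stand-in "cipher": XOR with one byte, so stream offsets do not matter

def xor(data: bytes) -> bytes:
    # Placeholder for encrypt/decrypt; a real implementation uses the
    # negotiated cipher (and, for AES-GCM, the length as associated data).
    return bytes(b ^ KEY for b in data)

def pad_len(payload_len: int, length_encrypted: bool) -> int:
    # RFC 4253: packet_length(4) + padding_length(1) + payload + padding is a
    # multiple of BLOCK, with at least MIN_PAD bytes of padding. When the
    # length is sent in the clear, the 4-byte field drops out of the sum.
    fixed = (4 if length_encrypted else 0) + 1
    pad = BLOCK - (fixed + payload_len) % BLOCK
    return pad + BLOCK if pad < MIN_PAD else pad

def build_packet(payload: bytes, length_encrypted: bool) -> bytes:
    pad = pad_len(len(payload), length_encrypted)
    length = struct.pack(">I", 1 + len(payload) + pad)
    body = bytes([pad]) + payload + os.urandom(pad)
    # MAC / GCM tag omitted: the point here is framing only.
    return xor(length + body) if length_encrypted else length + xor(body)

def read_encrypted_length(stream) -> bytes:
    # Must decrypt one block before the length is known, keep the leftover
    # plaintext, fetch and decrypt the rest, then glue the two pieces back.
    first = xor(stream.read(BLOCK))
    packet_length = struct.unpack(">I", first[:4])[0]
    rest = xor(stream.read(4 + packet_length - BLOCK))
    body = first[4:] + rest
    return body[1:packet_length - body[0]]   # strip padding_length and padding

def read_plain_length(stream) -> bytes:
    # Length in the clear: one read, one decrypt, no reassembly.
    packet_length = struct.unpack(">I", stream.read(4))[0]
    body = xor(stream.read(packet_length))
    return body[1:packet_length - body[0]]

def roundtrip(payload: bytes, length_encrypted: bool) -> bytes:
    # Constructed sample: frame a payload, then parse it back from a byte stream.
    stream = io.BytesIO(build_packet(payload, length_encrypted))
    reader = read_encrypted_length if length_encrypted else read_plain_length
    return reader(stream)
```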