IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



[Followups trimmed somewhat]

Tim Polk <tim.polk%nist.gov@localhost> writes:

>(1) does the exposure of the ssh packet length have significant security
>implications for ssh itself?

Given the recent weakness discovered in OpenSSH (allowing recovery of limited
amounts of plaintext due to the length being encrypted), the only effect I can
think of is that it'd make it more secure, not less.

>(2) were applications that rely on ssh for security designed to take
>advantage of the encrypted packet length?

Not in my case.  In fact it's actually a considerable pain since it messes up
the stream processing: you can't read and decrypt the entire packet in one
clean operation like SSL but have to read and decrypt a bit of it, extract
metadata from the start, buffer the rest that was decrypted, read and decrypt
the remainder, and then reattach the previously-decrypted data to the start.

>(3) does the change in padding length calculation (caused by excluding the
>packet_length from the ciphertext) impose a significant impediment to
>migrating existing implementations?

Nope.  In fact it significantly simplifies them, for the reason given above.

Peter.
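The receive-side flow Peter describes above, in the form the "tweak" proposes (packet_length sent in the clear and bound to the ciphertext as GCM additional data, as RFC 5647 specifies), as an added Go example that is not part of this thread; the key, nonce and sample body are constructed, and the NewAEAD helper is the example's own. The length is read first and the remainder is then decrypted in one step, so no decrypt-a-bit-and-buffer dance is needed, while any alteration of the cleartext length still fails the tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// RFC 5647 framing: the 4-byte packet_length travels in the clear as GCM additional
// data; padding_length||payload||padding is encrypted; a 16-byte tag follows.
const maxPacketLen = 35000 // smallest packet size a receiver must accept (RFC 4253)

// NewAEAD wraps an AES key in GCM (helper written for this example).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce: per-direction invocation counter
}

// SealPacket produces packet_length || ciphertext || tag for one record.
func SealPacket(aead cipher.AEAD, nonce, body []byte) []byte {
	out := make([]byte, 4, 4+len(body)+aead.Overhead())
	binary.BigEndian.PutUint32(out, uint32(len(body)))
	return aead.Seal(out, nonce, body, out[:4]) // length authenticated, not encrypted
}

// OpenPacket is the receive side: read the cleartext length, then read and
// decrypt the remainder in one step. Nothing has to be decrypted early and
// buffered, because the length was never inside the ciphertext.
func OpenPacket(aead cipher.AEAD, nonce, stream []byte) (body []byte, consumed int, err error) {
	if len(stream) < 4 {
		return nil, 0, errors.New("short read: packet_length incomplete")
	}
	n := int(binary.BigEndian.Uint32(stream[:4]))
	if n > maxPacketLen { // bound allocation; the length is not yet authenticated
		return nil, 0, errors.New("packet_length exceeds limit")
	}
	total := 4 + n + aead.Overhead()
	if len(stream) < total {
		return nil, 0, errors.New("short read: packet incomplete")
	}
	body, err = aead.Open(nil, nonce, stream[4:total], stream[:4])
	if err != nil {
		return nil, 0, err // tag mismatch: body, tag or cleartext length was altered
	}
	return body, total, nil
}
```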
