Re: applying AES-GCM to secure shell: proposed "tweak"

To: ietf-ssh%netbsd.org@localhost, tim.polk%nist.gov@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Thu, 09 Apr 2009 03:20:33 +1200

[Followups trimmed somewhat]

Tim Polk <tim.polk%nist.gov@localhost> writes:

>(1) does the exposure of the ssh packet length have significant security
>implications for ssh itself?

Given the recent weakness discovered in OpenSSH (allowing recovery of limited
amounts of plaintext due to the length being encrypted), the only effect I can
think of is that'd it'd make it more secure, not less.

>(2) were applications that rely on ssh for security designed to take
>advantage of the encrypted packet length?

Not in my case.  In fact it's actually a considerable pain since it messes up 
the stream processing, you can't read and decrypt the entire packet in one 
clean operation like SSL but have to read and decrypt a bit of it, extract 
metadata from the start, buffer the rest that was decrypted, read and decrypt 
the remainder, and then reattach the prevously-decrypted data to the start.

>(3) does the change in padding length calculation (caused by excluding the
>packet_length from the ciphertext) impose a significant impediment to
>migrating existing implementations?

Nope.  In fact it significantly simplifies them, for the reason given above.

Peter.

References:
- applying AES-GCM to secure shell: proposed "tweak"
  - From: Tim Polk

Prev by Date: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index