IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>The fact that SSHv2 encrypts the packet length has been a cause of a
>significant protocol security vulnerability.  Let's kill this
>encrypt-the-packet-length notion.

If we're going to make this change, could we also consider moving *all*
ciphers to nonencrypted lengths?  This currently requires horribly complex
code to process, and it's the very first thing an attacker will hit (that is,
the first bit of client/server code an incoming, possibly hostile, packet will
encounter is the complex encrypted-length processing).  It'd be really nice to
be able to switch this off to reduce the attack surface, subject to
negotiation that the other side supports it, obviously.  There's a 32-bit
flags field in the handshake that's currently unused, one bit could be used to
indicate unencrypted lengths.

Peter.
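As an added illustration of the two framing paths Peter contrasts, the following Go code is not from the original thread or from any SSH implementation. It compares the classic RFC 4253 path, where the receiver has to decrypt the first cipher block before it even knows the packet length, with the layout RFC 5647 adopted for AES-GCM, where packet_length is sent in the clear and bound to the packet as additional authenticated data. The function names, the constructed demo key and the use of the RFC 4253 35000-byte minimum-acceptable size as a hard upper bound are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxPacket = 35000 // RFC 4253 6.1: the size every peer must accept; reject more before allocating

var ErrBadLength = errors.New("ssh: packet_length outside the allowed range")
var ErrShort = errors.New("ssh: wire data does not match packet_length")

// checkLength applies the RFC 4253 framing rules before a length is used. An encrypted
// length counts its own 4 bytes toward block alignment; under RFC 5647 only the encrypted part does.
func checkLength(n uint32, blockSize int, lengthEncrypted bool) error {
	total := n
	if lengthEncrypted {
		total += 4
	}
	if n < 12 || n > maxPacket || total%uint32(blockSize) != 0 {
		return ErrBadLength
	}
	return nil
}

// readLengthCBC is the classic path: block one must be decrypted before the receiver
// knows how much to read, so the first parsing decision rides on attacker-supplied ciphertext.
func readLengthCBC(block cipher.Block, iv, wire []byte) (uint32, error) {
	bs := block.BlockSize()
	if len(wire) < bs {
		return 0, ErrShort
	}
	first := make([]byte, bs)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(first, wire[:bs])
	n := binary.BigEndian.Uint32(first[:4])
	return n, checkLength(n, bs, true)
}

// cbcFirstBlock encrypts a first block carrying packet_length n (test helper, not protocol code).
func cbcFirstBlock(block cipher.Block, iv []byte, n uint32) []byte {
	plain := make([]byte, block.BlockSize())
	binary.BigEndian.PutUint32(plain, n)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(plain, plain) // encrypt in place
	return plain
}

// sealGCM lays the packet out as RFC 5647 does: packet_length in the clear and bound as
// additional authenticated data, then encrypted padding_length || payload || padding, then the tag.
func sealGCM(aead cipher.AEAD, nonce, payload []byte) []byte {
	pad := aes.BlockSize - (1+len(payload))%aes.BlockSize
	if pad < 4 { // RFC 4253: at least four bytes of padding (zero here; real peers use random bytes)
		pad += aes.BlockSize
	}
	plain := append([]byte{byte(pad)}, payload...)
	plain = append(plain, make([]byte, pad)...)
	pkt := make([]byte, 4, 4+len(plain)+aead.Overhead())
	binary.BigEndian.PutUint32(pkt, uint32(len(plain)))
	return aead.Seal(pkt, nonce, plain, pkt[:4])
}

// openGCM bounds-checks the plaintext length, lets the tag prove the peer sent that
// length (a forged one fails authentication), and only then touches the payload.
func openGCM(aead cipher.AEAD, nonce, wire []byte) ([]byte, error) {
	if len(wire) < 4 {
		return nil, ErrShort
	}
	n := binary.BigEndian.Uint32(wire[:4])
	if err := checkLength(n, aes.BlockSize, false); err != nil {
		return nil, err
	}
	if len(wire) != 4+int(n)+aead.Overhead() {
		return nil, ErrShort
	}
	plain, err := aead.Open(nil, nonce, wire[4:], wire[:4])
	if err != nil {
		return nil, err
	}
	if pad := int(plain[0]); pad >= 4 && pad < len(plain) {
		return plain[1 : len(plain)-pad], nil
	}
	return nil, ErrBadLength
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12) // RFC 5647: 4 fixed bytes then a 64-bit per-packet counter
	pkt := sealGCM(aead, nonce, []byte("SSH_MSG_IGNORE demo payload"))
	forged := append(append([]byte{}, pkt...), make([]byte, 16)...)
	forged[3] ^= 0x10 // claim 48 bytes instead of 32: the tag no longer verifies
	_, err := openGCM(aead, nonce, forged)
	fmt.Println("GCM forged length:", err)
	iv := make([]byte, aes.BlockSize)
	_, err = readLengthCBC(block, iv, cbcFirstBlock(block, iv, 40000))
	fmt.Println("CBC oversized encrypted length:", err)
}
```

The plaintext-length path rejects an out-of-range or misaligned length with no key material involved at all, which is the attack-surface reduction Peter is asking for; the authentication tag is what stops an attacker from substituting a different length, since the AAD no longer matches. On the CBC path the receiver has already run the cipher on hostile bytes before it can make any decision, and the result of that decision is the only thing standing between the attacker and the rest of the packet parser.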


