IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>Not with a flag day.  Implementors will have to keep implementing the old
>thing for a long time.

I meant with a bit-flag day, not a flag day.  In other words if the uint32 at
the end of the SSH_MSG_KEXINIT contains a 1-bit (say in the LSB) for both
sides' KEXINIT then things proceed with unencrypted lengths.

(This isn't entirely satisfactory because encryption is turned on before MITM
detection occurs so you're vulnerable for at least one message, but at least
it massively constrains the attack surface from "any message" to "one fixed
message during the handshake").

Peter.
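As an added illustration, not part of Peter's message or of any SSH implementation, the KEXINIT trailer and the "both sides must set the bit" rule he describes, in Python. The bit position (the LSB, as he suggests) and the constant names are assumptions; RFC 4253 currently sends that trailing uint32 as 0, so a peer that predates the flag always lands on the conservative choice of encrypted lengths.

```python
import struct
SSH_MSG_KEXINIT = 20
# Assumed bit position: the message says "say in the LSB" of the trailing uint32.
UNENCRYPTED_LENGTHS_FLAG = 0x1
# Constructed sample name-lists (not captured from a real session).
SAMPLE_LISTS = [["diffie-hellman-group14-sha1"], ["ssh-rsa"],
                ["AEAD_AES_128_GCM"], ["AEAD_AES_128_GCM"],
                ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(cookie, name_lists, first_kex_packet_follows, reserved):
    """Encode an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1 layout)."""
    assert len(cookie) == 16 and len(name_lists) == 10
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        body += _name_list(names)
    body += bytes([1 if first_kex_packet_follows else 0])
    return body + struct.pack(">I", reserved)

def parse_kexinit(payload):
    """Return (name_lists, first_kex_packet_follows, trailing uint32)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, []  # skip message byte + 16-byte cookie
    for _ in range(10):  # kex, hostkey, enc x2, mac x2, comp x2, lang x2
        if off + 4 > len(payload):
            raise ValueError("truncated name-list")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        off += n
        lists.append(raw.split(",") if raw else [])
    if off + 5 != len(payload):  # boolean + uint32, nothing else
        raise ValueError("bad KEXINIT trailer")
    (reserved,) = struct.unpack_from(">I", payload, off + 1)
    return lists, payload[off] != 0, reserved

def lengths_unencrypted(client_reserved, server_reserved):
    """Bit-flag day rule: unencrypted lengths only if BOTH sides set the bit."""
    return bool(client_reserved & server_reserved & UNENCRYPTED_LENGTHS_FLAG)

def negotiate(client_kexinit, server_kexinit):
    """Parse both peers' KEXINIT payloads and apply the rule to their trailers."""
    return lengths_unencrypted(parse_kexinit(client_kexinit)[2],
                               parse_kexinit(server_kexinit)[2])
```

Note that the decision is taken from the unauthenticated KEXINIT payloads, which is exactly the one-message exposure window the message points out; the exchange hash later covers both KEXINITs, so a modified trailer fails the handshake rather than going unnoticed.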
