Re: applying AES-GCM to secure shell: proposed "tweak"

To: Nicolas.Williams%sun.com@localhost, pgut001%cs.auckland.ac.nz@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Thu, 09 Apr 2009 16:26:24 +1200

Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>Not with a flag day.  Implementors will have to keep implementing the old
>thing for a long time.

I meant with a bit-flag day, not a flag day.  In other words if the uint32 at
the end of the SSH_MSG_KEXINIT contains a 1-bit (say in the LSB) for both
sides' KEXINIT then things proceed with unencrypted lengths.

(This isn't entirely satisfactory because encryption is turned on before MITM
detection occurs so you're vulnerable for at least one message, but at least
it massively constrains the attack surface from "any message" to "one fixed
message during the handshake").

Peter.

References:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index