IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



nisse%lysator.liu.se@localhost (Niels Möller) writes:

>I admit that I haven't done any deep thinking of attacks based on partial
>decryption.

I have, and if you want to do it properly it makes the header read incredibly
complicated.  I've just had a look and it's about 700 lines of code to safely
process the packet header with appropriate checking and whatnot, with a lot of
awkward length-checking and data handling.  For TLS it's maybe 150 lines of
quite straightforward code (read length, check validity, read data, decrypt).
I'm still not sure I trust the equivalent SSH code, despite spending way more
time on it than the TLS code, because of its complexity.

>Are there any other relevant attacks?

I wouldn't even bother looking for a crypto weakness, I'd exploit the
complexity of the code required to handle this and look for overflows, off-by-
one errors, bounds checking, all the usual stuff.  For that the answer is
"yes, many", although it'd depend on the implementation you're going after.

Peter.
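The "read length, check validity, read data, decrypt" sequence contrasted above, applied to an SSH packet under AES-GCM (RFC 5647, where packet_length travels unencrypted as the AAD and the 16-byte tag follows the ciphertext), as an added illustration that is not from this thread or from any SSH implementation. It assumes AES's 16-byte block, a 35000-byte total-size ceiling chosen from RFC 4253's must-support requirement, and that RFC 4253's block-alignment rule is applied to 4 + packet_length; the decryption itself is left to the caller.

```python
import struct

AES_BLOCK = 16         # AES block size in bytes
GCM_TAG_LEN = 16       # RFC 5647: 16-byte authentication tag follows the ciphertext
MIN_PADDING = 4        # RFC 4253 section 6: at least four bytes of random padding
MAX_TOTAL_LEN = 35000  # assumption: refuse packets larger than the RFC 4253 must-support size


class PacketError(ValueError):
    """Raised for any header or body value that fails validation."""


def check_packet_length(buf: bytes) -> int:
    """Stage 1: validate the cleartext packet_length field (the GCM AAD) before
    reading anything else. Returns the full on-the-wire size of the packet
    (length field + encrypted body + tag), or 0 if fewer than 4 bytes are buffered."""
    if len(buf) < 4:
        return 0
    (packet_length,) = struct.unpack("!I", buf[:4])
    total = 4 + packet_length
    if total < AES_BLOCK:            # below the RFC 4253 minimum packet size
        raise PacketError("packet_length too small: %d" % packet_length)
    if total % AES_BLOCK != 0:       # assumption: alignment rule applied to 4 + packet_length
        raise PacketError("packet_length not block-aligned: %d" % packet_length)
    total += GCM_TAG_LEN
    if total > MAX_TOTAL_LEN:        # bounds the read before any 2^32-sized allocation
        raise PacketError("packet too large: %d" % total)
    return total


def extract_payload(packet_length: int, body: bytes) -> bytes:
    """Stage 2: only after the tag has verified and the body has been decrypted,
    validate padding_length and strip the padding. `body` is
    padding_length || payload || random padding, exactly packet_length bytes."""
    if len(body) != packet_length:
        raise PacketError("decrypted body length mismatch")
    padding_length = body[0]
    if padding_length < MIN_PADDING:
        raise PacketError("padding too short: %d" % padding_length)
    if padding_length > packet_length - 1:   # padding may not overrun the body
        raise PacketError("padding_length exceeds packet: %d" % padding_length)
    return body[1:packet_length - padding_length]


def rejects(fn, *args) -> bool:
    """Helper: True if fn(*args) raises PacketError."""
    try:
        fn(*args)
    except PacketError:
        return True
    return False
```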


