IETF-SSH archive
Re: applying AES-GCM to secure shell: proposed "tweak"
nisse%lysator.liu.se@localhost (Niels Möller) writes:
>I admit that I haven't done any deep thinking of attacks based on partial
>decryption.
I have, and if you want to do it properly it makes the header read incredibly
complicated. I've just had a look and it's about 700 lines of code to safely
process the packet header with appropriate checking and whatnot, with a lot of
awkward length-checking and data handling. For TLS it's maybe 150 lines of
quite straightforward code (read length, check validity, read data, decrypt).
I'm still not sure I trust the equivalent SSH code, despite spending way more
time on it than the TLS code, because of its complexity.
>Are there any other relevant attacks?
I wouldn't even bother looking for a crypto weakness, I'd exploit the
complexity of the code required to handle this and look for overflows,
off-by-one errors, bounds checking, all the usual stuff. For that the answer
is "yes, many", although it'd depend on the implementation you're going after.
Peter.
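The "read length, check validity, read data, decrypt" sequence Peter contrasts with SSH's encrypted-length header is spelled out below as an added example; it is not code from the thread or from any SSH implementation. It assumes a packet framing in which the 4-byte length is sent in the clear and bound to the ciphertext as AEAD associated data, so nothing is decrypted until the whole record has been length-checked and authenticated. The AEAD is a constructed HMAC-SHA256 stand-in (keystream plus tag) so the file runs offline; it is not AES-GCM, and the alignment and padding rules are assumptions rather than the exact RFC layout.

```python
"""Constructed example of bounded, authenticate-before-decrypt packet
reading. The AEAD below is an HMAC-SHA256 stand-in, not AES-GCM, and the
framing (4-byte clear length as AAD, 8-byte alignment, >= 4 pad bytes) is an
assumption made for this demo."""
import hashlib
import hmac
import struct

TAG_LEN = 16      # truncated HMAC tag length (assumption)
MIN_PACKET = 5    # padding-length byte + at least 4 bytes of padding
MAX_PACKET = 35000  # upper bound checked before any allocation (assumption)
BLOCK = 8         # alignment unit for (4 + packet_length) (assumption)


def _derive(key, label):
    """Split one key into separate encryption and authentication keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC; stand-in for the AES-CTR core of GCM."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _tag(key, nonce, aad, ct):
    """Authentication tag over nonce, clear-text length (AAD) and ciphertext."""
    return hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]


def seal(key, seq, payload):
    """Build one record: clear length || ciphertext || tag."""
    ek, mk = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = struct.pack(">Q", seq)
    padlen = BLOCK - ((4 + 1 + len(payload)) % BLOCK)
    if padlen < 4:
        padlen += BLOCK
    pt = bytes([padlen]) + payload + b"\x00" * padlen
    aad = struct.pack(">I", len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return aad + ct + _tag(mk, nonce, aad, ct)


def open_packet(key, seq, buf):
    """Return (status, payload, bytes_consumed) for the first record in buf.
    The only field inspected before authentication is the 4-byte length, and
    it is range-checked before it is used for any read or allocation."""
    ek, mk = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = struct.pack(">Q", seq)
    # 1. read length
    if len(buf) < 4:
        return ("need_more", None, 0)
    length = struct.unpack(">I", buf[:4])[0]
    # 2. check validity: bounded size and alignment, else reject outright
    if length < MIN_PACKET or length > MAX_PACKET or (4 + length) % BLOCK:
        return ("bad_length", None, 0)
    total = 4 + length + TAG_LEN
    # 3. read data: wait for the whole (now bounded) record
    if len(buf) < total:
        return ("need_more", None, 0)
    aad, ct, tag = buf[:4], buf[4:4 + length], buf[4 + length:total]
    if not hmac.compare_digest(tag, _tag(mk, nonce, aad, ct)):
        return ("bad_mac", None, 0)
    # 4. decrypt only after the length and ciphertext have been authenticated
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, length)))
    padlen = pt[0]
    if padlen < 4 or padlen > length - 1:
        return ("bad_padding", None, 0)
    return ("ok", pt[1:length - padlen], total)


if __name__ == "__main__":
    k = b"\x11" * 32  # constructed key
    rec = seal(k, 0, b"hello")
    print(open_packet(k, 0, rec))          # ('ok', b'hello', 32)
    print(open_packet(k, 0, rec[:-1]))     # ('need_more', None, 0)
    print(open_packet(k, 0, b"\xff" + rec[1:]))  # ('bad_length', None, 0)
```

The point of the structure is that a forged or bit-flipped length field can only produce a rejection or a wait for more bytes: it is bounded before it is trusted, and the record is authenticated (with the length as associated data) before any decryption happens, which is what removes the "decrypt the header first, then find out how much to read" step that makes the CBC-style SSH reader so much harder to get right.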