IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Thu, Apr 09, 2009 at 04:50:50PM +1000, Damien Miller wrote:
> On Wed, 8 Apr 2009, der Mouse wrote:
> 
> > I would suggest creating a new packet type for negotiating options like
> > this.  As a strawman:
> > 
> >       byte         SSH_MSG_OPTION (value = 7)
> >       string       option name
> >       ...          option-specific data
> 
> I think any option that changes the binary packet format would need
> to be included in the kex hash to prevent downgrade/upgrade attacks.
> This is somewhat annoying implementation-wise if it is a separate packet.

I agree.  I see no reason to deviate from using alg names for this sort
of negotiation.
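
Added example, not part of the original message: a sketch of why an option carried as an algorithm name is covered against downgrade, using the RFC 4253 exchange hash H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K). The option name, version strings, host-key blob and e/f/K values are constructed, and the separate packet is modelled simply as data that never enters H.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253
# Constructed sample values (not a real key exchange).
V_C, V_S = b"SSH-2.0-client_example", b"SSH-2.0-server_example"
K_S, E, F, K = b"constructed-host-key-blob", 0x1234, 0x5678, 0x9ABCDEF
TWEAK = "aes-gcm-tweak@example.com"  # hypothetical algorithm name

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def mpint(n: int) -> bytes:
    # Positive values only; the extra leading byte keeps the sign bit clear.
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def kexinit_payload(cookie: bytes, ciphers) -> bytes:
    """KEXINIT payload (RFC 4253 section 7.1); only the cipher lists vary."""
    lists = [
        ["diffie-hellman-group14-sha1"],  # kex_algorithms
        ["ssh-rsa"],                      # server_host_key_algorithms
        ciphers, ciphers,                 # encryption c2s, s2c
        ["hmac-sha1"], ["hmac-sha1"],     # mac c2s, s2c
        ["none"], ["none"],               # compression c2s, s2c
        [], [],                           # languages c2s, s2c
    ]
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += b"".join(ssh_string(",".join(l).encode("ascii")) for l in lists)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def exchange_hash(i_c: bytes, i_s: bytes) -> bytes:
    # I_C and I_S are the complete KEXINIT payloads, name-lists included.
    blob = b"".join(ssh_string(x) for x in (V_C, V_S, i_c, i_s, K_S))
    return hashlib.sha1(blob + mpint(E) + mpint(F) + mpint(K)).digest()

def hashes_match(client_view_ic: bytes, server_view_ic: bytes, i_s: bytes) -> bool:
    # Each side hashes the client KEXINIT it sent or received.
    return exchange_hash(client_view_ic, i_s) == exchange_hash(server_view_ic, i_s)

def demo():
    i_s = kexinit_payload(b"\x02" * 16, [TWEAK, "aes128-ctr"])
    i_c = kexinit_payload(b"\x01" * 16, [TWEAK, "aes128-ctr"])
    stripped = kexinit_payload(b"\x01" * 16, ["aes128-ctr"])  # option removed in transit
    # Option as an algorithm name: removal changes I_C, so the two H values diverge
    # and the host-key signature over H no longer verifies at the client.
    as_alg_name = hashes_match(i_c, stripped, i_s)
    # Option in a separate packet outside H: dropping it leaves I_C untouched,
    # so both sides compute the same H and nothing flags the change.
    as_separate_packet = hashes_match(i_c, i_c, i_s)
    return as_alg_name, as_separate_packet
```

`demo()` returns whether the two sides' hashes agree in each case: they disagree when the name is stripped from KEXINIT, and agree when the option lived outside the hashed data.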


