Re: applying AES-GCM to secure shell: proposed "tweak"

To: der Mouse <mouse%Rodents-Montreal.ORG@localhost>, ietf-ssh%NetBSD.org@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Date: Thu, 09 Apr 2009 22:17:22 -0400

--On Thursday, April 09, 2009 10:33:52 AM -0400 der Mouse<mouse%Rodents-Montreal.ORG@localhost> wrote:

I think any option that changes the binary packet format would need
to be included in the kex hash to prevent downgrade/upgrade attacks.
This is somewhat annoying implementation-wise if it is a separate
packet.

Is there any way of doing some sort of pre-auth to prevent tampering
with the options packets?


You could simply decree that options packets for the option in question
are not acceptable if sent before the first kex completes.  (I'd
hesitate to do that for all options packets, but it may be necessary.)

The problem with doing it for all option packets is that doing so precludesnegotiating cleartext-packet-lengths before the first kex completes, whichis necessary if the first kex selects an encryption algorithm requiringcleartext packet lengths.

References:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: der Mouse

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index