IETF-SSH archive
Re: applying AES-GCM to secure shell: proposed "tweak"
On Wed, Apr 15, 2009 at 06:10:50AM -0400, der Mouse wrote:
> > Maybe it's easier to say that if an AEAD-algorithm is chosen for
> > encryption, the lists of mac algorithms (for that direction) are
> > ignored).
>
> That would be a rather unpleasant violation of the existing definition.
> I'd much rather just re-kex if using a none MAC is that important.
AEAD cipher modes clearly combine the MAC into the cipher. That
means that the MAC can no longer be negotiated separately from the
cipher.
Therefore I believe Niels is correct: when an AEAD cipher is selected
then the MAC negotiation MUST be ignored.
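
The rule argued for above, as an added sketch that is not part of the original message or of any SSH implementation: per-direction algorithm selection that never consults the MAC lists once an AEAD cipher wins. The function names and the contents of `AEAD_CIPHERS` are assumptions for illustration; the first-match selection follows RFC 4253.

```python
# Added illustration; names below are hypothetical, not from the thread.
AEAD_CIPHERS = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}  # assumed AEAD set


class NegotiationError(Exception):
    """Raised when the two peers share no algorithm for a required slot."""


def first_match(client_list, server_list, what):
    # RFC 4253: choose the first name on the client's list that the
    # server also lists.
    for name in client_list:
        if name in server_list:
            return name
    raise NegotiationError(f"no common {what} algorithm")


def negotiate_direction(client_enc, server_enc, client_mac, server_mac):
    """Return (cipher, mac) for one direction; mac is None for AEAD."""
    cipher = first_match(client_enc, server_enc, "encryption")
    if cipher in AEAD_CIPHERS:
        # Integrity is provided by the cipher itself, so the MAC lists
        # are ignored, even if they have nothing in common.
        return cipher, None
    return cipher, first_match(client_mac, server_mac, "MAC")


if __name__ == "__main__":
    # Constructed sample lists: the peers share no MAC algorithm.
    client_enc = ["AEAD_AES_128_GCM", "aes128-ctr"]
    server_enc = ["aes128-ctr", "AEAD_AES_128_GCM"]
    client_mac = ["hmac-sha2-256"]
    server_mac = ["hmac-sha1"]

    # AEAD selected: negotiation succeeds despite the disjoint MAC lists.
    print(negotiate_direction(client_enc, server_enc, client_mac, server_mac))

    # Without the AEAD cipher on offer, the same MAC lists are fatal.
    try:
        negotiate_direction(["aes128-ctr"], server_enc, client_mac, server_mac)
    except NegotiationError as exc:
        print("failed:", exc)
```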