IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Wed, Apr 15, 2009 at 08:56:28AM -0700, James Blaisdell wrote:
Nico> AEAD cipher modes clearly combine the MAC into the cipher.  That
Nico> means that the MAC can no longer be negotiated separately from the
Nico> cipher.

Nico> Therefore I believe Niels is correct: when an AEAD cipher is selected
Nico> then the MAC negotiation MUST be ignored.

James> It doesn't need to be ignored, but the order does matter.
James> AEAD-* algorithms must appear first in the order list.  And
James> AEAD-* algos must match cipher and MAC in order as well.  It's
James> easy to detect, if there is a mismatch between cipher and hmac.  

What I meant is that IF an AEAD mode cipher is selected THEN the MAC
algs negotiation is superfluous and thus to be ignored.  It would still
be the case that IF the chosen cipher is NOT an AEAD cipher THEN the MAC
alg nego would proceed as usual.

I see no point whatsoever in trying to force separate cipher mode and
MAC negotiation when using AEAD -- it's totally artificial and gains us
exactly nothing.

Nor should it be possible to use an AEAD cipher and an unrelated MAC --
what would be the point of that?

Just because SSHv2 algorithm negotiation made too many assumptions
doesn't mean we must beat everything new into the old mold.

Nico
-- 



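The rule Nico argues for above, as an added example that is not part of the thread: RFC 4253 style negotiation (first client preference the server also lists), where the MAC lists are consulted only when the chosen cipher is not an AEAD mode. The AEAD cipher names are the RFC 5647 ones; the sample preference lists are constructed.

```python
# Added example (not from the thread): SSH algorithm negotiation with the
# "ignore MAC negotiation when an AEAD cipher is chosen" rule.

# AEAD cipher names as registered by RFC 5647.
AEAD_CIPHERS = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}


def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: first algorithm in the client's list that the server
    also supports, or None if the lists share nothing."""
    server = set(server_prefs)
    for alg in client_prefs:
        if alg in server:
            return alg
    return None


def negotiate_cipher_and_mac(client_ciphers, server_ciphers,
                             client_macs, server_macs):
    """Return (cipher, mac). For an AEAD cipher the MAC is None because the
    AEAD tag already provides integrity; the MAC lists are not consulted.
    For a non-AEAD cipher the MAC is negotiated as usual."""
    cipher = negotiate(client_ciphers, server_ciphers)
    if cipher is None:
        raise ValueError("no common cipher")
    if cipher in AEAD_CIPHERS:
        return cipher, None
    mac = negotiate(client_macs, server_macs)
    if mac is None:
        raise ValueError("no common MAC")
    return cipher, mac


if __name__ == "__main__":
    # Constructed preference lists: the MAC lists share nothing, which only
    # matters when the negotiated cipher is not AEAD.
    print(negotiate_cipher_and_mac(
        ["AEAD_AES_128_GCM", "aes128-ctr"], ["aes128-ctr", "AEAD_AES_128_GCM"],
        ["hmac-sha1"], ["hmac-sha2-256"]))
```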