IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Wed, Apr 15, 2009 at 11:43:54AM -0400, der Mouse wrote:
> > Without offering a solution to the initial negotiation (all that I
> > have seen so far are ugly), I would observe that rekex is far too
> > expensive to be a good solution to this problem.
> 
> Agreed.  It's just the only solution I see that works within the
> existing protocol.  (IMO the _right_ answer is to invent/design a
> protocol that allows algorithms to be tied together for negotiation.)

IMO you're making things too hard.  To repeat myself:

IF an AEAD mode cipher is selected THEN the MAC algs negotiation is
superfluous and thus to be ignored.

That's really quite simple.

Similarly, IF an AEAD mode cipher is selected THEN the packet length
shall be sent unencrypted, with whatever other adjustments need to be
made.  Though here we can add support for the option that Niels proposed
(where the packet lengths are encrypted separately with a separately
keyed non-AEAD cipher that's associated with the AEAD cipher).

KISS.

Nico
-- 
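The rule stated in this message, and the packet layout it implies, as an added example in Go that is not code from the thread or from any SSH implementation: the cipher is negotiated as usual, the MAC lists are ignored when an AEAD mode wins, and the packet length is sent in the clear but bound as associated data so a tampered length fails authentication (the layout RFC 5647 later specified for AES-GCM). The `aeadCiphers` list and the helper names are assumptions made for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// AEAD cipher names (constructed list; the GCM names are those RFC 5647 registers for SSH).
var aeadCiphers = map[string]bool{"AEAD_AES_128_GCM": true, "AEAD_AES_256_GCM": true}
// firstCommon returns the first entry of a that b also offers (client order wins).
func firstCommon(a, b []string) string {
	for _, x := range a {
		for _, y := range b {
			if x == y { return x }
		}
	}
	return ""
}
// negotiate: pick the cipher as usual; if it is an AEAD mode, ignore the MAC lists (macName "").
func negotiate(cCiphers, sCiphers, cMACs, sMACs []string) (cipherName, macName string, err error) {
	if cipherName = firstCommon(cCiphers, sCiphers); cipherName == "" {
		return "", "", errors.New("no common cipher")
	}
	if aeadCiphers[cipherName] {
		return cipherName, "", nil // MAC negotiation is superfluous
	}
	if macName = firstCommon(cMACs, sMACs); macName == "" {
		return "", "", errors.New("no common MAC")
	}
	return cipherName, macName, nil
}
// newGCM wraps an AES key as an AES-GCM AEAD (16-byte key = AEAD_AES_128_GCM).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// sealPacket (RFC 5647 style): packet_length goes in the clear but is bound as
// associated data; the GCM tag replaces the MAC field. Output: length||ct||tag.
func sealPacket(aead cipher.AEAD, nonce, body []byte) []byte {
	length := make([]byte, 4)
	binary.BigEndian.PutUint32(length, uint32(len(body)))
	return aead.Seal(length, nonce, body, length)
}
// openPacket verifies the tag over the clear length and the body together.
func openPacket(aead cipher.AEAD, nonce, pkt []byte) ([]byte, error) {
	if len(pkt) < 4 { return nil, errors.New("short packet") }
	return aead.Open(nil, nonce, pkt[4:], pkt[:4])
}
```

The nonce handling (a per-packet invocation counter) is left out; a real implementation must never reuse a nonce under the same key.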


