IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



> There has been a security vulnerability that resulted from
> information leaks that take place when the encrypted packet length is
> decrypted and checked before the MAC is verified.

Which actually is mostly unavoidable, since the MAC can't be even
_located_ until the packet length is known.

> The leak was enormously compounded by sending the decrypted packet
> length in a DISCONNECT packet,

!!  It's hardly the fault of the protocol if implementations
gratuitously leak cribs for attacking the crypto!

Some information leakage is unavoidable; if nothing else, the placement
of error detection by the receiver can act as an oracle for whether the
decrypted length falls into certain ranges.  But that's a far cry from
blatantly leaking 32 of the cleartext bits for attacker-chosen
ciphertext.  (Though, even then, it's just a flavour of
chosen-ciphertext attack, and a relatively expensive one - got a
reference to the weakness in question?  Even though I'm just a
dilettante as a cryptographer, I'd like to have a look for myself.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
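The ordering problem the message discusses (the packet length must be decrypted and range-checked before the MAC can even be located, and an implementation that echoes that decrypted length back hands the sender a 32-bit crib) is easiest to see in a small model of the receive path. The following Python is an added example written for this archive page; it is not code from the thread's author, from any SSH implementation, or from the AES-GCM draft under discussion. It uses only the standard library, so HMAC-SHA256 in counter mode stands in for the block cipher and an HMAC tag stands in for the GCM tag; the function names, the 35000-byte sanity bound and the `echo_length_in_error` switch are the example's own. It contrasts the legacy framing (encrypted length, MAC located only after decryption) with the RFC 5647-style framing (length sent in the clear and bound as associated data), and the accompanying checks are the kind of regression test a receiver should pass: the error path must not depend on decrypted plaintext.

```python
"""Model of the two SSH receive paths: legacy framing with an encrypted
length field, and AEAD framing (RFC 5647 AES-GCM layout) with the length
carried in the clear as associated data. Standard library only: HMAC-SHA256
stands in for AES-CTR and for the AEAD tag; the framing and the order of
checks are the point, not the cipher. Added example, not code from the thread."""
import hashlib
import hmac
import os
import struct

BLOCK = 16
MAX_PACKET = 35000  # sanity bound; RFC 4253 requires support for packets up to this size
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR/GCM's counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _nonce(seq: int) -> bytes:
    return struct.pack(">Q", seq)  # per-packet nonce derived from the sequence number


def legacy_send(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """RFC 4253-style framing: length, padding length, payload and padding are all
    encrypted; the MAC covers seq || plaintext and is appended after the ciphertext."""
    padlen = BLOCK - (5 + len(payload)) % BLOCK
    if padlen < 4:
        padlen += BLOCK
    body = bytes([padlen]) + payload + os.urandom(padlen)
    packet = struct.pack(">I", len(body)) + body
    ct = _xor(packet, _keystream(enc_key, _nonce(seq), len(packet)))
    tag = hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()
    return ct + tag


def legacy_receive(enc_key: bytes, mac_key: bytes, seq: int, wire: bytes,
                   echo_length_in_error: bool = False) -> tuple:
    """The first block must be decrypted to learn the length, and the length must be
    range-checked before the MAC can be located. That check is unavoidably an oracle
    on the decrypted length's range; echo_length_in_error=True reproduces the far
    worse behaviour the thread describes, where the decrypted length itself is sent
    back (as in a DISCONNECT message), i.e. 32 plaintext bits for chosen ciphertext."""
    ks = _keystream(enc_key, _nonce(seq), len(wire))
    first = _xor(wire[:BLOCK], ks[:BLOCK])
    length = struct.unpack(">I", first[:4])[0]
    if length > MAX_PACKET or (length + 4) % BLOCK != 0:
        if echo_length_in_error:
            return ("error", "bad packet length %d" % length)  # leaks decrypted bits
        return ("error", "bad packet length")  # range oracle only, no crib
    total = 4 + length
    if len(wire) < total + TAG_LEN:
        return ("error", "truncated")
    packet = _xor(wire[:total], ks[:total])
    expected = hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()
    if not hmac.compare_digest(wire[total:total + TAG_LEN], expected):
        return ("error", "bad mac")
    padlen = packet[4]
    return ("ok", packet[5:total - padlen])


def aead_send(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """RFC 5647-style framing: the 4-byte length travels in the clear as associated
    data; padding length, payload and padding are encrypted; the tag binds
    nonce || length || ciphertext."""
    padlen = BLOCK - (1 + len(payload)) % BLOCK
    if padlen < 4:
        padlen += BLOCK
    body = bytes([padlen]) + payload + os.urandom(padlen)
    length = struct.pack(">I", len(body))
    ct = _xor(body, _keystream(enc_key, _nonce(seq), len(body)))
    tag = hmac.new(mac_key, _nonce(seq) + length + ct, hashlib.sha256).digest()
    return length + ct + tag


def aead_receive(enc_key: bytes, mac_key: bytes, seq: int, wire: bytes) -> tuple:
    """The length is public, so range-checking it (and even reporting it) reveals no
    plaintext, and nothing is decrypted until the tag over length || ciphertext verifies."""
    if len(wire) < 4:
        return ("error", "truncated")
    length = struct.unpack(">I", wire[:4])[0]
    if length > MAX_PACKET or length % BLOCK != 0:
        return ("error", "bad packet length %d" % length)  # cleartext field, no leak
    ct = wire[4:4 + length]
    tag = wire[4 + length:4 + length + TAG_LEN]
    if len(ct) != length or len(tag) != TAG_LEN:
        return ("error", "truncated")
    expected = hmac.new(mac_key, _nonce(seq) + wire[:4] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return ("error", "bad tag")
    body = _xor(ct, _keystream(enc_key, _nonce(seq), length))
    return ("ok", body[1:length - body[0]])
```

The useful check for a legacy-style receiver is that flipping a bit in the first ciphertext block produces an error whose text is identical regardless of what the decrypted length turned out to be; a receiver whose error message changes with the decrypted value has the DISCONNECT problem the thread objects to. For the AEAD-style receiver, the same tampering is rejected by the tag before any decryption takes place, and the length check operates on a field the sender already knows.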


