IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Wed, Apr 15, 2009 at 04:20:46PM -0400, der Mouse wrote:
> > There has been a security vulnerability that resulted from
> > information leaks that take place when the encrypted packet length is
> > decrypted and checked before the MAC is verified.
> 
> Which actually is mostly unavoidable, since the MAC can't be even
> _located_ until the packet length is known.
> 
> > The leak was enormously compounded by sending the decrypted packet
> > length in a DISCONNECT packet,
> 
> !!  It's hardly the fault of the protocol if implementations
> gratuitously leak cribs for attacking the crypto!

Even without the DISCONNECT and syslogging you still leak quite a bit
IFF the packet length decodes to something less than max packet.  Yes,
it's unlikely for an active attacker to cause that, since max packet
will usually be on the order of 2^16 while the true maximum packet length
is on the order of 2^32; but surely you see the point.

Nico
-- 



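A worked model of the leak discussed above, added here as an illustration and
not part of the thread or of any SSH implementation: a receiver that decrypts
and range-checks packet_length before the MAC is verified behaves observably
differently (immediate disconnect versus reading length+4 more bytes and then
failing the MAC), and that difference is a decryption oracle on the first four
bytes of any ciphertext block an attacker chooses to inject at a packet
boundary. Assumptions in this example: a toy Feistel network stands in for AES
in CBC mode, MAX_PACKET is 2^16 as in the message, the MAC is 20 bytes, and
the demo places the connection in the two states of interest directly (using
the key) instead of waiting for them to occur, which in practice happens with
probability about MAX_PACKET / 2^32 per attempt. The payload and key are
constructed.

```python
"""Model of an SSH transport that decrypts and range-checks packet_length
before verifying the MAC, and of the length oracle this gives an attacker.
Added illustration; the block cipher is a toy Feistel network, not AES."""
import hashlib
import struct
from typing import Optional

BLOCK = 16            # cipher block size in bytes (AES-sized)
MAC_LEN = 20          # assumption: HMAC-SHA1-sized tag; only its length matters
MAX_PACKET = 1 << 16  # assumption: "on the order of 2^16", as in the message
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed-hash round function for the toy Feistel cipher (not a real design).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


class Receiver:
    """Pre-fix receive path: decrypt the first block, range-check packet_length,
    then read 4 + packet_length + MAC_LEN bytes and only then check the MAC."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.iv = iv      # CBC chaining value: the last ciphertext block seen
        self.buf = b""
        self.need: Optional[int] = None

    def feed(self, data: bytes) -> str:
        self.buf += data
        if self.need is None:
            if len(self.buf) < BLOCK:
                return "NEED_MORE"
            first = _xor(toy_decrypt_block(self.key, self.buf[:BLOCK]), self.iv)
            length = struct.unpack(">I", first[:4])[0]
            if length < 5 or length > MAX_PACKET:
                self.buf, self.need = b"", None
                return "DISCONNECT"          # fires before any MAC check
            self.need = 4 + length + MAC_LEN
        if len(self.buf) < self.need:
            return "NEED_MORE"
        self.buf, self.need = b"", None      # the MAC check would happen here ...
        return "MAC_ERROR"                    # ... and attacker data always fails it


def leak_length(recv: Receiver, block: bytes) -> Optional[int]:
    """Inject one ciphertext block as the start of a packet and count how many
    bytes the receiver consumes before it complains. None: rejected outright."""
    status = recv.feed(block)
    if status == "DISCONNECT":
        return None
    sent = BLOCK
    while status == "NEED_MORE":      # feed junk one byte at a time
        status = recv.feed(b"\x00")
        sent += 1
    return sent - 4 - MAC_LEN          # exactly the 32-bit length word it decrypted


def recover_first_word(recv: Receiver, c_target: bytes, c_prev: bytes) -> Optional[int]:
    """The receiver computed D(c_target) XOR recv.iv; the original plaintext
    block was D(c_target) XOR c_prev. Both chaining values are on the wire,
    so the attacker unmasks the leaked word with their XOR."""
    iv = recv.iv
    leaked = leak_length(recv, c_target)
    if leaked is None:
        return None
    return leaked ^ struct.unpack(">I", _xor(iv[:4], c_prev[:4]))[0]


def demo() -> dict:
    key = hashlib.sha256(b"demo key").digest()[:16]   # constructed, fixed for repeatability
    iv0 = hashlib.sha256(b"demo iv").digest()[:16]
    payload = b"password: hunter2"                     # constructed victim payload
    pad = BLOCK - (4 + 1 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    plain = struct.pack(">I", 1 + len(payload) + pad) + bytes([pad]) + payload + bytes(pad)
    ct = cbc_encrypt(key, iv0, plain)
    c1, c2 = ct[:BLOCK], ct[BLOCK:]
    recv = Receiver(key, iv=c2)                        # chaining state after the packet

    # In the natural state D(c2) XOR c2 is effectively random and lands in
    # range with probability about MAX_PACKET / 2**32 per try; a real attacker
    # simply retries at later packet boundaries. For a repeatable demo we set
    # the two states of interest directly (this uses the key; the attacker does not).
    d = toy_decrypt_block(key, c2)
    recv.iv = _xor(d, struct.pack(">I", 0xFFFFFFFF) + bytes(12))
    out_of_range = recover_first_word(recv, c2, c1)    # None: disconnect, nothing learnt
    recv.iv = _xor(d, struct.pack(">I", 0x1234) + bytes(12))
    word = recover_first_word(recv, c2, c1)            # in range: all 32 bits leak
    return {
        "out_of_range": out_of_range,
        "recovered": None if word is None else struct.pack(">I", word),
        "true": plain[BLOCK:BLOCK + 4],
    }


if __name__ == "__main__":
    print(demo())
```

Running it recovers the four plaintext bytes at the start of the second block
of the captured packet (here the middle of the constructed password) from the
byte count alone. The out-of-range attempt returns None, which is the common
case: with a 32-bit length field and a 2^16 ceiling, roughly one attempt in
2^16 passes the range check, but every one that passes leaks the whole word,
and nothing in the MAC helps because it is checked too late.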