IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Wed, Apr 15, 2009 at 08:54:21PM +0200, Niels Möller wrote:
> Nicolas Williams <Nicolas.Williams%Sun.COM@localhost> writes:
> 
> > There has been a security vulnerability that resulted from information
> > leaks that take place when the encrypted packet length is decrypted and
> > checked before the MAC is verified.  The leak was enormously compounded
> > by sending the decrypted packet length in a DISCONNECT packet, but also
> > by syslog()ing the decrypted packet length as well.
> 
> Thanks. Do you have a pointer to more details?

http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

> > I've not looked at how PKCS#11 deals with AEAD, but I'm pretty sure that
> > it does not have any support for encrypted packet lengths.
> 
> I think it would be valuable if you could check that. Other APIs and toolkits

I did, and I posted on that a few hours ago.  And lo and behold, PKCS#11
does indeed require that the length be provided by the application at
decrypt time -- or at least that's my interpretation of the draft, but
I'll re-read it in case you're correct that it's online, that one could
call C_DecryptUpdate() once to get the length (and padding, ...) then
again to get the rest.

Nico
-- 
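The defensive pattern the first quoted paragraph points at (never act on, or report, a decrypted packet length before the MAC has verified) as an added example; this is not code from the thread or from any SSH implementation. It follows the RFC 5647 AES-GCM framing, in which packet_length travels in the clear and is bound as AAD; because the Python standard library has no AEAD, the AES-GCM keystream and tag are replaced by a constructed HMAC-SHA256 stand-in, and the nonce layout (fixed IV || sequence number) and parameter names are simplifying assumptions.

```python
import hashlib
import hmac
import os
import struct

MAX_PACKET = 35000   # RFC 4253 minimum packet size every implementation must accept
TAG_LEN = 16

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stand-in for the AES-GCM keystream: HMAC-SHA256 in counter mode.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Stand-in for the GCM tag: binds nonce, the clear-text length (AAD) and ciphertext.
    return hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]

def encode_packet(enc_key, mac_key, iv, seqno, payload, block=16):
    """RFC 5647 layout: packet_length (clear, AAD) || ENC(padding_length||payload||padding) || tag."""
    padlen = block - ((1 + len(payload)) % block)
    padlen += block if padlen < 4 else 0          # RFC 4253: at least 4 bytes of padding
    body = bytes([padlen]) + payload + os.urandom(padlen)
    length = struct.pack(">I", len(body))
    nonce = iv + struct.pack(">I", seqno)         # fixed IV || invocation counter (simplified)
    ct = _xor(body, _keystream(enc_key, nonce, len(body)))
    return length + ct + _tag(mac_key, nonce, length, ct)

def receive_packet(enc_key, mac_key, iv, seqno, wire):
    """Returns the payload, or None on ANY failure.  The clear length only frames the read;
    nothing is decrypted, parsed or reported before the tag verifies, and all failures look alike."""
    if len(wire) < 4 + 5 + TAG_LEN:
        return None
    length = wire[:4]
    (plen,) = struct.unpack(">I", length)
    if plen < 5 or plen > MAX_PACKET or len(wire) != 4 + plen + TAG_LEN:
        return None
    ct, tag = wire[4:4 + plen], wire[4 + plen:]
    nonce = iv + struct.pack(">I", seqno)
    if not hmac.compare_digest(_tag(mac_key, nonce, length, ct), tag):
        return None                               # unauthenticated: decrypt nothing
    body = _xor(ct, _keystream(enc_key, nonce, plen))
    padlen = body[0]
    if padlen < 4 or padlen + 1 > plen:
        return None
    return body[1:plen - padlen]
```

A tampered length field, a tampered ciphertext, a bad tag and a replay under another sequence number all produce the same None, so the peer learns nothing about what the ciphertext would have decrypted to.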


