IETF-SSH archive
Re: applying AES-GCM to secure shell: proposed "tweak"
On Wed, 15 Apr 2009, Nicolas Williams wrote:
> On Wed, Apr 15, 2009 at 03:52:46PM -0400, Jeffrey Hutzelman wrote:
> > What I'd suggest instead is defining a unique MAC algorithm for each AEAD
> > encryption algorithm, which has the same effects as null but is usable
> > _only_ when the corresponding encryption algorithm is selected. This is a
> > simple and straightforward modification to the negotiation rules which
>
> But not simpler than my proposal:
>
> IF an AEAD cipher is selected THEN no MAC alg is selected (since the
> cipher provides integrity protection all by its lonesome).
>
> We should pick the simplest solution that does the job. I don't think
> you'll find one simpler than the above.
+1
This seems to be the least horrible solution to the problem. It is
certainly the easiest to implement, which makes me think that it won't
be stuffed up.
-d
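Worked example, added here and not part of the thread or of any SSH implementation: the negotiation rule under discussion written out in Python. RFC 4253 section 7.1 selects, for each algorithm slot, the first name on the client's list that also appears on the server's list; the rule proposed above adds one step, namely that when the selected cipher is an AEAD cipher the MAC slot is not negotiated at all. The AEAD cipher names below are OpenSSH's registered names used only for illustration; the AEAD_CIPHERS set, the helper names and the sample name-lists are assumptions made for this example.

```python
"""RFC 4253 section 7.1 name-list negotiation, plus the "AEAD cipher
means no MAC algorithm" rule proposed in the thread.

Added example; not code from the thread or from any SSH implementation.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed for this example: cipher names that carry their own
# integrity protection (OpenSSH-style names, used for illustration).
AEAD_CIPHERS = frozenset({
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
})


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first name on the client's list that the server
    also lists wins; None if the lists have nothing in common."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


@dataclass(frozen=True)
class Direction:
    cipher: str
    mac: Optional[str]  # None: integrity comes from the AEAD cipher's tag


def negotiate_direction(client_ciphers: List[str], server_ciphers: List[str],
                        client_macs: List[str], server_macs: List[str]) -> Direction:
    """Negotiate one direction (c2s or s2c) of the transport.

    The cipher is negotiated first. If it is an AEAD cipher, the MAC
    name-lists are never consulted, so a MAC mismatch cannot fail the
    exchange and no separate MAC can end up layered on top of the AEAD tag.
    """
    cipher = negotiate(client_ciphers, server_ciphers)
    if cipher is None:
        raise ValueError("no common cipher")
    if cipher in AEAD_CIPHERS:
        return Direction(cipher, None)
    mac = negotiate(client_macs, server_macs)
    if mac is None:
        raise ValueError("no common MAC")
    return Direction(cipher, mac)


def integrity_source(d: Direction) -> str:
    """What the packet layer should append after the ciphertext."""
    return "aead-tag" if d.mac is None else "mac:" + d.mac


def demo() -> dict:
    # Constructed sample name-lists for both sides.
    client_ciphers = ["aes128-gcm@openssh.com", "aes128-ctr"]
    server_ciphers = ["aes128-ctr", "aes128-gcm@openssh.com"]
    client_macs = ["hmac-sha2-256"]
    server_macs = ["hmac-sha1"]  # no MAC in common with the client
    # Client preference picks the AEAD cipher; the MAC mismatch is irrelevant.
    aead = negotiate_direction(client_ciphers, server_ciphers, client_macs, server_macs)
    # With a non-AEAD cipher preferred, the same MAC lists are a hard failure.
    try:
        negotiate_direction(["aes128-ctr"], server_ciphers, client_macs, server_macs)
        ctr_outcome = "negotiated"
    except ValueError as e:
        ctr_outcome = str(e)
    return {"aead": aead, "ctr_outcome": ctr_outcome}


if __name__ == "__main__":
    r = demo()
    print(r["aead"], integrity_source(r["aead"]))
    print("aes128-ctr with mismatched MAC lists:", r["ctr_outcome"])
```

The point the example makes is the one argued above: with the cipher-first rule there is nothing extra to negotiate, validate, or keep consistent for the AEAD case, whereas a dedicated per-cipher MAC name would have to be offered, matched, and then cross-checked against the cipher that was actually chosen.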