IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Thu, Apr 16, 2009 at 07:51:12AM +1000, Damien Miller wrote:
> On Wed, 15 Apr 2009, Nicolas Williams wrote:
> 
> > On Wed, Apr 15, 2009 at 03:52:46PM -0400, Jeffrey Hutzelman wrote:
> > > What I'd suggest instead is defining a unique MAC algorithm for each AEAD 
> > > encryption algorithm, which has the same effects as null but is usable 
> > > _only_ when the corresponding encryption algorithm is selected.  This is a 
> > > simple and straightforward modification to the negotiation rules which 
> > 
> > But not simpler than my proposal:
> > 
> >    IF an AEAD cipher is selected THEN no MAC alg is selected (since the
> >    cipher provides integrity protection all by its lonesome).
> > 
> > We should pick the simplest solution that does the job.  I don't think
> > you'll find one simpler than the above.
> 
> +1
> 
> This seems to be the least horrible solution to the problem. It is
> certainly the easiest to implement, which makes me think that it won't
> be stuffed up.

Jeff Hutzelman objects that this violates the abstraction that the
transport layer defines the binary packet encoding.  I don't give a
damn.
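The negotiation rule proposed above, worked through as an added example (not code from this thread or from any SSH implementation): the usual SSH choice of the first client-preferred algorithm the server also offers, followed by the tweak that an AEAD cipher means no MAC algorithm is selected at all. The AEAD cipher names and the sample preference lists are assumptions.

```python
# Added example: SSH algorithm negotiation with the "AEAD implies no MAC" rule
# from the thread. Not code from the thread or from any SSH implementation;
# the AEAD cipher names and the sample preference lists are assumptions.

# Assumed set of cipher names that provide their own integrity protection.
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}


def pick_first_match(client_prefs, server_prefs):
    """Usual SSH rule: the first algorithm in the client's list that the
    server also supports; None if there is no common algorithm."""
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None


def negotiate(client_ciphers, server_ciphers, client_macs, server_macs):
    """Return (cipher, mac) for one direction of the SSH transport.

    The proposed tweak: if the selected cipher is an AEAD cipher, no MAC
    algorithm is selected, so an empty MAC intersection is not a failure.
    Otherwise a common MAC is required as usual.  Raises ValueError when
    negotiation fails.
    """
    cipher = pick_first_match(client_ciphers, server_ciphers)
    if cipher is None:
        raise ValueError("no common cipher")
    if cipher in AEAD_CIPHERS:
        # Integrity comes from the cipher itself; the MAC lists are ignored.
        return cipher, None
    mac = pick_first_match(client_macs, server_macs)
    if mac is None:
        raise ValueError("no common MAC for non-AEAD cipher %s" % cipher)
    return cipher, mac


def negotiation_fails(*args):
    """True when negotiate() rejects the given preference lists."""
    try:
        negotiate(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample preference lists: AEAD chosen, MACs have no overlap.
    print(negotiate(["aes128-gcm@openssh.com", "aes128-ctr"],
                    ["aes128-ctr", "aes128-gcm@openssh.com"],
                    ["hmac-sha2-256"], ["hmac-sha1"]))
```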


