IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



der Mouse  <mouse%Rodents-Montreal.ORG@localhost> wrote:
> Presumably, the 2^-18, 2^-16, or 2^-14 probability of an attack being
> successful I've seen cited is due to that: it works only when the
> decrypted length has enough zero high-order bits that the attacker can
> tell it from random garbage.  But I've been staring at CBC and haven't
> been able to see how knowing that is useful to the attacker - except as
> a partial crib for attacking the bulk crypto, which is not what the
> descriptions sound like.

You don't use it to attack the bulk crypto: you use it to get a
partial decryption of a particular cipher block. So you start by
traffic-analysing the session to identify a block you'd like to know
the plaintext of (e.g. the one that occurs at the right point within
SSH_MSG_PASSWORD); then you inject that same cipher block in place
of the length-containing block of a later packet, in the hope of
finding out something about its contents. If you find out that the
block decrypts to some valid packet length in the latter context,
then you can XOR in the difference between the previous cipher
blocks in both contexts to determine part of what the same block
decrypted to the first time round.

(Since the attack can only be used against a block from the same
session and you expect to splatter 2^18 connections before getting a
result, you'd only want to use it against some data which reliably
occurs in lots of sessions and which you desperately want to know.
The password packet is probably the only practical target, in almost
all circumstances.)
-- 
Simon Tatham         "Imagine what the world would be like if
<anakin%pobox.com@localhost>    there were no hypothetical situations..."
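The CBC identity the reply relies on, as an added example that is not part of the original mail: it uses a constructed toy byte-substitution cipher in place of AES (the identity only needs the block cipher to be a permutation) and a constructed length threshold to model a receiver that acts on the decrypted length before checking integrity, alongside a hardened receiver that does not.

```python
import random

BLOCK = 16


def _sbox(key: bytes):
    # Toy key-dependent byte permutation standing in for AES (constructed; not a
    # real cipher). The CBC identity below holds for any block-cipher permutation.
    box = list(range(256))
    random.Random(key).shuffle(box)
    inv = [0] * 256
    for i, b in enumerate(box):
        inv[b] = i
    return bytes(box), bytes(inv)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt_block(key: bytes, prev: bytes, p: bytes) -> bytes:
    fwd, _ = _sbox(key)
    return bytes(fwd[b] for b in xor(p, prev))  # C_i = E(P_i XOR C_{i-1})


def cbc_decrypt_block(key: bytes, prev: bytes, c: bytes) -> bytes:
    _, inv = _sbox(key)
    return xor(bytes(inv[b] for b in c), prev)  # P_i = D(C_i) XOR C_{i-1}


def vulnerable_length_check(key: bytes, prev: bytes, first_block: bytes) -> bool:
    # Receiver that acts on the decrypted length before any integrity check.
    # The threshold is constructed; it models "enough zero high-order bits".
    length = int.from_bytes(cbc_decrypt_block(key, prev, first_block)[:4], "big")
    return length < 2 ** 18


def hardened_receiver(mac_ok: bool, key: bytes, prev: bytes, first_block: bytes) -> str:
    # Encrypt-then-MAC or an AEAD (the thread's AES-GCM proposal): a spliced block
    # fails integrity and yields one uniform error, so no length oracle exists.
    if not mac_ok:
        return "integrity failure"
    return "ok:%d" % int.from_bytes(cbc_decrypt_block(key, prev, first_block)[:4], "big")


def recover_original_block(key: bytes, prev_orig: bytes, c_target: bytes, prev_new: bytes) -> bytes:
    # Decrypting C_target after a different predecessor changes only the XOR mask:
    # P_orig = P_new XOR prev_new XOR prev_orig. Whatever the length check reveals
    # about P_new therefore reveals the same bits of P_orig.
    p_new = cbc_decrypt_block(key, prev_new, c_target)
    return xor(p_new, xor(prev_new, prev_orig))
```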
