Re: applying AES-GCM to secure shell: proposed "tweak"

To: <ietf-ssh%NetBSD.org@localhost>
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: "denis bider \(Bitvise\)" <ietf-ssh2%denisbider.com@localhost>
Date: Wed, 15 Apr 2009 19:51:43 -0400

Even without the DISCONNECT and syslogging you still leak quite a bit
IFF the packet length decodes to something less than max packet.  Yes,
it's unlikely for an active attacker to cause that, since max packet
will usually be on the order of 2^16 but the truly max packet length is
on the order of 2^32, but surely you see the point.

It is not necessary to leak anything. If decoded packet length is invalid orexceeds MaxPacketLength (e.g. 2^16), then:

1. Select a random valid packet length between MinPacketLength andMaxPacketLength.


2. Read the randomly selected amount of data.

3. Choke as if MAC is incorrect.

This prevents the attacker from knowing whether the info they're getting isuseful or not, and the likelihood is 1 against 2^N that it's not.


denis

References:
- applying AES-GCM to secure shell: proposed "tweak"
  - From: Tim Polk
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Niels Möller
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: der Mouse
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

Prev by Date: SSH_MSG_KEXINIT extensions field [was Re: applying AES-GCM to secure shell: proposed "tweak"]
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index