Re: applying AES-GCM to secure shell: proposed "tweak"

To: mouse%Rodents-Montreal.ORG@localhost, Nicolas.Williams%sun.com@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Thu, 16 Apr 2009 16:15:33 +1200

Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>I don't recall where the attack is described.

It's in a conference paper that hasn't been published yet, to appear at the
IEEE Oakland conference in... May, I think.

[Pause]

Yup, see http://oakland09.cs.virginia.edu/papers.html.

>Briefly: an active attacker replaces what he/she knows to be an encrypted
>packet length with bytes that he/she knows correspond to an encrypted
>password, then after that sends the remainder of the packet (possibly
>garbage) one byte/block at a time.

It's interesting to note here that there have been a number of attacks (of
which this is the latest) on encrypted lengths, but none on plaintext lengths
as used by TLS.  In other words the "more secure" option used by SSH is
actually less secure than the "less secure" option of not encrypting, the
cause being the unnecessary complexity of processing that this introduces (see
my earlier posts in this thread, and I still owe people some replies for one
or two of those, sorry).

Peter.

Follow-Ups:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

References:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index