IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>I don't recall where the attack is described.

It's in a conference paper that hasn't been published yet, to appear at the
IEEE Oakland conference in... May, I think.

[Pause]

Yup, see http://oakland09.cs.virginia.edu/papers.html.

>Briefly: an active attacker replaces what he/she knows to be an encrypted
>packet length with bytes that he/she knows correspond to an encrypted
>password, then after that sends the remainder of the packet (possibly
>garbage) one byte/block at a time.

It's interesting to note here that there have been a number of attacks (of
which this is the latest) on encrypted lengths, but none on plaintext lengths
as used by TLS.  In other words the "more secure" option used by SSH is
actually less secure than the "less secure" option of not encrypting, the
cause being the unnecessary complexity of processing that this introduces (see
my earlier posts in this thread, and I still owe people some replies for one
or two of those, sorry).

Peter.
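The attack quoted above (the one in the Albrecht, Paterson and Watson paper at Oakland 2009) can be reproduced against a toy model of the SSH packet layer. The following simulation is an added example; it is not code from this thread, from the paper, or from any SSH implementation. Assumptions: a 16-byte Feistel cipher keyed with blake2b stands in for AES; the receiver behaves like the OpenSSH code path the paper analyses, decrypting the first block, rejecting a packet_length that is implausible (here: over 256 KiB, or not extending past the block already read), and otherwise reading 4 + packet_length bytes before the MAC check on the forged packet fails; the block-alignment check OpenSSH also performs is left out, so the forged length passes about once per 2^14 connections and the attacker simply retries on fresh sessions, as the real attack must. Because SSH chains CBC across packets, the IV the receiver uses for the injected block is the last ciphertext block on the wire, which the attacker can see.

```python
import hashlib
import struct

BLOCK = 16               # block size of the toy cipher (same as AES)
MAX_PACKET = 256 * 1024  # assumed plausibility cap on packet_length, as in OpenSSH


def xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher; any PRF would do here.
    return hashlib.blake2b(bytes([i]) + half, key=key, digest_size=8).digest()


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # SSH-style CBC: a packet chains off the last ciphertext block of the previous one.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def victim_packet(password: bytes) -> bytes:
    """Constructed 48-byte SSH binary packet whose second block holds the password."""
    header = bytes([50]) + b"\x00" * 10  # SSH_MSG_USERAUTH_REQUEST plus constructed filler
    body = header + password[:BLOCK].ljust(BLOCK, b"\x00") + b"\x00" * BLOCK  # last block: padding
    return struct.pack(">IB", len(body) + 1, BLOCK) + body  # packet_length, padding_length


class Receiver:
    """Receiver side of the packet layer, reduced to what the attack exercises."""

    def __init__(self, key: bytes, iv: bytes):
        self.key, self.iv, self.remaining = key, iv, 0

    def start_packet(self, first_block: bytes) -> bool:
        # The length is decrypted and acted on before any MAC can be verified.
        length = struct.unpack(">I", xor(block_decrypt(self.key, first_block), self.iv)[:4])[0]
        if length + 4 <= BLOCK or length > MAX_PACKET:
            return False  # implausible length: connection dropped at once, no byte count leaks
        self.remaining = 4 + length - BLOCK
        return True

    def feed(self, data: bytes) -> bool:
        # False once the whole packet is in: the MAC check on the forged packet then fails.
        self.remaining -= len(data)
        return self.remaining > 0


def run_attack(password: bytes, max_sessions: int = 200_000):
    """Retry over fresh sessions until the receiver accepts the injected length, then
    recover the first 4 bytes of the password block from how many bytes it consumed."""
    pt = victim_packet(password)
    for session in range(1, max_sessions + 1):
        seed = hashlib.sha512(b"toy-session" + session.to_bytes(4, "big")).digest()
        key, iv = seed[:32], seed[32:48]
        ct = cbc_encrypt(key, iv, pt)  # the traffic the attacker captured
        c_prev, c_target, iv_now = ct[:BLOCK], ct[BLOCK:2 * BLOCK], ct[-BLOCK:]
        rx = Receiver(key, iv_now)  # receiver after that packet: its IV is the last block on the wire
        if not rx.start_packet(c_target):  # length check failed; this costs one connection
            continue
        sent, alive = 0, True
        while alive:  # send garbage one byte at a time until the connection drops
            alive = rx.feed(b"\x00")
            sent += 1
        length = BLOCK + sent - 4  # receiver read exactly 4 + packet_length bytes
        # receiver saw D(C_t) xor IV' = P_t xor C_{t-1} xor IV', so solve for P_t[0:4]
        recovered = xor(xor(struct.pack(">I", length), c_prev[:4]), iv_now[:4])
        return session, recovered, pt[BLOCK:BLOCK + 4]
    raise RuntimeError("no session passed the length check")


if __name__ == "__main__":
    s, got, want = run_attack(b"hunter2")
    print(f"session {s}: recovered {got!r}, actual {want!r}")
```

What the simulation makes visible is where the leak sits: not in the cipher, but in the receiver acting on decrypted data (the length) before anything has authenticated it, with the byte count at which the connection dies acting as the oracle. The retry loop is part of the picture too: every failed attempt kills a connection, which is exactly the kind of noise a detection rule on repeated MAC failures or abrupt disconnects should flag.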


