Re: applying AES-GCM to secure shell: proposed "tweak"

To: mouse%Rodents-Montreal.ORG@localhost, Nicolas.Williams%sun.com@localhost
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Thu, 16 Apr 2009 16:21:42 +1200

Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>    When a KEXINIT is received that has a non-zero value in the KEXINIT
>    reserved uint32 field, then the receiver MUST ignore both, the
>    reserved uint32 field and any additional bytes in the packet beyond
>    it.

I'm not sure that this length-extension will work.  The spec has always said
that the packet ends at the reserved field, but this would change it to say
that it can now continue more or less arbitrarily beyond this point.  What
will existing implementations do if they see garbage beyond this point? 

I'd also rephrase the above a bit to say:

    When a KEXINIT is received that has a non-zero value in the KEXINIT
	reserved uint32 field and the receiver can't process a non-zero value then
	it MUST ignore it.

The original text seems to say "this value must always be ignored", the new
text says "if you don't know what the significance of the flags are, ignore
them".  Well OK, it says it rather badly, I'm open to suggestions for better
phrasings.

Peter.

Follow-Ups:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Damien Miller

References:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Previous by Thread: SSH_MSG_KEXINIT extensions field [was Re: applying AES-GCM to secure shell: proposed "tweak"]
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index