IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> I'd prefer not to have that particular rule.  I think it would be better
> to explicitly describe a MAC algorithm which does nothing has no effect,
> and do one of these:

[...]

> b) Allow a MAC algorithm to depend on encryption algorithm properties,
>   in the way that keyex algorithms depend on properties of host key
>   algorithms.  This means that such an algorithm can be considered
>   only if the selected encryption algorithm has whatever property it
>   depends on.  Then specify a single do-nothing MAC algorithm which
>   depends on AEAD encryption algorithm.

This makes sense to me. I'd prefer this option, then. The name could
be "none-if-aead".

>> Implementations not supporting AEAD need of course not know or care
>> about this rule. A party that advertises only AEAD-algorithms for
>> encryption can safely list "none" as the only MAC algorithm (IIRC,
>> it's not allowed to send an empty list, and any value, not just
>> "none", will work just as well), negotiation with a party not
>> supporting AEAD will then fail in an orderly manner.
>
> ... unless someone decides to implement "none" and not AEAD.

In this scenario, the MAC selection may end up with "none", but the
intersection of the encryption algorithm lists will be empty, and
hence negotiation fails. Right?

Regards,
/Niels
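The negotiation logic the two messages argue about, as an added example that is not part of the thread: RFC 4253 picks, for each direction, the first algorithm on the client's list that the server also lists, and the example extends that with Jeffrey's option (b), a do-nothing MAC that is eligible only when the negotiated cipher is AEAD. The name "none-if-aead", the AEAD property table, and the algorithm lists are constructed for illustration; the scenario `peer_without_aead` is the "implements none but not AEAD" case, where the empty cipher intersection ends the negotiation before the MAC choice matters.

```python
from typing import List, Optional, Tuple

# Assumed property table: which cipher names provide authenticated encryption.
# A real implementation would take this from the cipher's registration.
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}

# Hypothetical MAC name from the thread: a no-op MAC that may only be
# selected together with an AEAD cipher.
NONE_IF_AEAD = "none-if-aead"


def is_aead(cipher: str) -> bool:
    return cipher in AEAD_CIPHERS


def choose_first_common(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1 rule: the first name in the client's list that the
    server also supports wins; None means the intersection is empty."""
    for name in client:
        if name in server:
            return name
    return None


def choose_mac(client_macs: List[str], server_macs: List[str],
               cipher: str) -> Optional[str]:
    """Same first-common rule, but a MAC that depends on an encryption
    property is considered only if the already-chosen cipher has it."""
    for name in client_macs:
        if name not in server_macs:
            continue
        if name == NONE_IF_AEAD and not is_aead(cipher):
            continue  # no-op MAC over a non-AEAD cipher would leave data unauthenticated
        return name
    return None


def negotiate(client_ciphers: List[str], client_macs: List[str],
              server_ciphers: List[str], server_macs: List[str]
              ) -> Optional[Tuple[str, str]]:
    """Negotiate one direction. Returns (cipher, mac) or None on failure,
    which in SSH means the connection is disconnected."""
    cipher = choose_first_common(client_ciphers, server_ciphers)
    if cipher is None:
        return None  # empty cipher intersection: fail before looking at MACs
    mac = choose_mac(client_macs, server_macs, cipher)
    if mac is None:
        return None
    return cipher, mac


# Constructed scenarios.
def both_aead() -> Optional[Tuple[str, str]]:
    return negotiate(["aes256-gcm@openssh.com"], [NONE_IF_AEAD],
                     ["aes256-gcm@openssh.com", "aes128-ctr"],
                     [NONE_IF_AEAD, "hmac-sha2-256"])


def peer_without_aead() -> Optional[Tuple[str, str]]:
    # Server lists the no-op MAC but no AEAD cipher: cipher intersection is empty.
    return negotiate(["aes256-gcm@openssh.com"], [NONE_IF_AEAD],
                     ["aes128-ctr"], [NONE_IF_AEAD, "hmac-sha2-256"])


def noop_mac_over_ctr() -> Optional[Tuple[str, str]]:
    # Both sides offer only the no-op MAC but agree on a non-AEAD cipher:
    # the dependency rule rejects the MAC, so negotiation fails instead of
    # producing an unauthenticated stream.
    return negotiate(["aes128-ctr"], [NONE_IF_AEAD],
                     ["aes128-ctr"], [NONE_IF_AEAD])


def mixed_preference() -> Optional[Tuple[str, str]]:
    # Client prefers CTR; the no-op MAC is skipped and a real MAC is chosen.
    return negotiate(["aes128-ctr", "aes256-gcm@openssh.com"],
                     [NONE_IF_AEAD, "hmac-sha2-256"],
                     ["aes256-gcm@openssh.com", "aes128-ctr"],
                     [NONE_IF_AEAD, "hmac-sha2-256"])


if __name__ == "__main__":
    for scenario in (both_aead, peer_without_aead, noop_mac_over_ctr, mixed_preference):
        print(f"{scenario.__name__}: {scenario()}")
```

The ordering matters: the cipher is chosen before the MAC, so a property-dependent MAC can be evaluated against a known cipher, and a peer that offers the no-op MAC without any AEAD cipher never reaches the MAC step at all.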


