IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: applying AES-GCM to secure shell: proposed "tweak"
Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:
> But, actually, I think I was wrong about PKCS#11, it does seem to allow
> online decryption with AEAD modes.
Good to hear, thanks for checking. If this is indeed a feature that is
typical of aead implementations (as seems to be the case), is there
any remaining reason not to use it and handle the encrypted length
field in the same way as for other encryption algorithms?
Do you reduce possibilities for attacks if you use separate ciphers
for the first blocks and the rest of the data? IIRC, the attacks that
has been mentioned all rely on cbc, so they are not effective against
aes-gcm.
Ideally, I guess it would be best to send
1. first block (encrypted and including length field),
2. mac of first block
3. rest of message (encrypted)
4. mac of complete message
but this is probably not the right time to make changes like that.
Regards,
/Niels
Home |
Main Index |
Thread Index |
Old Index