IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: applying AES-GCM to secure shell: proposed "tweak"
On Thu, 16 Apr 2009, Niels M?ller wrote:
> Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:
>
> > But not simpler than my proposal:
> >
> > IF an AEAD cipher is selected THEN no MAC alg is selected (since the
> > cipher provides integrity protection all by its lonesome).
>
> To be precise, does this mean that the mac-list is ignored, or that
> the *result* of that selection is ignored? Consider the following
> advertised lists:
>
> Client: enc="aead", mac="hmac-sha1"
> Server: enc="aead", mac="hmac-md5"
>
> Should the algorithm selection succeed, settling on aead and no
> additional mac, or fail because there's no common mac?
>
> Or to make it more complicated, what should be the result of:
>
> Client: enc="3des-cbc,aead", mac="hmac-sha1"
> Server: enc="3des-cbc,aead", mac="hmac-md5"
>
> We can either fail, since is 3des-cbc selected for encryption, but
> there's no common mac, or succeed if we notice that there's no common
> mac, and then filter out all non-AEAD options for encryption.
Nice catch. Intuitively, the easiest way to avoid this is to specify
that symmetric cipher agreement must occur before MAC agreement.
Most implementations probably do this already.
-d
Home |
Main Index |
Thread Index |
Old Index