Re: applying AES-GCM to secure shell: proposed "tweak"

To: tri%ssh.com@localhost, Niels Möller <nisse%lysator.liu.se@localhost>
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Date: Thu, 16 Apr 2009 08:27:27 -0400

--On Thursday, April 16, 2009 12:35:15 PM +0300 "Timo J. Rinne"<tri%ssh.com@localhost> wrote:

Niels Möller wrote:

b) Allow a MAC algorithm to depend on encrpytion algorithm properties,
  in the way that keyex algorithms depend on properties of host key
  algorithms.  This means that such an algorithm can be considered
  only if the selected encryption algorithm has whatever property it
  depends on.  Then specify a single do-nothing MAC algorithm which
  depends on AEAD encrpytion algorithm.


This makes sense to me. I'd prefer this option, then. The name could
be "none-if-aead".


I must say I really hate this one.  Instead of one simply defined "magic"
cipher algorithm name that would have, if selected, a side effect of
abolishing MAC, we would have a "magic" MAC name with much more
complicated interdependency to cipher list.

To make it even more clear, the cipher name for aead could me something
like "aes128-aead-nomac".  Then if someone likes to implement aead with
additional mac (I don't know why anyone would do that) then
"aes128-aead%foo.bar@localhost" kind of name could be used.

The problem is, it's not _one_ simply defined "magic" algorithm. It's anarbitrarily large number of them.

But if we're going to go with Nico's "simpler" proposal, we need to addressthe question Niels brought up -- does selecting an AEAD type mean we don'tdo MAC selection at all, or does it mean we do MAC selection and then don'tactually do anything with the resulting MAC?

The question is important because it controls what happens when an AEADalgorithm is selected but there is no mutually-supported MAC algorithm.One answer is simpler to implement, because it doesn't actually change theselection algorithm at all, but the other provides more interoperability.And, Niels brings up a third possibility of somehow noticing when only anAEAD encryption algorithm will work and filtering out all of the others,which seems really complicated to me.


-- Jeff

Follow-Ups:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Timo J. Rinne

References:
- applying AES-GCM to secure shell: proposed "tweak"
  - From: Tim Polk
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Niels Möller
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: der Mouse
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Niels Möller
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Niels Möller
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Niels Möller
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Timo J. Rinne

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Re: applying AES-GCM to secure shell: proposed "tweak" (fwd)
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index