IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



--On Thursday, April 16, 2009 12:35:15 PM +0300 "Timo J. Rinne" <tri%ssh.com@localhost> wrote:

Niels Möller wrote:
b) Allow a MAC algorithm to depend on encryption algorithm properties,
  in the way that keyex algorithms depend on properties of host key
  algorithms.  This means that such an algorithm can be considered
  only if the selected encryption algorithm has whatever property it
  depends on.  Then specify a single do-nothing MAC algorithm which
  depends on AEAD encryption algorithm.

This makes sense to me. I'd prefer this option, then. The name could
be "none-if-aead".

I must say I really hate this one.  Instead of one simply defined "magic"
cipher algorithm name that would have, if selected, a side effect of
abolishing MAC, we would have a "magic" MAC name with a much more
complicated interdependency with the cipher list.

To make it even more clear, the cipher name for aead could be something
like "aes128-aead-nomac".  Then if someone likes to implement aead with
an additional mac (I don't know why anyone would do that) then
"aes128-aead%foo.bar@localhost" kind of name could be used.

The problem is, it's not _one_ simply defined "magic" algorithm. It's an arbitrarily large number of them.

But if we're going to go with Nico's "simpler" proposal, we need to address the question Niels brought up -- does selecting an AEAD type mean we don't do MAC selection at all, or does it mean we do MAC selection and then don't actually do anything with the resulting MAC?

The question is important because it controls what happens when an AEAD algorithm is selected but there is no mutually-supported MAC algorithm. One answer is simpler to implement, because it doesn't actually change the selection algorithm at all, but the other provides more interoperability. And, Niels brings up a third possibility of somehow noticing when only an AEAD encryption algorithm will work and filtering out all of the others, which seems really complicated to me.

-- Jeff
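An added illustration, not from the thread or any SSH implementation, of how the three readings Jeff lists play out under the RFC 4253 section 7.1 selection rule (first client preference the server also supports). "aes128-aead-nomac" is the hypothetical name Timo proposed above; the peer algorithm lists are constructed for the example.

```python
# Added example, not from the thread: three readings of "an AEAD cipher was
# selected" applied to SSH algorithm negotiation (RFC 4253 section 7.1).
# "aes128-aead-nomac" is the hypothetical name proposed in the thread;
# the peer lists below are constructed for illustration.

AEAD_CIPHERS = {"aes128-aead-nomac"}

def choose(client_prefs, server_prefs):
    """RFC 4253 7.1 rule: first client preference that the server also lists."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None

def negotiate(client_ciphers, server_ciphers, client_macs, server_macs, policy):
    """Return (cipher, mac) or None when negotiation fails.

    policy is one of:
      "skip"   - an AEAD cipher ends negotiation; MAC lists are never consulted.
      "ignore" - MAC is negotiated as usual, then discarded for an AEAD cipher.
      "filter" - if no MAC is common, retry the cipher choice restricted to AEAD.
    """
    cipher = choose(client_ciphers, server_ciphers)
    if cipher is None:
        return None
    if policy == "skip" and cipher in AEAD_CIPHERS:
        return (cipher, None)
    mac = choose(client_macs, server_macs)
    if mac is None:
        if policy != "filter":
            return None  # no common MAC: disconnect, even though AEAD needs none
        aead_only = [c for c in client_ciphers if c in AEAD_CIPHERS]
        cipher = choose(aead_only, server_ciphers)
        if cipher is None:
            return None
    if cipher in AEAD_CIPHERS:
        mac = None  # AEAD supplies integrity; a negotiated MAC goes unused
    return (cipher, mac)

# Constructed peers: a shared AEAD cipher, a shared CTR cipher, no MAC in common.
SERVER_CIPHERS = ["aes128-aead-nomac", "aes128-ctr"]
CLIENT_MACS = ["hmac-sha2-256"]
SERVER_MACS = ["hmac-sha1"]

def outcomes(client_ciphers):
    """Result of each policy for a given client cipher preference order."""
    return {p: negotiate(client_ciphers, SERVER_CIPHERS, CLIENT_MACS, SERVER_MACS, p)
            for p in ("skip", "ignore", "filter")}
```

With the client preferring the AEAD cipher, "skip" and "filter" succeed while "ignore" disconnects; with the client preferring aes128-ctr, only "filter" rescues the connection, which is the extra search Jeff calls complicated.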


