IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"
On Thu, Apr 16, 2009 at 10:07:18AM +0200, Niels Möller wrote:
> Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:
> 
> > I'd prefer not to have that particular rule.  I think it would be better
> > to explicitly describe a MAC algorithm which does nothing (has no effect),
> > and do one of these:
> 
> [...]
> 
> > b) Allow a MAC algorithm to depend on encryption algorithm properties,
> >   in the way that keyex algorithms depend on properties of host key
> >   algorithms.  This means that such an algorithm can be considered
> >   only if the selected encryption algorithm has whatever property it
> >   depends on.  Then specify a single do-nothing MAC algorithm which
> >   depends on AEAD encryption algorithm.
> 
> This makes sense to me. I'd prefer this option, then. The name could
> be "none-if-aead".

That's fine with me too.  Though I don't see how it solves this problem:

Client ciphers = des3-cbc, aes-gcm
       MACs    = hmac-md5, none-if-aead
Server ciphers = des3-cbc, aes-gcm
       MACs    = hmac-sha1, none-if-aead

I.e., we still have the problem you found.
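
Added example (editor's illustration, not part of the archived message or
of any SSH implementation): a small model of the algorithm negotiation rule
from RFC 4253 section 7.1, where the encryption algorithm and the MAC
algorithm are each chosen independently as the first name on the client's
list that also appears on the server's list, run over the two algorithm
lists quoted above. It shows why "none-if-aead" does not by itself fix the
problem: independent negotiation picks des3-cbc together with none-if-aead,
and once the proposed dependency rule is applied (none-if-aead acceptable
only with an AEAD cipher) there is no MAC left in common, so the connection
fails even though both sides support aes-gcm. The cipher name "aes-gcm" and
the AEAD classification of it are taken from the message; the joint
cipher-then-MAC search at the end is the editor's own sketch of what would
be needed to recover, not something proposed in the thread.

```python
# Model of SSH algorithm negotiation (RFC 4253 section 7.1) applied to the
# algorithm lists quoted in the message. Editor's example, not SSH code.

# Assumption: the message uses "aes-gcm" as the name of the AEAD cipher.
AEAD_CIPHERS = {"aes-gcm"}


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first name on the client's list that is also on the
    server's list; None if the lists have nothing in common."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def negotiate_independent(client, server):
    """Cipher and MAC chosen independently, as SSH does today."""
    return (
        negotiate(client["ciphers"], server["ciphers"]),
        negotiate(client["macs"], server["macs"]),
    )


def mac_valid_for_cipher(mac, cipher):
    """The dependency rule discussed in the thread: none-if-aead is only
    acceptable when the selected cipher is an AEAD cipher."""
    if mac is None:
        return False
    if mac == "none-if-aead":
        return cipher in AEAD_CIPHERS
    return True


def negotiate_with_dependency(client, server):
    """Cipher first (standard rule), then MAC restricted to names that are
    valid for that cipher. Returns (cipher, None) when no MAC is acceptable,
    i.e. the connection would fail."""
    cipher = negotiate(client["ciphers"], server["ciphers"])
    if cipher is None:
        return None, None
    client_macs = [m for m in client["macs"] if mac_valid_for_cipher(m, cipher)]
    server_macs = [m for m in server["macs"] if mac_valid_for_cipher(m, cipher)]
    return cipher, negotiate(client_macs, server_macs)


def negotiate_joint(client, server):
    """Editor's sketch (not proposed in the thread): walk the client's cipher
    preference list and take the first cipher for which some MAC is also
    negotiable. This is what it would take to reach aes-gcm + none-if-aead."""
    for cipher in client["ciphers"]:
        if cipher not in server["ciphers"]:
            continue
        client_macs = [m for m in client["macs"] if mac_valid_for_cipher(m, cipher)]
        server_macs = [m for m in server["macs"] if mac_valid_for_cipher(m, cipher)]
        mac = negotiate(client_macs, server_macs)
        if mac is not None:
            return cipher, mac
    return None, None


# Constructed from the algorithm lists quoted in the message.
CLIENT = {"ciphers": ["des3-cbc", "aes-gcm"], "macs": ["hmac-md5", "none-if-aead"]}
SERVER = {"ciphers": ["des3-cbc", "aes-gcm"], "macs": ["hmac-sha1", "none-if-aead"]}

if __name__ == "__main__":
    cipher, mac = negotiate_independent(CLIENT, SERVER)
    status = "ok" if mac_valid_for_cipher(mac, cipher) else "INVALID: no-op MAC on non-AEAD cipher"
    print("independent negotiation:", cipher, mac, "->", status)
    print("with dependency rule:   ", negotiate_with_dependency(CLIENT, SERVER))
    print("joint search (sketch):  ", negotiate_joint(CLIENT, SERVER))
```

Running it, the independent rule yields des3-cbc with none-if-aead (a no-op
MAC on a non-AEAD cipher), the dependency rule yields des3-cbc with no MAC
at all, and only the joint search arrives at aes-gcm with none-if-aead.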