IETF-SSH archive
Re: applying AES-GCM to secure shell: proposed "tweak"
On Thu, Apr 16, 2009 at 08:27:27AM -0400, Jeffrey Hutzelman wrote:
> But if we're going to go with Nico's "simpler" proposal, we need to address
> the question Niels brought up -- does selecting an AEAD type mean we don't
> do MAC selection at all, or does it mean we do MAC selection and then don't
> actually do anything with the resulting MAC?
>
> The question is important because it controls what happens when an AEAD
> algorithm is selected but there is no mutually-supported MAC algorithm.
No, the question is irrelevant since it's truly obvious what to do (if
AEAD cipher chosen -> no MAC negotiation takes place). The real problem
is the unrelated problem that Niels found where the client and server
would choose a non-AEAD cipher but have no common MAC and could have
chosen an AEAD cipher.
> And, Niels brings up a third possibility of somehow noticing when only an
> AEAD encryption algorithm will work and filtering out all of the others,
> which seems really complicated to me.
See my other replies.
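To make the negotiation cases in this exchange concrete, here is an added toy model of RFC 4253 section 7.1 algorithm selection (first algorithm on the client's list that the server also supports) with AEAD ciphers bolted on. It is example code written for this archive page, not code from the thread or from any SSH implementation. It covers one direction only (the real protocol negotiates client-to-server and server-to-client separately), and the AEAD method names, the preference lists and the two negotiation policies (the "AEAD chosen means no MAC negotiation" rule and the "filter to AEAD when there is no common MAC" rule) are assumptions made for illustration.

```python
"""Toy model of SSH algorithm negotiation (RFC 4253 section 7.1) with AEAD ciphers.

Added example, not code from the thread. One direction only; the real protocol
runs this twice (client-to-server and server-to-client) with separate lists.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder names for the AEAD cipher methods under discussion (assumption
# made for this toy; the thread had not settled on names).
AEAD_CIPHERS = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}


class NegotiationError(Exception):
    """Raised where a real implementation would disconnect after KEXINIT."""


@dataclass
class Prefs:
    ciphers: List[str]   # encryption_algorithms, in preference order
    macs: List[str]      # mac_algorithms, in preference order


def first_common(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """RFC 4253 rule: the first algorithm on the client's list that the server also supports."""
    server_set = set(server_list)
    for alg in client_list:
        if alg in server_set:
            return alg
    return None


def negotiate_simple(client: Prefs, server: Prefs) -> Tuple[str, Optional[str]]:
    """The 'simpler' rule: negotiate the cipher first; if it is AEAD, no MAC negotiation at all.

    This is where Niels's unrelated problem bites: a non-AEAD cipher wins on
    preference order, there is no common MAC, and the handshake fails even
    though both sides support an AEAD cipher that would have worked.
    """
    cipher = first_common(client.ciphers, server.ciphers)
    if cipher is None:
        raise NegotiationError("no common encryption algorithm")
    if cipher in AEAD_CIPHERS:
        return cipher, None                      # AEAD chosen -> MAC list ignored
    mac = first_common(client.macs, server.macs)
    if mac is None:
        raise NegotiationError("no common MAC for non-AEAD cipher %s" % cipher)
    return cipher, mac


def negotiate_filtered(client: Prefs, server: Prefs) -> Tuple[str, Optional[str]]:
    """Niels's 'third possibility': notice up front that only AEAD can work.

    If the MAC lists have nothing in common, drop every non-AEAD cipher from
    both lists before applying the RFC 4253 rule. Otherwise behave as above.
    """
    mac = first_common(client.macs, server.macs)
    client_ciphers, server_ciphers = client.ciphers, server.ciphers
    if mac is None:
        client_ciphers = [c for c in client.ciphers if c in AEAD_CIPHERS]
        server_ciphers = [c for c in server.ciphers if c in AEAD_CIPHERS]
    cipher = first_common(client_ciphers, server_ciphers)
    if cipher is None:
        raise NegotiationError("no usable encryption algorithm (no common MAC and no common AEAD)")
    return cipher, (None if cipher in AEAD_CIPHERS else mac)


def outcome(policy, client: Prefs, server: Prefs) -> Optional[Tuple[str, Optional[str]]]:
    """Run a policy and return its result, or None where the handshake would fail."""
    try:
        return policy(client, server)
    except NegotiationError:
        return None


# Constructed preference lists for the cases discussed in the thread (not real configs).
# Niels's case: non-AEAD cipher preferred, no common MAC, AEAD available on both sides.
NIELS_CLIENT = Prefs(ciphers=["aes128-cbc", "AEAD_AES_128_GCM"], macs=["hmac-sha1"])
NIELS_SERVER = Prefs(ciphers=["AEAD_AES_128_GCM", "aes128-cbc"], macs=["hmac-md5"])
# AEAD preferred by the client: the MAC lists are never consulted under either policy.
AEAD_FIRST_CLIENT = Prefs(ciphers=["AEAD_AES_128_GCM", "aes128-cbc"], macs=["hmac-sha1"])
# Ordinary case: non-AEAD cipher with a common MAC.
PLAIN_CLIENT = Prefs(ciphers=["aes128-cbc"], macs=["hmac-sha1"])
PLAIN_SERVER = Prefs(ciphers=["aes128-cbc"], macs=["hmac-sha1", "hmac-md5"])
# Hopeless case: no AEAD anywhere and no common MAC; both policies must fail.
NO_AEAD_CLIENT = Prefs(ciphers=["aes128-cbc"], macs=["hmac-sha1"])
NO_AEAD_SERVER = Prefs(ciphers=["aes128-cbc"], macs=["hmac-md5"])


if __name__ == "__main__":
    for name, c, s in [("Niels's case", NIELS_CLIENT, NIELS_SERVER),
                       ("AEAD first", AEAD_FIRST_CLIENT, NIELS_SERVER),
                       ("plain", PLAIN_CLIENT, PLAIN_SERVER),
                       ("no AEAD, no MAC", NO_AEAD_CLIENT, NO_AEAD_SERVER)]:
        print(name, "simple:", outcome(negotiate_simple, c, s),
              "filtered:", outcome(negotiate_filtered, c, s))
```

The point of the model is that both policies agree on every case except the one Niels found: with the simple rule the handshake fails as soon as a non-AEAD cipher wins on preference order, while the filtered rule succeeds by restricting the cipher lists to AEAD methods before the RFC 4253 selection runs.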