IETF-SSH archive


Re: KEX_OPTION (Re: applying AES-GCM to secure shell: proposed "tweak")



On Thu, Apr 16, 2009 at 02:13:42PM -0400, der Mouse wrote:
> >>>> IF a non-AEAD cipher is chosen AND there was no common MAC AND
> >>>> there was a common AEAD cipher THEN re-compute the cipher
> >>>> selection ignoring all non-AEAD ciphers.
> >> This rule interacts very badly with the implementation of any other
> >> encryption algorithm that similarly wants to ignore MACs, especially
> >> if it defines an analogous rule.
> > Surely such an encryption algorithm would be an AEAD algorithm,
> > therefore there is no such interaction (since the rule still
> > applies).
> 
> You truly believe that, for the entire lifetime of SSHv2, nobody will
> ever come up with another way to roll tamper-evident-ness in with
> encryption (or at least won't want to use such a thing with SSHv2)?
> 
> I find that...dubious, at best.

No, I'm saying that from where we stand such an algorithm would look
like any other AEAD algorithm.

> > Of course, Jeff's KEX_OPTION packet type needs negotiation too!
> 
> I don't see why.  Send it and let it get handled or rejected.

Hmmm, I have to re-read the spec.
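The selection rule quoted at the top of this message, worked through in code so the two readings can be compared. This is an added example, not code from any SSH implementation or from anyone in the thread. It assumes the plain RFC 4253 section 7.1 matching (the client's first preference that the server also lists) as the baseline, and its AEAD_CIPHERS set is a constructed table: the AEAD_AES_*_GCM names are the ones RFC 5647 registers, aes128-ctr comes from RFC 4344 and the hmac-* names from RFC 4253 and RFC 6668. Any future scheme that carries its own integrity protection would, as the reply above says, simply be another member of that set; the rule itself does not change.

```python
# Added example: SSH cipher/MAC negotiation with the proposed AEAD fallback.
# Not the code of any SSH implementation. The AEAD_CIPHERS table is this
# example's own; the algorithm names are the registered ones noted above.


class NegotiationFailure(Exception):
    """Raised where RFC 4253 says the two sides must disconnect."""


# Ciphers that provide their own integrity protection and therefore ignore
# whatever MAC was negotiated (constructed table for this example).
AEAD_CIPHERS = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first name in the client's preference
    order that also appears in the server's list, or None if none does."""
    server_set = set(server_list)
    for name in client_list:
        if name in server_set:
            return name
    return None


def select_cipher_and_mac(client_ciphers, server_ciphers,
                          client_macs, server_macs):
    """Return (cipher, mac); mac is None when the cipher is AEAD.

    Baseline: cipher and MAC are negotiated independently. The tweak from
    the thread applies only when that independent negotiation picked a
    non-AEAD cipher but found no common MAC: the cipher selection is then
    re-run over AEAD ciphers alone, so a connection that would otherwise
    fail can still succeed with integrity supplied by the cipher itself."""
    cipher = negotiate(client_ciphers, server_ciphers)
    if cipher is None:
        raise NegotiationFailure("no common encryption algorithm")
    if cipher in AEAD_CIPHERS:
        return cipher, None          # the MAC lists are irrelevant here
    mac = negotiate(client_macs, server_macs)
    if mac is not None:
        return cipher, mac           # ordinary RFC 4253 outcome
    # Proposed tweak: non-AEAD cipher chosen and no common MAC, so
    # re-compute the cipher selection ignoring all non-AEAD ciphers.
    aead_client = [c for c in client_ciphers if c in AEAD_CIPHERS]
    aead_server = [c for c in server_ciphers if c in AEAD_CIPHERS]
    cipher = negotiate(aead_client, aead_server)
    if cipher is None:
        raise NegotiationFailure("no common MAC and no common AEAD cipher")
    return cipher, None


def negotiation_fails(*args):
    """True if select_cipher_and_mac would disconnect for these proposals."""
    try:
        select_cipher_and_mac(*args)
    except NegotiationFailure:
        return True
    return False


if __name__ == "__main__":
    # Constructed proposals: the client prefers CTR, both sides offer GCM,
    # but their MAC lists have nothing in common.
    print(select_cipher_and_mac(
        ["aes128-ctr", "AEAD_AES_128_GCM"],
        ["AEAD_AES_128_GCM", "aes128-ctr"],
        ["hmac-sha1"], ["hmac-sha2-256"]))
```

Without the tweak the first case in the usage call would fail outright (non-AEAD cipher, no common MAC); with it the AEAD cipher is chosen. Where the two sides do share a MAC, the plain first-match result stands and the tweak never fires.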


