Re: Albrecht/Paterson/Watson's attack

To: mdb%juniper.net@localhost, nisse%lysator.liu.se@localhost
Subject: Re: Albrecht/Paterson/Watson's attack
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Tue, 06 May 2014 22:00:54 +1200

Niels MÃ¶ller <nisse%lysator.liu.se@localhost> writes:

>I think that would be good.

+1 (conflict-of-interest disclaimer: I'm the author of the TLS EtM draft). 

One thing that SSH would then need to do is to stop encrypting the header
(that is, the length information) so you can run the MAC over the packet
without having to pick apart bits of it via decryption first, which is what
helps the Paterson et al attack work.  The TLS draft explicitly tells
implementers to read the length, read that many bytes from the network, run
the MAC, and discard the packet immediately if the MAC fails to verify.  If
you still need to run crypto ops before you can verify the MAC you're not
actually doing EtM, or at least not getting the security benefits that it
provides.

Peter.

Follow-Ups:
- Re: Albrecht/Paterson/Watson's attack
  - From: Mouse
- Re: Albrecht/Paterson/Watson's attack
  - From: Simon Tatham

References:
- Re: Albrecht/Paterson/Watson's attack
  - From: Niels Möller

Prev by Date: Re: Albrecht/Paterson/Watson's attack
Next by Date: Re: Albrecht/Paterson/Watson's attack
Previous by Thread: Re: Albrecht/Paterson/Watson's attack
Next by Thread: Re: Albrecht/Paterson/Watson's attack
Indexes:

Home | Main Index | Thread Index | Old Index