IETF-SSH archive


Re: Albrecht/Paterson/Watson's attack



Niels Möller <nisse%lysator.liu.se@localhost> writes:

>I think that would be good.

+1 (conflict-of-interest disclaimer: I'm the author of the TLS EtM draft).

One thing that SSH would then need to do is to stop encrypting the header
(that is, the length information) so you can run the MAC over the packet
without having to pick apart bits of it via decryption first, which is what
helps the Paterson et al. attack work.  The TLS draft explicitly tells
implementers to read the length, read that many bytes from the network, run
the MAC, and discard the packet immediately if the MAC fails to verify.  If
you still need to run crypto ops before you can verify the MAC you're not
actually doing EtM, or at least not getting the security benefits that it
provides.

Peter.
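The receive procedure described in the message above (read the cleartext length, read exactly that many bytes plus the tag, verify the MAC, and only then run the cipher), as an added example that is not code from the message, from the TLS EtM draft, or from any SSH implementation. The packet layout (4-byte big-endian length || ciphertext || HMAC-SHA256 tag), the SHA-256 counter-mode toy cipher, the MAX_PAYLOAD cap and the test keys are all assumptions made for this illustration; the MAC covers the sequence number, the length field and the ciphertext, so it can be checked without any decryption, and a counter records that the cipher is never invoked for a packet that fails verification.

```python
"""Encrypt-then-MAC receive path with a cleartext length field (added example).

The layout, the toy cipher and the size cap are assumptions for illustration;
this is not SSH's real wire format.
"""
import hashlib
import hmac
import io
import struct

TAG_LEN = 32               # HMAC-SHA256 output
MAX_PAYLOAD = 256 * 1024   # assumed cap so a bogus length cannot force a huge read

decrypt_calls = 0          # how many times the receive path has invoked the cipher


def toy_keystream(key: bytes, seqno: int, n: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (toy, not for real use)."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">QQ", seqno, block)).digest()
        block += 1
    return bytes(out[:n])


def encrypt(key_enc: bytes, seqno: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key_enc, seqno, len(data))))


def decrypt(key_enc: bytes, seqno: int, data: bytes) -> bytes:
    global decrypt_calls
    decrypt_calls += 1
    return encrypt(key_enc, seqno, data)   # XOR keystream: same operation both ways


def mac(key_mac: bytes, seqno: int, header: bytes, ciphertext: bytes) -> bytes:
    """Tag over sequence number, cleartext length and ciphertext: verifiable before decrypting."""
    return hmac.new(key_mac, struct.pack(">I", seqno) + header + ciphertext, hashlib.sha256).digest()


def seal(key_enc: bytes, key_mac: bytes, seqno: int, plaintext: bytes) -> bytes:
    ciphertext = encrypt(key_enc, seqno, plaintext)
    header = struct.pack(">I", len(ciphertext))           # length stays in the clear
    return header + ciphertext + mac(key_mac, seqno, header, ciphertext)


def read_exact(stream, n: int) -> bytes:
    buf = stream.read(n)
    if len(buf) != n:
        raise ValueError("truncated packet")
    return buf


def receive(key_enc: bytes, key_mac: bytes, seqno: int, stream) -> bytes:
    header = read_exact(stream, 4)
    (length,) = struct.unpack(">I", header)
    if length > MAX_PAYLOAD:
        raise ValueError("length exceeds limit")          # bound the read before trusting it
    ciphertext = read_exact(stream, length)
    tag = read_exact(stream, TAG_LEN)
    expected = mac(key_mac, seqno, header, ciphertext)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC failure")                   # discard; the cipher was never run
    return decrypt(key_enc, seqno, ciphertext)            # the only cipher op on the receive path


def roundtrip(key_enc: bytes, key_mac: bytes, seqno: int, plaintext: bytes) -> bytes:
    """Seal a packet and feed it back through receive() from an in-memory stream."""
    return receive(key_enc, key_mac, seqno, io.BytesIO(seal(key_enc, key_mac, seqno, plaintext)))


def check_tamper(key_enc, key_mac, seqno, wire, offset):
    """Flip one bit at `offset`, feed the result to receive(), report (error, cipher invocations)."""
    bad = bytearray(wire)
    bad[offset] ^= 0x01
    before = decrypt_calls
    try:
        receive(key_enc, key_mac, seqno, io.BytesIO(bytes(bad)))
        err = None
    except ValueError as e:
        err = str(e)
    return err, decrypt_calls - before


if __name__ == "__main__":
    k_enc, k_mac = b"E" * 32, b"M" * 32                    # constructed test keys
    wire = seal(k_enc, k_mac, 7, b"constructed 24-byte text")
    print(receive(k_enc, k_mac, 7, io.BytesIO(wire)))
    print(check_tamper(k_enc, k_mac, 7, wire, 4))          # ciphertext bit flipped
    print(check_tamper(k_enc, k_mac, 7, wire, 3))          # length field flipped
```

Flipping a ciphertext or tag bit is rejected as a MAC failure; flipping the length field makes the receiver read a different number of bytes, so the packet is rejected either as truncated or as a MAC failure. In every failing case the cipher invocation count stays at zero, which is the property the message is asking for: no decryption happens before the MAC has been verified. The MAX_PAYLOAD check is there because the length, although covered by the MAC, must be read and acted on before the tag can be checked, so a receiver still needs a cap to avoid buffering an attacker-chosen amount of data.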


