IETF-SSH archive


Re: New version of rsa-sha2-256 draft: Back to PKCS#1 v1.5



Alright - I have enabled CBC mode algorithms to make testing easier.

We default to CTR mode only now, given that OpenSSH disabled CBC last year, and our customers want to follow external recommendations, which are to disable CBC.

Our implementation actually implements a defense for the CBC problem - but that only works for incoming data, not outgoing. And folks who still only have CBC probably do not implement a defense...


----- Original Message -----
From: Peter Gutmann
Sent: Thursday, November 12, 2015 09:51
To: denis bider ; ietf-ssh%netbsd.org@localhost
Cc: djm%mindrot.org@localhost ; terrafrost%gmail.com@localhost ; thierry.moreau%connotech.com@localhost
Subject: RE: New version of rsa-sha2-256 draft: Back to PKCS#1 v1.5

denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>I have posted a new version of the draft, which switches back to PKCS#1 v1.5:

Phew, thanks, that makes things much easier to deal with.

>I have also updated the experimental server so it implements the latest draft
>version (with PKCS#1 v1.5):
>
>experiment.bitvise.com:10712
>
>To test host authentication, set the list of host key algorithms in your
>KEXINIT to "rsa-sha2-256" or "rsa-sha2-512". You will need at least one of
>these for successful key exchange - the server doesn't offer anything else.

It also only provides CTR modes, but none of the modes listed in RFC 4253:

  Attempt to activate SSH client session failed with error code -20, line 1129.
  Error message =
  'No algorithm compatible with the remote system's selection was found:
   'aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr''.

I do the REQUIRED and RECOMMENDED's from the original SSHv2 spec, RFC 4253,
but not the 4344 ones yet.

(Yeah, I know, I should probably add them, but given that CTR mode makes it
possible for an attacker to trivially set the plaintext to any value they
want, I've never really been convinced that the cure isn't worse than the
problem).

Peter.
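The failure Peter's client reports ("No algorithm compatible with the remote system's selection was found") is the outcome of the RFC 4253 section 7.1 name-list rule: each side sends a comma-separated, preference-ordered list in KEXINIT, and the chosen algorithm is the first entry on the client's list that the server also lists. The following is an added example, not code from the thread or from either implementation; the server name-lists mirror the ones quoted above, the client name-lists are constructed, and the category names are the KEXINIT field names from RFC 4253. It applies the same rule to both the cipher and the host-key-algorithm lists, which is enough to show why a client offering only the RFC 4253 CBC ciphers and ssh-rsa cannot connect to a server offering only CTR ciphers and rsa-sha2-*.

```python
from typing import Dict, Optional, Tuple

# Constructed KEXINIT fragments for the demonstration. The server's two lists are
# the ones the thread describes (CTR ciphers only; rsa-sha2-256/512 only).
SERVER = {
    "server_host_key_algorithms": "rsa-sha2-256,rsa-sha2-512",
    "encryption_algorithms_client_to_server": "aes256-ctr,aes192-ctr,aes128-ctr,3des-ctr",
}
# A client that implements only the RFC 4253 REQUIRED/RECOMMENDED ciphers and
# the original host key algorithms (constructed, modelled on Peter's description).
CLIENT_RFC4253_ONLY = {
    "server_host_key_algorithms": "ssh-rsa,ssh-dss",
    "encryption_algorithms_client_to_server": "3des-cbc,aes128-cbc,aes256-cbc",
}
# The same client after adding the RFC 4344 CTR ciphers and the draft's
# rsa-sha2-256 host key algorithm (constructed).
CLIENT_UPDATED = {
    "server_host_key_algorithms": "rsa-sha2-256,ssh-rsa",
    "encryption_algorithms_client_to_server": "aes128-ctr,aes128-cbc",
}


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: pick the first name in the client's preference-ordered
    name-list that the server also supports. None means negotiation fails."""
    server = {name for name in server_list.split(",") if name}
    for name in client_list.split(","):
        if name and name in server:
            return name
    return None


def negotiate_kexinit(client: Dict[str, str],
                      server: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Apply the rule to every category the client sent. Returns the chosen
    algorithm per category and, separately, the categories with no common
    algorithm together with what the server offered (the information a client
    error message should carry)."""
    chosen: Dict[str, str] = {}
    failed: Dict[str, str] = {}
    for category, client_list in client.items():
        server_list = server.get(category, "")
        alg = negotiate(client_list, server_list)
        if alg is None:
            failed[category] = server_list
        else:
            chosen[category] = alg
    return chosen, failed


if __name__ == "__main__":
    for label, client in (("RFC 4253-only client", CLIENT_RFC4253_ONLY),
                          ("updated client", CLIENT_UPDATED)):
        chosen, failed = negotiate_kexinit(client, SERVER)
        print(label, "chosen:", chosen)
        for category, offered in failed.items():
            print(f"  no algorithm compatible with the remote system's selection "
                  f"for {category}: '{offered}'")
```

Note that preference belongs to the client: with `negotiate("aes128-cbc,aes128-ctr", "aes128-ctr,aes128-cbc")` the result is `aes128-cbc` even though the server lists CTR first, so a server that wants to exclude CBC (as the experimental server does) has to drop it from its own list rather than rely on ordering.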
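Peter's parenthetical about CTR mode refers to its malleability: because CTR is a keystream XOR, flipping a ciphertext bit flips the same plaintext bit, so the confidentiality of CTR alone says nothing about integrity. In SSH that property is contained by the packet MAC, which is why the MAC (and, in the encrypt-then-MAC variants, verifying it before decrypting) matters more with CTR than the cipher choice itself. The following is an added example and not code from the thread or from any SSH implementation; it uses HMAC-SHA256 as a stand-in PRF for the block cipher so it runs with the standard library only, and the keys, nonce and message are constructed values. It shows the predictable effect of a ciphertext bit flip on raw CTR output, and that an encrypt-then-MAC packet check rejects the modified packet before any plaintext is produced.

```python
import hashlib
import hmac

# Constructed key material for the demonstration; a real SSH session derives these
# from the key exchange shared secret and advances the CTR counter across packets.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE = b"\x00" * 8
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream from a PRF. HMAC-SHA256(key, nonce || counter) stands in for
    the block cipher; the malleability shown below holds for any CTR keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """XOR one byte with a mask, standing in for in-transit modification."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def seal(seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC packet: the tag covers the sequence number and ciphertext."""
    ct = ctr_xor(ENC_KEY, NONCE, plaintext)
    tag = hmac.new(MAC_KEY, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def open_packet(seq: int, packet: bytes) -> bytes:
    """Verify the tag in constant time first; decrypt only a packet that passes."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: packet modified in transit")
    return ctr_xor(ENC_KEY, NONCE, ct)


def demo_malleability() -> tuple:
    """Raw CTR with no MAC: the flipped ciphertext byte decrypts to a predictable
    plaintext byte. Byte 7 of the message is '1' (0x31); XOR with 0x08 yields '9'."""
    msg = b"amount=100"
    ct = ctr_xor(ENC_KEY, NONCE, msg)
    modified = flip_byte(ct, 7, 0x08)
    return ctr_xor(ENC_KEY, NONCE, ct), ctr_xor(ENC_KEY, NONCE, modified)


def demo_detection() -> tuple:
    """With the MAC in place the same modification is rejected before decryption.
    Returns (genuine_packet_accepted, modified_packet_rejected)."""
    packet = seal(1, b"amount=100")
    genuine_ok = open_packet(1, packet) == b"amount=100"
    try:
        open_packet(1, flip_byte(packet, 7, 0x08))
        rejected = False
    except ValueError:
        rejected = True
    return genuine_ok, rejected


if __name__ == "__main__":
    print("raw CTR, original vs. modified:", demo_malleability())
    print("encrypt-then-MAC, (accepted, rejected):", demo_detection())
```

The defence-side point is the order of operations in `open_packet`: the tag is checked over the ciphertext and sequence number before any decryption happens, so a modified packet never yields plaintext that later processing could act on, and the sequence number in the MAC input stops a valid packet from being replayed at a different position.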


