IETF-SSH archive


RE: New version of rsa-sha2-256 draft: Back to PKCS#1 v1.5



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>We default to CTR mode only now, given that OpenSSH disabled CBC last year,
>and our customers want to follow external recommendations, which are to
>disable CBC.

I've never used CTR for the reason I mentioned earlier: it may be worse than
the problem it's meant to be fixing.  If you look at Wei Dai's attack, it's
pretty difficult to actually carry out; it's a chosen-plaintext attack that
assumes an attacker controls the plaintext, and requires that they wait around
observing a huge number of packets to get a collision on the bits they don't
control.  Yeah, it's a theoretical weakness, but not one I'm losing much sleep
over.

OTOH CTR mode, which is a keystream generator (KSG), gives the attacker
complete control over the decrypted plaintext.  Because of SSH's unfortunate
choice of MAC-then-encrypt, the victim has to act on attacker-controlled
metadata in order to verify the MAC and discover that the data was in fact
manipulated.  Try the same thing in CBC mode and you'll just end up garbling
the block.

So my staying with CBC isn't laziness; it's because I consider the practical
(not theoretical, I mean CTR even has a security proof) risks of CBC to be
lower than CTR.

Peter.

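A worked illustration of the CTR-versus-CBC malleability point in the message above, added here as an example; it is not part of Peter's post and not code from any SSH implementation. The packet layout follows RFC 4253 section 6 (uint32 packet_length, byte padding_length, payload, padding). Everything else is an assumption of the example: the block cipher is a small Feistel network standing in for AES so that the code runs without a crypto library (the mode-level behaviour is what matters, not the cipher), and the key, IV, nonce, payload and target length are constructed demo values. The attacker flips ciphertext bits to change the packet_length field, which the receiver must decrypt and act on before it can check the MAC.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # block size in bytes, as for AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in block cipher (an assumption of this example: NOT AES, not secure):
# a 4-round Feistel network with an HMAC-SHA256 round function. All the
# demonstration needs is a keyed, invertible permutation on 16-byte blocks.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def ctr_crypt(key: bytes, nonce8: bytes, data: bytes) -> bytes:
    """CTR: data XOR E(nonce || counter). The same call encrypts and decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), BLOCK)):
        ks = block_encrypt(key, nonce8 + struct.pack(">Q", i))
        out += xor(data[off:off + BLOCK], ks)
    return bytes(out)

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, bytearray()
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[off:off + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, bytearray()
    for off in range(0, len(data), BLOCK):
        c = data[off:off + BLOCK]
        out += xor(block_decrypt(key, c), prev)
        prev = c
    return bytes(out)


def build_packet(payload: bytes) -> bytes:
    """SSH binary packet (RFC 4253 s.6): uint32 packet_length, byte padding_length,
    payload, padding (at least 4 bytes, total a multiple of the block size)."""
    pad = BLOCK - ((5 + len(payload)) % BLOCK)
    if pad < 4:
        pad += BLOCK
    body = bytes([pad]) + payload + b"\x00" * pad   # zero padding is fine for a demo
    return struct.pack(">I", len(body)) + body

def tamper_length(ct: bytes, orig_len: int, new_len: int) -> bytes:
    """Attacker on the wire: XOR (orig_len ^ new_len) into ciphertext bytes 0..3.
    No key is needed, only a guess at the original packet_length."""
    delta = xor(struct.pack(">I", orig_len), struct.pack(">I", new_len))
    return xor(ct[:4], delta) + ct[4:]


# Constructed demo material (not real SSH session keys).
KEY = b"constructed-demo-key-not-secret!"
IV = b"constructed-iv!!"
NONCE = b"ctrnonce"
PAYLOAD = b"\x5e" + b"A" * 22      # SSH_MSG_CHANNEL_DATA (94) plus filler
TARGET_LEN = 0x7FFFFFF0            # what the attacker wants the receiver to see


def ctr_attack():
    """Returns (packet_length the receiver decrypts, whether the rest is intact)."""
    pkt = build_packet(PAYLOAD)
    ct = ctr_crypt(KEY, NONCE, pkt)
    forged = tamper_length(ct, len(pkt) - 4, TARGET_LEN)
    pt = ctr_crypt(KEY, NONCE, forged)
    return struct.unpack(">I", pt[:4])[0], pt[4:] == pkt[4:]

def cbc_attack():
    """Returns (packet_length the receiver decrypts, delta landed in block 2,
    rest of block 2 intact). Block 1 decrypts to garbage, not to TARGET_LEN."""
    pkt = build_packet(PAYLOAD)
    ct = cbc_encrypt(KEY, IV, pkt)
    forged = tamper_length(ct, len(pkt) - 4, TARGET_LEN)
    pt = cbc_decrypt(KEY, IV, forged)
    delta = xor(struct.pack(">I", len(pkt) - 4), struct.pack(">I", TARGET_LEN))
    seen_len = struct.unpack(">I", pt[:4])[0]
    return (seen_len,
            pt[BLOCK:BLOCK + 4] == xor(pkt[BLOCK:BLOCK + 4], delta),
            pt[BLOCK + 4:] == pkt[BLOCK + 4:])


if __name__ == "__main__":
    print("CTR: receiver sees packet_length 0x%08x, rest intact: %s" % ctr_attack())
    print("CBC: receiver sees packet_length 0x%08x (garbled), delta in block 2: %s, "
          "rest of block 2 intact: %s" % cbc_attack())
```

Under CTR the receiver decrypts exactly the attacker's chosen packet_length with every other byte untouched, so it will go on to read that many bytes before it ever reaches the MAC; that is the attacker-controlled metadata the message refers to. Under CBC the same ciphertext change turns the whole first plaintext block into unpredictable garbage and only shifts the XOR difference into the corresponding bytes of the next block, so the attacker cannot pick the length the receiver acts on.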
