IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
RE: New version of rsa-sha2-256 draft: Back to PKCS#1 v1.5
denis bider <ietf-ssh3%denisbider.com@localhost> writes:
>We default to CTR mode only now, given that OpenSSH disabled CBC last year,
>and our customers want to follow external recommendations, which are to
>disable CBC.
I've never used CTR for the reason I mentioned earlier, it may be worse than
the problem it's meant to be fixing. If you look at Wei Dai's attack, it's
pretty difficult to actually carry out, it's a chosen-plaintext attack that
assumes an attacker controls the plaintext, and requires that they wait around
observing a huge number of packets to get a collision on the bits they don't
control. Yeah, it's a theoretical weakness, but not one I'm losing much sleep
over.
OTOH CTR mode, which is a keystream generator (KSG), gives the attacker
complete control over the decrypted plaintext. Because of SSH's unfortunate
choice of MAC-then-encrypt, the victim has to act on attacker-controlled
metadata in order to verify the MAC and discover that the data was in fact
manipulated. Try the same thing in CBC mode and you'll just end up garbling
the block.
So my staying with CBC isn't laziness, it's because I consider the practical
(not theoretical, I mean CTR even has a security proof) risks of CBC to be
lower than CTR.
Peter.
Home |
Main Index |
Thread Index |
Old Index