Re: AEAD in ssh

To: NielsMöller <nisse%lysator.liu.se@localhost>, "Mark D. Baushke" <mdb%juniper.net@localhost>
Subject: Re: AEAD in ssh
From: denis bider <ietf-ssh3%denisbider.com@localhost>
Date: Wed, 3 Feb 2016 00:30:10 +0000

I agree with Niels and Mark.

I have recently implemented AES-GCM, and I find the choice of unencrypted length fields dubious. It negates any means of obfuscating the lengths of some packets using SSH_MSG_IGNORE.

The alternative - to encrypt packet lengths using a parallel construction - seems much preferable.

----- Original Message -----
From: Mark D. Baushke
Sent: Tuesday, February 2, 2016 01:20
To: NielsMöller
Cc: denis bider ; Stephen Farrell ; ietf-ssh%NetBSD.org@localhost ; Watson Ladd ; Daniel Migault ; Curdle Chairs
Subject: Re: AEAD in ssh

Hi Niels & denis,

> 1. How to negotiate use of AEAD.

Rather than "n/a" as the atom, why not "AEAD" or "aead" so we are clear
about the intent? That said, I am fine with ignoring the Mac if the
'Cipher' is an AEAD like the OpenSSH folks do if that is helpful.

Technically, aren't both AES-GCM and ChaCha20-Poly1305 considered to be
Authenticated Encryption with Associated Data (AEAD) rather than being
either a Mac or a Cipher directly?

> 3. If and how to encrypt the length field.

+1 on encrypting the length field.

fwiw: I agree on the overall direction you have written.

-- Mark

Follow-Ups:
- RE: AEAD in ssh
  - From: Peter Gutmann

Prev by Date: Re: AEAD in ssh
Next by Date: RE: AEAD in ssh
Previous by Thread: Re: suggestion for new ssh maintenance wg
Next by Thread: RE: AEAD in ssh
Indexes:

Home | Main Index | Thread Index | Old Index