IETF-SSH archive


Re: AEAD in ssh



I agree with Niels and Mark.

I have recently implemented AES-GCM, and I find the choice of unencrypted length fields dubious. It negates any means of obfuscating the lengths of some packets using SSH_MSG_IGNORE.

The alternative - to encrypt packet lengths using a parallel construction - seems much preferable.


----- Original Message -----
From: Mark D. Baushke
Sent: Tuesday, February 2, 2016 01:20
To: Niels Möller
Cc: denis bider ; Stephen Farrell ; ietf-ssh%NetBSD.org@localhost ; Watson Ladd ; Daniel Migault ; Curdle Chairs
Subject: Re: AEAD in ssh

Hi Niels & denis,

> 1. How to negotiate use of AEAD.

Rather than "n/a" as the atom, why not "AEAD" or "aead" so we are clear
about the intent? That said, I am fine with ignoring the Mac if the
'Cipher' is an AEAD like the OpenSSH folks do if that is helpful.

Technically, aren't both AES-GCM and ChaCha20-Poly1305 considered to be
Authenticated Encryption with Associated Data (AEAD) rather than being
either a Mac or a Cipher directly?

> 3. If and how to encrypt the length field.

+1 on encrypting the length field.

fwiw: I agree on the overall direction you have written.

-- Mark
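An added example, not code from anyone on this thread, showing the two framings denis and Mark are comparing: the RFC 5647 layout, where the packet length is sent in the clear and only authenticated as additional data, beside the "parallel construction" in which a separately keyed cipher instance (AES-CTR here, standing in for the second ChaCha20 instance OpenSSH's chacha20-poly1305 uses) encrypts the 4-byte length and the AEAD then authenticates the encrypted length. The keys and payload are constructed, and the function names and sequence-number IV layout are this example's own assumptions, not anything the RFCs or OpenSSH specify for this combination.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

var payloadKey = []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 AEAD key (real SSH: from the KEX secret)
var lengthKey = []byte("fedcba9876543210fedcba9876543210")  // constructed, independent key for the length cipher

// seqIV: 16-byte IV carrying the 64-bit packet sequence number; GCM uses its last 12 bytes (RFC 5647 style).
func seqIV(seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}
// maskLength XORs the 4-byte length with keystream from a separate AES-CTR instance (the "parallel
// construction" of the thread); a second call with the same seq decrypts it again.
func maskLength(hdr []byte, seq uint64) {
	block, _ := aes.NewCipher(lengthKey) // fixed 32-byte demo key, cannot fail
	cipher.NewCTR(block, seqIV(seq)).XORKeyStream(hdr, hdr)
}
// Seal frames one packet. encryptLength=false is the RFC 5647 layout: length in the clear,
// authenticated only as AAD. true is the alternative: the AEAD authenticates the *encrypted* length.
func Seal(seq uint64, payload []byte, encryptLength bool) []byte {
	block, _ := aes.NewCipher(payloadKey) // fixed 32-byte demo key, cannot fail
	aead, _ := cipher.NewGCM(block)
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(payload)))
	if encryptLength {
		maskLength(hdr, seq)
	}
	return aead.Seal(append([]byte{}, hdr...), seqIV(seq)[4:], payload, hdr)
}
// Open is the receiver side: the length is unauthenticated until the tag is checked, so it is bounds-checked first.
func Open(seq uint64, frame []byte, encryptLength bool) ([]byte, error) {
	block, _ := aes.NewCipher(payloadKey)
	aead, _ := cipher.NewGCM(block)
	var hdr [4]byte
	copy(hdr[:], frame) // a frame shorter than 4 bytes leaves zeros and fails the bounds check below
	if encryptLength {
		maskLength(hdr[:], seq)
	}
	n := int(binary.BigEndian.Uint32(hdr[:]))
	if end := 4 + n + aead.Overhead(); n < 0 || end > len(frame) {
		return nil, fmt.Errorf("length %d does not fit in a %d-byte frame", n, len(frame))
	}
	return aead.Open(nil, seqIV(seq)[4:], frame[4:4+n+aead.Overhead()], frame[:4])
}
// WireLength is what a passive observer reads from the first four bytes of any frame.
func WireLength(frame []byte) uint32 { return binary.BigEndian.Uint32(frame[:4]) }
func main() { // constructed payload; prints the length visible on the wire under each framing
	msg := []byte("SSH_MSG_IGNORE filler")
	fmt.Println(WireLength(Seal(7, msg, false)), WireLength(Seal(7, msg, true)))
}
```

With the RFC 5647 layout the first call prints the true payload size of every packet, SSH_MSG_IGNORE included, which is exactly the leak denis objects to; with the encrypted length an observer sees only a masked value, and the receiver still rejects a tampered or replayed length before acting on it.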


