IETF-SSH archive


Re: AEAD in ssh



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

> I think lengths in AEAD
> should just be encrypted with the same underlying block cipher in CTR
> mode. No AEAD instance required.

What do you think of the way it is specified in the draft, which is
well defined for an arbitrary AEAD, but boils down to plain CTR mode for
typical AEAD block cipher modes, and to plain chacha encryption for
chacha-poly1305?

I think it is elegant, but it's not the only way of course. The closest
alternative would be to use a separately keyed cipher (i.e., a larger
output from session key generation) and leave it to the particular AEAD to
specify the cipher and how to use it.

Thinking aloud, I think the drawback of doing that is that it leaves
several arbitrary choices open, e.g., should lengths conceptually be
packed back to back into a stream to be encrypted four bytes at a time
(with AES-CTR, using the same block for four messages, and 16 messages
for chacha), or should we use one underlying "block" per message? I
would prefer consistency, and I don't see any drawback in trying to nail
these things down.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
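To make the "separately keyed cipher, one underlying block per message" alternative concrete, here is an added example (not code from the draft, the thread, or any SSH implementation) of the length-encryption construction OpenSSH uses for chacha20-poly1305@openssh.com: a 64-byte session key is split into K_len (length) and K_main (body), the 4-byte packet length is encrypted with ChaCha20 under K_len with block counter 0 and the packet sequence number as nonce, the body is encrypted under K_main from counter 1, and Poly1305 (keyed from K_main, counter 0) authenticates encrypted length plus encrypted body. The key bytes, packet bodies and the 256 KiB length bound used as a sanity check are constructed for this illustration; the ChaCha20 core follows the RFC 8439 state layout, with OpenSSH's 8-byte big-endian sequence-number nonce mapped onto it as four zero bytes followed by the sequence number.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5


def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439: 32-bit counter, 96-bit nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8I", key))
    state.append(counter & MASK32)
    state += list(struct.unpack("<3I", nonce))
    work = list(state)
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(work, state)])


def chacha20_xor(key, counter, nonce, data):
    """XOR data with the ChaCha20 keystream starting at the given block counter."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305_tag(key, msg):
    """Poly1305 one-time MAC (RFC 8439): key = r (clamped) || s, 32 bytes."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _nonce(seqnr):
    # OpenSSH uses the 64-bit big-endian packet sequence number as the nonce with a
    # 64-bit block counter; with the RFC 8439 layout (32-bit counter) that is the
    # same state as a 12-byte nonce of four zero bytes followed by the sequence number.
    return b"\x00" * 4 + struct.pack(">Q", seqnr)


def seal_packet(k_len, k_main, seqnr, body):
    """Encrypt one SSH binary packet: enc(length) || enc(body) || tag."""
    nonce = _nonce(seqnr)
    # Length: its own key, counter 0, one full 64-byte keystream block per packet of
    # which only 4 bytes are used (the "one underlying block per message" choice).
    enc_len = chacha20_xor(k_len, 0, nonce, struct.pack(">I", len(body)))
    poly_key = chacha20_block(k_main, 0, nonce)[:32]   # block 0 of K_main keys Poly1305
    ct = chacha20_xor(k_main, 1, nonce, body)          # body keystream starts at block 1
    tag = poly1305_tag(poly_key, enc_len + ct)         # tag covers both ciphertexts
    return enc_len + ct + tag


def peek_length(k_len, seqnr, enc_len):
    """What the receiver does first: decrypt the length to learn how much to read."""
    return struct.unpack(">I", chacha20_xor(k_len, 0, _nonce(seqnr), enc_len))[0]


def open_packet(k_len, k_main, seqnr, wire, max_len=256 * 1024):
    """Decrypt and verify; the length is trusted only up to a bound until the tag checks."""
    nonce = _nonce(seqnr)
    length = peek_length(k_len, seqnr, wire[:4])
    # The decrypted length is not yet authenticated: bound it (256 KiB is an assumed
    # limit here) before using it to size a read, and only then verify the tag.
    if length > max_len or len(wire) != 4 + length + 16:
        raise ValueError("bad packet length")
    enc_len, ct, tag = wire[:4], wire[4:4 + length], wire[4 + length:]
    poly_key = chacha20_block(k_main, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305_tag(poly_key, enc_len + ct), tag):
        raise ValueError("authentication failed")
    return chacha20_xor(k_main, 1, nonce, ct)


# Constructed 64-byte session key, split as OpenSSH does: first half for the body
# (K_main), second half for the length (K_len). Real keys come from the KEX.
SESSION_KEY = bytes(range(64))
K_MAIN, K_LEN = SESSION_KEY[:32], SESSION_KEY[32:]

if __name__ == "__main__":
    body = b"\x04SSH_MSG_IGNORE demo\x00\x00\x00\x00"  # constructed packet body
    wire = seal_packet(K_LEN, K_MAIN, 7, body)
    print(peek_length(K_LEN, 7, wire[:4]), open_packet(K_LEN, K_MAIN, 7, wire) == body)
```

Because the length is decrypted before the tag is checked, the receiver learns nothing about whether the 4 bytes were tampered with until the whole packet has been read; the bound on `max_len` is what keeps a garbled length from turning into an unbounded read, and the tag failure is what finally rejects the packet.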


