[86707] in cryptography@c2.net mail archive
Re: More info in my AES128-CBC question
daemon@ATHENA.MIT.EDU (Leichter, Jerry)
Fri Apr 27 22:19:22 2007
Date: Fri, 27 Apr 2007 17:42:41 -0400 (EDT)
From: "Leichter, Jerry" <leichter_jerrold@emc.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
cc: Hagai Bar-El <info@hbarel.com>, Aram Perez <aramperez@mac.com>,
Cryptography <cryptography@metzdowd.com>
In-Reply-To: <20070427213021.GP21027@Sun.COM>
| > What the RFC seems to be suggesting is that the first block of every
| > message be SSH_MSG_IGNORE. Since the first block in any message is now
| > fixed, there's no way for the attacker to choose it. Since the attacker
|
| SSH_MSG_IGNORE messages carry [random] data.
|
| Effectively what the RFC is calling for is a confounder.
No, not really, for any reasonable interpretation I can make of
that term. You can send a message that consists of enough 0 bytes
to be sure that the entire first block is fixed, and you've gotten
all the security you can get against the attack in question. (If
you're using SSH_MSG_IGNORE to protect against traffic analysis, you
might want to do something different - but that's a completely
distinct attack and the security considerations are entirely
different.)
-- Jerry
| Nico
| --
|
|
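The attack and countermeasure the thread is arguing about, as an added worked example (not code from the thread, the RFC, or any SSH implementation). CBC with a chained IV (the next message's IV is the last ciphertext block of the previous one) lets an attacker who can get one block of chosen plaintext sent through the tunnel confirm a guess for any earlier plaintext block. Prepending a sender-controlled block fixes that, and the example uses a constant zero-filled block to make Jerry's point that the block only has to be fixed, not random. Assumptions: the block cipher is a 4-round Feistel network over HMAC-SHA256, a standard-library stand-in for AES (the attack only needs a deterministic keyed permutation); the prefix is simplified to occupy one whole block, whereas a real SSH packet has length, padding-length and type fields ahead of the payload, which is why the message above says "enough 0 bytes"; key, IV and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Toy 128-bit block cipher: 4-round Feistel with HMAC-SHA256 as the round
    function. Stand-in for AES so the example runs on the standard library; a
    Feistel network is a permutation whatever the round function, which is all
    the attack relies on."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:BLOCK // 2]
        left, right = right, _xor(left, f)
    return left + right


class ChainedCBC:
    """CBC encryption where each message's IV is the last ciphertext block of
    the previous message, as in the SSH transport layer. If `fixed_prefix` is
    given, that block is prepended to every message before encryption; a
    zero-filled block models the SSH_MSG_IGNORE prefix discussed above
    (simplified: here the prefix fills the whole first block)."""

    def __init__(self, key, iv, fixed_prefix=None):
        self.key = key
        self.next_iv = iv
        self.fixed_prefix = fixed_prefix
        self.ciphertext_blocks = []  # the wire: everything here is visible to the attacker

    def send(self, plaintext):
        assert len(plaintext) % BLOCK == 0
        if self.fixed_prefix is not None:
            plaintext = self.fixed_prefix + plaintext
        prev, out = self.next_iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = encrypt_block(self.key, _xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.next_iv = prev  # chained IV: the next IV is already on the wire
        self.ciphertext_blocks.extend(out)
        return out


def confirm_guess(stream, target, guess):
    """Attacker test: does ciphertext block `target` (index >= 1 into the
    stream, so its CBC predecessor is on the wire) encrypt `guess`?
    The attacker reads the upcoming IV off the wire and gets one message of
    chosen plaintext sent through the tunnel. Returns True if the guess is
    confirmed by the ciphertext that comes back."""
    blocks = stream.ciphertext_blocks
    c_target, c_before = blocks[target], blocks[target - 1]
    iv = stream.next_iv
    # E(chosen XOR iv) == E(guess XOR c_before) == c_target  iff  guess == P_target
    chosen = _xor(_xor(guess, c_before), iv)
    sent = stream.send(chosen)
    return c_target in sent


def run_demo():
    """Constructed demo: one victim message, then the attacker's probes."""
    key = hashlib.sha256(b"constructed demo key").digest()
    iv = hashlib.sha256(b"constructed initial IV").digest()[:BLOCK]
    secret = b"password=hunter2"           # 16 bytes, constructed
    victim = b"USERAUTH_REQUEST" + secret  # two blocks, constructed
    results = {}

    # No countermeasure: the attacker chooses the first block and confirms the guess.
    bare = ChainedCBC(key, iv)
    bare.send(victim)
    results["unprotected_right"] = confirm_guess(bare, 1, secret)
    results["unprotected_wrong"] = confirm_guess(bare, 1, b"password=letmein")

    # Fixed zero block in front of every message: the attacker's data now lands
    # in the second block, behind E(0 XOR iv), which the attacker cannot predict
    # when crafting the probe, so the comparison carries no information.
    fixed = ChainedCBC(key, iv, fixed_prefix=bytes(BLOCK))
    fixed.send(victim)                     # wire: [prefix, header, secret]
    results["fixed_prefix_right"] = confirm_guess(fixed, 2, secret)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The prefix block is all zeros on purpose: what defeats the attack is that the attacker no longer chooses the block XORed with the known IV, so the block it does control is chained behind a ciphertext value it cannot compute in advance. Filling the prefix with random bytes instead (a confounder) would also work, but the randomness adds nothing against this particular attack; it only matters if SSH_MSG_IGNORE is also being used against traffic analysis, which the message above treats as a separate problem.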
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com