On 18/06/15 19:25, Gerhard Wiesinger wrote:
> aes128-ctr + hmac-sha256 doesn't have any known vulnerability and
> encrypts the packet length, but uses the bad practice of e&m.
> chacha20-poly1305 encrypts both payload and packet len + uses
> authenticated encryption (best practice), even if the implementation
> looks very similar to etm.
Why is E&M bad practice?
First of all, Encrypt-and-MAC (E&M) allows an attacker to recognise two
identical messages due to the shared MAC.
The ideal method of composing ciphers and MACs is to use
Encrypt-and-MAC, which has the very nice property of not decrypting
anything before authenticating it. For instance, a common error is to
fail early (in a way noticeable by timing) before checking the MAC (e.g.
noticing that the plaintext is corrupt).
Colin Percival explains in
http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html how
only Encrypt-then-MAC is provably secure. See
http://cseweb.ucsd.edu/~mihir/papers/oem.pdf for the detailed proof
comparing the modes.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
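The two properties discussed in the reply above, that an E&M tag lets an observer spot repeated plaintexts and that only an Encrypt-then-MAC receiver can reject a forgery before touching the ciphertext, as an added, self-contained example that is not part of the original thread or of OpenSSH. It assumes a counter-mode keystream built from HMAC-SHA256 as a stdlib-only stand-in for AES-CTR, constructed fixed keys, and a constructed sample message; the decrypt-call counter is instrumentation for the demonstration, not part of either construction.

```python
import hashlib
import hmac
import os
import struct

# Instrumentation only: counts how many times a receiver ran the cipher
# before deciding whether the message was authentic.
DECRYPT_CALLS = [0]


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF.
    Assumption: a stand-in for AES-CTR so the example needs no third-party library."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; CTR mode is symmetric, so this also decrypts."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))


def ctr_decrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    DECRYPT_CALLS[0] += 1
    return ctr_encrypt(key, nonce, data)


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Encrypt-and-MAC: the tag is computed over the plaintext, so equal
# plaintexts always produce equal tags regardless of nonce.
def eam_seal(enc_key, mac_key, nonce, plaintext):
    return nonce, ctr_encrypt(enc_key, nonce, plaintext), mac(mac_key, plaintext)


def eam_open(enc_key, mac_key, nonce, ct, tag):
    # The receiver has no choice but to decrypt first: the tag covers plaintext.
    pt = ctr_decrypt(enc_key, nonce, ct)
    if not hmac.compare_digest(mac(mac_key, pt), tag):
        raise ValueError("bad tag")
    return pt


# Encrypt-then-MAC: the tag covers nonce || ciphertext, so it is verified
# before any decryption and changes whenever the ciphertext changes.
def etm_seal(enc_key, mac_key, nonce, plaintext):
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    return nonce, ct, mac(mac_key, nonce + ct)


def etm_open(enc_key, mac_key, nonce, ct, tag):
    if not hmac.compare_digest(mac(mac_key, nonce + ct), tag):
        raise ValueError("bad tag")          # rejected without running the cipher
    return ctr_decrypt(enc_key, nonce, ct)


ENC_KEY = b"\x11" * 32   # constructed
MAC_KEY = b"\x22" * 32   # constructed
MESSAGE = b"constructed sample message"


def tags_reveal_repeat(seal) -> bool:
    """Seal the same message twice under fresh nonces; True if the tags collide."""
    _, _, t1 = seal(ENC_KEY, MAC_KEY, os.urandom(16), MESSAGE)
    _, _, t2 = seal(ENC_KEY, MAC_KEY, os.urandom(16), MESSAGE)
    return t1 == t2


def decrypt_calls_on_tampered(seal, open_) -> int:
    """Flip one ciphertext bit and count cipher invocations before rejection."""
    nonce, ct, tag = seal(ENC_KEY, MAC_KEY, os.urandom(16), MESSAGE)
    ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    DECRYPT_CALLS[0] = 0
    try:
        open_(ENC_KEY, MAC_KEY, nonce, ct, tag)
    except ValueError:
        return DECRYPT_CALLS[0]
    raise AssertionError("tampering went undetected")


if __name__ == "__main__":
    print("E&M  tags repeat for equal plaintexts:", tags_reveal_repeat(eam_seal))
    print("EtM  tags repeat for equal plaintexts:", tags_reveal_repeat(etm_seal))
    print("E&M  cipher runs before rejecting forgery:", decrypt_calls_on_tampered(eam_seal, eam_open))
    print("EtM  cipher runs before rejecting forgery:", decrypt_calls_on_tampered(etm_seal, etm_open))
```

Both `*_open` functions use `hmac.compare_digest` for the tag check; the timing point in the reply is about the order of operations, and a constant-time comparison does not rescue E&M from having to run the cipher (and potentially a parser) on attacker-controlled bytes before it knows they are authentic.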