Re: OpenSSH and CBC

On 18/06/15 19:25, Gerhard Wiesinger wrote:
> aes128-ctr + hmac-sha256 doesn't have any known vulnerability and encrypts the packet length, but uses the bad practice of e&m. chacha20-poly1305 encrypts both payload and packet len + uses authenticated encryption (best practice), even if the implementation looks very similar to etm.


Why is E&M bad practice?
First of all, Encrypt-and-MAC (E&M) allows an attacker to recognise two identical messages due to the shared MAC.

The ideal method of composing ciphers and MACs is to use Encrypt-and-MAC, which has the very nice property of not decrypting anything before authenticating it. For instance, a common error is to fail early (in a way noticeable by timing) before checking the MAC (e.g. noticing that the plaintext is corrupt).

Colin Percival explains in http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html how only Encrypt-then-MAC is provably secure. See http://cseweb.ucsd.edu/~mihir/papers/oem.pdf for the detailed proof comparing the modes.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
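The two points made in the reply above (E&M leaks message equality through the tag, and forces the receiver to decrypt before it can verify, whereas EtM verifies first) as an added, runnable illustration. This is not code from the thread or from OpenSSH: it uses a toy stream cipher (keystream blocks derived with HMAC-SHA256 over a nonce and counter) as a stand-in for aes128-ctr so that it runs on the Python standard library alone, and the generic E&M variant shown computes the MAC over the plaintext only. The function names and the trace list are this example's own.

```python
import hashlib
import hmac
import os

# Toy keystream cipher standing in for aes128-ctr (assumption for this example,
# not a production cipher): keystream block i = HMAC-SHA256(enc_key, nonce || i).
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))


def _mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


# --- Encrypt-and-MAC: the tag is computed over the plaintext -------------------
def eam_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    return nonce, _xor_stream(enc_key, nonce, plaintext), _mac(mac_key, plaintext)


def eam_decrypt(enc_key, mac_key, nonce, ct, tag, trace):
    # The receiver cannot check the tag until it has the plaintext,
    # so decryption necessarily runs on unauthenticated data.
    trace.append("decrypt")
    pt = _xor_stream(enc_key, nonce, ct)
    trace.append("verify")
    if not hmac.compare_digest(_mac(mac_key, pt), tag):
        raise ValueError("bad MAC")
    return pt


# --- Encrypt-then-MAC: the tag is computed over nonce || ciphertext -------------
def etm_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce, ct, _mac(mac_key, nonce + ct)


def etm_decrypt(enc_key, mac_key, nonce, ct, tag, trace):
    # Verify first; a forged or tampered packet never reaches the cipher.
    trace.append("verify")
    if not hmac.compare_digest(_mac(mac_key, nonce + ct), tag):
        raise ValueError("bad MAC")
    trace.append("decrypt")
    return _xor_stream(enc_key, nonce, ct)


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    m = b"same message sent twice"  # constructed sample input

    # 1. Equality leak: under E&M the same plaintext yields the same tag even
    #    though fresh nonces make the two ciphertexts differ; under EtM the tag
    #    covers the (nonce-dependent) ciphertext, so the tags differ too.
    _, ct1, tag1 = eam_encrypt(enc_key, mac_key, m)
    _, ct2, tag2 = eam_encrypt(enc_key, mac_key, m)
    _, ct3, tag3 = etm_encrypt(enc_key, mac_key, m)
    _, ct4, tag4 = etm_encrypt(enc_key, mac_key, m)

    # 2. Order of operations when an attacker flips one ciphertext bit.
    nonce, ct, tag = eam_encrypt(enc_key, mac_key, m)
    eam_trace = []
    try:
        eam_decrypt(enc_key, mac_key, nonce, bytes([ct[0] ^ 1]) + ct[1:], tag, eam_trace)
    except ValueError:
        pass
    nonce, ct, tag = etm_encrypt(enc_key, mac_key, m)
    etm_trace = []
    try:
        etm_decrypt(enc_key, mac_key, nonce, bytes([ct[0] ^ 1]) + ct[1:], tag, etm_trace)
    except ValueError:
        pass

    # Honest round trips still work in both modes.
    n, c, t = eam_encrypt(enc_key, mac_key, m)
    eam_ok = eam_decrypt(enc_key, mac_key, n, c, t, []) == m
    n, c, t = etm_encrypt(enc_key, mac_key, m)
    etm_ok = etm_decrypt(enc_key, mac_key, n, c, t, []) == m

    return {
        "eam_leaks_equality": ct1 != ct2 and tag1 == tag2,
        "etm_leaks_equality": tag3 == tag4,
        "eam_trace": eam_trace,   # ["decrypt", "verify"]: garbage was decrypted first
        "etm_trace": etm_trace,   # ["verify"]: rejected before any decryption
        "eam_roundtrip": eam_ok,
        "etm_roundtrip": etm_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The trace lists are the point of the second half: with E&M the only way to detect tampering is to run the cipher over attacker-controlled bytes and then inspect the result, which is exactly where the timing-observable early failures mentioned above creep in; with EtM the tag check is a single constant-time comparison over data the receiver already has.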

