"cipher none" alternatives ?

Dan Kaminsky dankamin at cisco.com
Sat Mar 17 12:16:42 EST 2001


Andrew--

    Funny, I was just talking about this with one of the dev guys.

    Here's the problem--while what you're moving doesn't have any security
considerations (same here--but I'm moving GPG encrypted files), without a
cipher and the associated per-message authentication that goes with it, you
have no way to prevent an attacker from injecting arbitrary packets or
commands (like rm -rf *).

    Sure, *you* might be sending trivial messages, but you can't predict
what *other* people will send.  The crypto prevents their messages from
being meaningful.

    SSH2 does have a real HMAC per-packet authenticator, and indeed might be
amenable to what you describe--essentially, something similar to AH-mode
IPSec.  But someone else will have to say whether the HMAC is capable of
being used in this manner, and performance will never be as high as a
full-out null cipher.

    Incidentally--if anyone out there is skilled at profiling code, I think
the SSH client could use a look.  I think there are absolute limits embedded
in there as to how fast it may run, because it'll never use up as much CPU
as is available to it and will top out at 150-220K/s no matter the speed of
the client or server.

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com
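The "null cipher plus per-packet HMAC" arrangement discussed above, as an added illustration that is not part of the original post or of OpenSSH: the payload travels in the clear, but the SSH2-style MAC over the sequence number and the unencrypted packet lets the receiver reject a replaced command or a replayed frame. The key, payloads and the use of HMAC-SHA-256 are constructed sample values, not anything from the thread.

```python
import hmac
import hashlib
import struct

# Constructed demo key; in SSH2 this would be the integrity key derived at key exchange.
KEY = b"constructed-demo-integrity-key"
MAC_LEN = hashlib.sha256().digest_size


def mac_packet(key, seqno, payload):
    """SSH2 computes the MAC over the 32-bit sequence number followed by the
    unencrypted packet, so both tampering and replay change the tag."""
    return hmac.new(key, struct.pack(">I", seqno) + payload, hashlib.sha256).digest()


def send(key, seqno, payload):
    """Null cipher: the payload is sent as-is, followed by its MAC."""
    return payload + mac_packet(key, seqno, payload)


def receive(key, seqno, frame):
    """Return the payload if the MAC verifies for this sequence number, else None."""
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac_packet(key, seqno, payload)):
        return None  # drop the packet: no confidentiality, but no injection either
    return payload


def demo():
    # Legitimate command at sequence number 0; readable on the wire, accepted by the peer.
    frame = send(KEY, 0, b"ls -l")
    accepted = receive(KEY, 0, frame)

    # An on-path party swaps the command but cannot forge the tag without the key.
    injected = b"rm -rf *" + frame[-MAC_LEN:]
    rejected_injection = receive(KEY, 0, injected)

    # The authentic frame replayed later fails because the sequence number moved on.
    rejected_replay = receive(KEY, 1, frame)
    return accepted, rejected_injection, rejected_replay


if __name__ == "__main__":
    print(demo())  # (b'ls -l', None, None)
```

The extra cost over a true null cipher is one HMAC computation per packet on each side, which is the performance trade-off the post refers to.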