OpenSSH and Galois/Counter mode i.e. GCM

Damien Miller djm at
Sun Oct 21 08:13:24 EST 2012

On Fri, 19 Oct 2012, Arthur Mesh wrote:

> Hello,
> Are there any known efforts to implement RFC 5647 i.e. AES Galois
> Counter Mode for the Secure Shell Transport Layer Protocol for
> OpenSSH?

Combined confidentiality/integrity modes are a bit subtle to
integrate into the SSH protocol, as it was designed to negotiate them
independently. This leads to annoying corner-cases, e.g. if the combined
mode was selected as the symmetric cipher by something else was selected
as the MAC.

Futher complications arise because the combined modes require some
alteration to the packet code, and might even affect what is sent in the
clear and what isn't.

There's an RFC for AES-GCM, but unfortunately it seems to have been
written by someone at the NSA who ignored much of the discussion that
took place on the ietf-secsh mailing list and it has some problems
with regards to the cipher/MAC selection difficulty I mentioned above.
I'm not sure we'd want to implement that RFC, but we might be open to
integrating AES-GCM in a way that doesn't break the negotiation system
so much.


More information about the openssh-unix-dev mailing list