OpenSSH and CBC

Gerhard Wiesinger lists at wiesinger.com
Fri Jun 19 03:25:19 AEST 2015


On 16.06.2015 14:43, Aris Adamantiadis wrote:
> Hi Gerhard,
>
> This is not exactly true. CTR modes have the length field encrypted. 
> etm MAC modes and AES-GCM have the length field in cleartext.
> CBC is dangerous because the length field is encrypted with CBC.
>

What exactly is the issue with encrypting the length field with CBC?
Is there any documentation or are there papers on this to understand it (other than the source)?

> aes128-ctr + hmac-sha256 doesn't have any known vulnerability and 
> encrypts the packet length, but uses the bad practice of e&m.
> chacha20-poly1305 encrypts both payload and packet len + uses 
> authenticated encryption (best practice), even if the implementation 
> looks very similar to etm.
>

Why is E&M bad practice?

Thank you.

Ciao,
Gerhard
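
Added example, not part of the original message and not OpenSSH code: a sketch of the receiver-side order of operations for the encrypt-and-MAC packet layout of RFC 4253 (encrypted length, MAC over the plaintext) next to the encrypt-then-MAC layout of the etm MAC modes (cleartext length, MAC over length and ciphertext). Assumptions: the function names are hypothetical, the packet is simplified to length plus payload without SSH padding, and the cipher is a constructed SHA-256 keystream standing in for a real stream cipher.

```python
import hashlib, hmac, struct

def xor_stream(key, seq, data):
    # Constructed stand-in for a stream cipher (SHA-256 in counter mode); not AES-CTR.
    ks = b"".join(hashlib.sha256(key + struct.pack(">IQ", seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def tag(key, seq, data):
    # SSH MACs cover the 32-bit packet sequence number followed by the data.
    return hmac.new(key, struct.pack(">I", seq) + data, hashlib.sha256).digest()

def seal_eam(ek, mk, seq, payload):
    # Encrypt-and-MAC: the length is encrypted, the MAC is over the plaintext packet.
    pkt = struct.pack(">I", len(payload)) + payload
    return xor_stream(ek, seq, pkt) + tag(mk, seq, pkt)

def open_eam(ek, mk, seq, wire):
    trace = ["decrypt-length"]          # needed just to locate the MAC
    (n,) = struct.unpack(">I", xor_stream(ek, seq, wire[:4]))
    if len(wire) != 4 + n + 32:         # unauthenticated length drives framing
        return None, trace
    trace.append("decrypt-payload")
    pkt = xor_stream(ek, seq, wire[:4 + n])
    trace.append("verify-mac")          # integrity is checked last
    ok = hmac.compare_digest(wire[4 + n:], tag(mk, seq, pkt))
    return (pkt[4:] if ok else None), trace

def seal_etm(ek, mk, seq, payload):
    # Encrypt-then-MAC: cleartext length, the MAC is over length || ciphertext.
    body = struct.pack(">I", len(payload)) + xor_stream(ek, seq, payload)
    return body + tag(mk, seq, body)

def open_etm(ek, mk, seq, wire):
    (n,) = struct.unpack(">I", wire[:4])
    if len(wire) != 4 + n + 32:
        return None, []
    trace = ["verify-mac"]
    if not hmac.compare_digest(wire[4 + n:], tag(mk, seq, wire[:4 + n])):
        return None, trace              # rejected before any decryption
    trace.append("decrypt-payload")
    return xor_stream(ek, seq, wire[4:4 + n]), trace

def flip(wire, i):
    # Flip one bit of byte i to model in-transit modification.
    return wire[:i] + bytes([wire[i] ^ 1]) + wire[i + 1:]
```

For a modified packet, the trace from `open_eam` shows the cipher running over unauthenticated bytes before the MAC is checked, while `open_etm` stops at the MAC check.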


More information about the openssh-unix-dev mailing list