OpenSSH and CBC
Ángel González
keisial at gmail.com
Sat Jun 20 10:01:15 AEST 2015
On 18/06/15 19:25, Gerhard Wiesinger wrote:
>> aes128-ctr + hmac-sha256 doesn't have any known vulnerability and
>> encrypts the packet length, but uses the bad practice of e&m.
>> chacha20-poly1305 encrypts both payload and packet len + uses
>> authenticated encryption (best practice), even if the implementation
>> looks very similar to etm.
>>
>
> Why is E&M bad practice?
First of all, Encrypt-and-MAC (E&M) allows an attacker to recognise two
identical messages due to the shared MAC.
The ideal method of composing ciphers and MACs is to use
Encrypt-and-MAC, which has the very nice property of not decrypting
anything before authenticating it. For instance, a common error is to
fail early (in a way noticeable by timing) before checking the MAC (e.g.
by noticing that the plaintext is corrupt).
Colin Percival explains in
http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html how
only Encrypt-then-MAC is provably secure. See
http://cseweb.ucsd.edu/~mihir/papers/oem.pdf for the detailed proof
comparing the modes.
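The two compositions contrasted above, as an added example that is not part of the original message or of OpenSSH: a CTR-mode stream cipher built from HMAC-SHA256 as a PRF stands in for aes128-ctr (the Python stdlib has no AES), and keys and nonces are constructed placeholders. It shows that E&M tags over a repeated plaintext are identical under fresh nonces, while EtM tags are not, and that EtM verifies the tag before any decryption happens.

```python
import hmac
import hashlib
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF; stand-in for
    # aes128-ctr. The composition logic below is independent of the cipher.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def seal_eam(enc_key, mac_key, nonce, plaintext):
    # Encrypt-and-MAC: tag over the plaintext, sent beside the ciphertext.
    return nonce, ctr_xor(enc_key, nonce, plaintext), mac(mac_key, plaintext)

def seal_etm(enc_key, mac_key, nonce, plaintext):
    # Encrypt-then-MAC: tag over nonce || ciphertext.
    ct = ctr_xor(enc_key, nonce, plaintext)
    return nonce, ct, mac(mac_key, nonce + ct)

def open_etm(enc_key, mac_key, nonce, ct, tag):
    # Verify first; the receiver never touches plaintext on a bad tag,
    # so there is no "corrupt plaintext" path to leak timing through.
    if not hmac.compare_digest(tag, mac(mac_key, nonce + ct)):
        return None
    return ctr_xor(enc_key, nonce, ct)

def eam_tags_repeat(enc_key, mac_key, plaintext) -> bool:
    # Same plaintext sent twice under fresh nonces: E&M tags collide,
    # so an eavesdropper learns the two messages were identical.
    _, _, t1 = seal_eam(enc_key, mac_key, os.urandom(8), plaintext)
    _, _, t2 = seal_eam(enc_key, mac_key, os.urandom(8), plaintext)
    return t1 == t2

def etm_tags_repeat(enc_key, mac_key, plaintext) -> bool:
    _, _, t1 = seal_etm(enc_key, mac_key, os.urandom(8), plaintext)
    _, _, t2 = seal_etm(enc_key, mac_key, os.urandom(8), plaintext)
    return t1 == t2
```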