[PATCH] curve25519-sha256 at libssh.org key exchange proposal
Aris Adamantiadis
aris at 0xbadc0de.be
Thu Nov 7 20:30:23 EST 2013
Le 7/11/13 00:28, mancha a écrit :
>
> That sounds like a great complement to aes{128,256}-gcm at openssh.com.
> Have you been tracking his progress so far? e.g.:
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a8646510b
I am not very comfortable with aes*-gcm at openssh.com because the packet
len is not encrypted under the claim that it is not possible to do both
encryption and authentication on the length field. I believe that's not
true, a competing authenticated encryption mechanism should fix this
(e.g. by sending an authentication token on both every encrypted length
and packet payload).
This unencrypted length thing brings SSH2 back to the SSH1 days where it
was trivial to sniff the length of a password. Contrary to what the RFC
tells, sending ignore packets doesn't help.
Aris
More information about the openssh-unix-dev
mailing list