[PATCH] curve25519-sha256 at libssh.org key exchange proposal

Damien Miller djm at mindrot.org
Thu Nov 14 13:59:56 EST 2013


On Thu, 7 Nov 2013, Aris Adamantiadis wrote:

> On 7/11/13 00:28, mancha wrote:
> > 
> > That sounds like a great complement to aes{128,256}-gcm at openssh.com.
> > Have you been tracking his progress so far? e.g.:
> > http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a8646510b
> 
> I am not very comfortable with aes*-gcm at openssh.com because the packet
> len is not encrypted under the claim that it is not possible to do both
> encryption and authentication on the length field. I believe that's not
> true, a competing authenticated encryption mechanism should fix this
> (e.g. by sending an authentication token on both every encrypted length
> and packet payload).
> 
> This unencrypted length thing brings SSH2 back to the SSH1 days where it
> was trivial to sniff the length of a password. Contrary to what the RFC
> tells, sending ignore packets doesn't help.

You might be interested in the ChaCha20+Poly1305 proposal diff that I just
sent to the openssh-unix-dev@ mailing list. It uses a separate stream
cipher instance to encrypt the packet lengths.

-d
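To make the point of the reply concrete, here is an added example (not code from this thread, and not OpenSSH's own implementation) that models the length-hiding construction of chacha20-poly1305@openssh.com as I read OpenSSH's PROTOCOL.chacha20poly1305 document: one ChaCha20 instance keyed with K_1 encrypts only the 4-byte packet length, a second instance keyed with K_2 encrypts the body, and Poly1305 (keyed from K_2's keystream block 0) authenticates both ciphertexts. The key-split order, the big-endian sequence-number IV and the block-counter choices are assumptions taken from that document, the 64-byte key and packet body are constructed demo values, and the code has not been interop-tested against a real OpenSSH peer. It demonstrates what the thread is arguing about: with aes-gcm@openssh.com the first 4 bytes on the wire are the plaintext length; here they are keystream-masked, differ between two equal-length packets, and are still covered by the tag.

```python
import hmac
import struct

# Added example, not code from the original thread or from OpenSSH.
# ChaCha20 here is the original 64-bit-counter / 64-bit-nonce variant
# that OpenSSH uses, not the 96-bit-nonce RFC 7539 layout.

MASK32 = 0xffffffff


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 64-bit counter, 8-byte nonce."""
    assert len(key) == 32 and len(nonce) == 8
    init = list(struct.unpack("<16L", b"expand 32-byte k" + key
                              + struct.pack("<Q", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(s, init)])


def chacha20_xor(key, nonce, counter, data):
    """XOR data with the keystream starting at the given block counter."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305_mac(key, msg):
    """Poly1305 one-time authenticator (RFC 7539 construction) over msg."""
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key[16:32], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block is read little-endian with a 1 bit appended above its top byte.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def seal_packet(key64, seqnr, body):
    """Encrypt one SSH packet body (everything after the 4-byte length field).

    Assumed layout (from PROTOCOL.chacha20poly1305): K_2 = key[:32] for the
    body, K_1 = key[32:] for the length, IV = big-endian packet sequence number.
    """
    k_payload, k_length = key64[:32], key64[32:]
    nonce = struct.pack(">Q", seqnr)
    poly_key = chacha20_block(k_payload, 0, nonce)[:32]      # K_2, counter 0
    enc_len = chacha20_xor(k_length, nonce, 0, struct.pack(">I", len(body)))
    enc_body = chacha20_xor(k_payload, nonce, 1, body)        # K_2, counter 1
    tag = poly1305_mac(poly_key, enc_len + enc_body)          # covers the length too
    return enc_len + enc_body + tag


def open_packet(key64, seqnr, wire):
    """Reverse of seal_packet; returns the body or raises ValueError on a bad tag."""
    if len(wire) < 4 + 16:
        raise ValueError("packet too short")
    k_payload, k_length = key64[:32], key64[32:]
    nonce = struct.pack(">Q", seqnr)
    # The receiver decrypts only the length first, to learn how much to read,
    # and verifies the tag before it touches the body.
    (body_len,) = struct.unpack(">I", chacha20_xor(k_length, nonce, 0, wire[:4]))
    if len(wire) != 4 + body_len + 16:
        raise ValueError("length does not match received packet")
    poly_key = chacha20_block(k_payload, 0, nonce)[:32]
    expected = poly1305_mac(poly_key, wire[:4 + body_len])
    if not hmac.compare_digest(expected, wire[4 + body_len:]):
        raise ValueError("bad MAC")
    return chacha20_xor(k_payload, nonce, 1, wire[4:4 + body_len])


def wire_length_field(key64, seqnr, body):
    """The first 4 bytes a passive observer sees for this packet."""
    return seal_packet(key64, seqnr, body)[:4]


if __name__ == "__main__":
    key = bytes(range(64))                      # constructed demo key only
    body = b"\x04userpassword\x00\x00\x00\x00"  # constructed packet body
    for seq in (3, 4):
        print("seq", seq, "wire length bytes", wire_length_field(key, seq, body).hex(),
              "plaintext length", len(body))
    assert open_packet(key, 3, seal_packet(key, 3, body)) == body
```

Running it shows two different 4-byte length fields for the same body under consecutive sequence numbers, which is exactly the property the GCM mode's cleartext length field lacks; the decrypt path also illustrates why the length cipher must be separately keyed: the receiver has to decrypt the length before it can verify anything, so a wrong length only costs a bounded read and a MAC failure, never a plaintext disclosure.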

