OpenSSH and CBC

Aris Adamantiadis aris at 0xbadc0de.be
Tue Jun 16 22:43:34 AEST 2015


Hi Gerhard,

This is not exactly true. CTR modes have the length field encrypted. etm 
MAC modes and AES-GCM have the length field in cleartext.
CBC is dangerous because the length field is encrypted with CBC.

aes128-ctr + hmac-sha256 doesn't have any known vulnerability and 
encrypts the packet length, but uses the bad practice of e&m.
chacha20-poly1305 encrypts both payload and packet len + uses 
authenticated encryption (best practice), even if the implementation 
looks very similar to etm.

Aris

>> BTW: Jan Zerebecki also doesn't recommend the AES CTR modes as they 
>> disclose packet length.
>> https://wiki.mozilla.org/Security/Guidelines/OpenSSH
>> Any comments on this?
>>
>
> Jan answered me, as the packet length is transmitted in plaintext, see:
> http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html
>
> Ciao,
> Gerhard
>
> -- http://www.wiesinger.com/
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
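The two packet layouts contrasted in the message above, as an added example that is not part of the original e-mail or of OpenSSH's code: encrypt-and-MAC as in RFC 4253, and the -etm layout as described in OpenSSH's PROTOCOL document. Assumptions: the function names are hypothetical, and a SHA-256 counter keystream stands in for aes128-ctr so the block runs on the standard library alone.

```python
import hashlib, hmac, os, struct

BLOCK, TAG = 16, 32  # padding alignment; HMAC-SHA256 tag length

def xor_stream(key, seq, data):
    """Stand-in stream cipher (SHA-256 in counter mode). NOT aes128-ctr."""
    ks = b"".join(hashlib.sha256(key + struct.pack(">II", seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(key, seq, data):
    # SSH MACs cover the 32-bit packet sequence number followed by the data
    return hmac.new(key, struct.pack(">I", seq) + data, hashlib.sha256).digest()

def frame(payload, aligned_hdr):
    """Return (packet_length, padding_length || payload || padding)."""
    pad = BLOCK - (aligned_hdr + len(payload)) % BLOCK
    if pad < 4:                      # RFC 4253 requires at least 4 padding bytes
        pad += BLOCK
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)), body

def seal_e_and_m(ek, mk, seq, payload):
    length, body = frame(payload, 5)         # length field is part of the encrypted data
    plain = length + body
    return xor_stream(ek, seq, plain) + mac(mk, seq, plain)    # MAC over plaintext

def open_e_and_m(ek, mk, seq, wire):
    n = struct.unpack(">I", xor_stream(ek, seq, wire[:4]))[0]  # decrypted before any MAC check
    plain = xor_stream(ek, seq, wire[:4 + n])
    if not hmac.compare_digest(wire[4 + n:4 + n + TAG], mac(mk, seq, plain)):
        raise ValueError("MAC failure")
    return plain[5:len(plain) - plain[4]]

def seal_etm(ek, mk, seq, payload):
    length, body = frame(payload, 1)         # length field stays outside the cipher
    ct = xor_stream(ek, seq, body)
    return length + ct + mac(mk, seq, length + ct)             # MAC over ciphertext

def open_etm(ek, mk, seq, wire):
    n = struct.unpack(">I", wire[:4])[0]     # cleartext length, covered by the MAC
    head, tag = wire[:4 + n], wire[4 + n:4 + n + TAG]
    if not hmac.compare_digest(tag, mac(mk, seq, head)):       # verified before decrypting
        raise ValueError("MAC failure")
    body = xor_stream(ek, seq, head[4:])
    return body[1:len(body) - body[0]]
```
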


