Re: [saag] A case against algorithm agility (long)

ianG <iang@iang.org> Mon, 05 May 2014 18:59 UTC

Message-ID: <5367DF99.1060700@iang.org>
Date: Mon, 05 May 2014 19:59:37 +0100
From: ianG <iang@iang.org>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Nico Williams <nico@cryptonector.com>
References: <53650F27.6040607@iang.org> <CAK3OfOhGCKPrYzhC46EVAnro6_FEsNVt16Gzx3Ds3zfR2wznOA@mail.gmail.com> <5367C9DC.10009@iang.org> <CF8D8911.1D4D1%kenny.paterson@rhul.ac.uk>
In-Reply-To: <CF8D8911.1D4D1%kenny.paterson@rhul.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/T-GNeWl8L-aCCFHFkh-tJodOHwI
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] A case against algorithm agility (long)

On 5/05/2014 18:32 pm, Paterson, Kenny wrote:
>>> Nonsense.  The CBC IV chaining bugs were exploited against SSHv2.  We
>>> were very glad back then to have deployed AES in counter mode as that
>>> saved our butts.
>>
>>
>> Any reference to that?
> 
> How about these:

Thanks!  Excellent.  Was there any fallout, any actual attacks or damages?

> http://www.kb.cert.org/vuls/id/958563
> 
> http://www.openssh.com/txt/cbc.adv

     "A future version of OpenSSH may make CTR mode ciphers the default
and/or implement other countermeasures, but at present we do not feel
that this issue is serious enough to make an emergency release."



On the face of those texts, this was a nice exploit of academic note,
but not a likely one, nor a practical one.  Something to be fixed, but
not something to inform our design choices in the future.

I'll let my point 7. stand unless there is some info about attacks and
damages.

(One question:  is Nico's claim that this is an example of "being saved"
more to do with commercial vendors' need to ship product with no
theoretical or known flaws?)



> 
> and
> 
> http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
> 
> 
> (for details of the attack).
> 
> Cheers,
> 
> Kenny


thanks again,

iang
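
[Added example, not part of the thread above and not code from OpenSSH or the linked paper.]

The attack the thread is arguing about, modelled in Python. In the SSH Binary Packet Protocol the receiver decrypts the first block of a packet, reads the 32-bit packet_length field from it, reads that many more bytes, and only then checks the MAC. With CBC and chained IVs (the IV of each packet is the last ciphertext block of the previous one, which is on the wire) an attacker who injects a recorded ciphertext block C* as the "first block" of a new packet makes the receiver decrypt it to D(C*) xor IV_now = P* xor C_prev xor IV_now, where C_prev and IV_now are both public. Counting how many bytes the receiver accepts before it tears the connection down for a MAC failure therefore reveals the length field, and with it the first four bytes of P*. The model reproduces OpenSSH's packet size cap, so most injected lengths are rejected outright and the attacker must reconnect until one passes; OpenSSH also checks block alignment of the length, which the model omits to keep the search short (that check lowers the success rate further, see cbc.adv). Everything here is constructed: the "cipher" is a throwaway Feistel construction standing in for AES, the keys are derived from a session counter, and the victim payload is a made-up string. Under CTR mode the same injection decrypts to C* xor (keystream at the current position), which has no relation to the keystream that produced C*, so nothing about P* leaks; that is the property the thread credits with "saving" SSH.

```python
"""Model of the SSH BPP length-field leak in CBC mode with chained IVs.
Constructed for illustration: the cipher, keys and victim packet are toys;
this is not SSH, OpenSSH or the paper's code."""
import hashlib
import hmac

BLOCK = 16                  # block size in bytes (AES-sized)
MAC_LEN = 32                # HMAC-SHA256 tag
MAX_PACKET = 256 * 1024     # OpenSSH's packet size cap; larger lengths are rejected outright


def xor(a, b):
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def _round(key, rnd, half):  # toy Feistel round function standing in for AES; not a real cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def build_packet(payload):
    """BPP framing: packet_length(4) | padding_length(1) | payload | padding (>= 4 bytes)."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    body = bytes([pad]) + payload + b"\x00" * pad
    return len(body).to_bytes(4, "big") + body


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


class CbcReceiver:
    """Pre-fix behaviour: decrypt the first block, trust its length field, read that many
    more bytes, and only then check the MAC.  The IV of each packet is the last ciphertext
    block of the previous one, which the attacker also sees on the wire."""

    def __init__(self, enc_key, mac_key, iv):
        self.enc_key, self.mac_key, self.iv, self.seq = enc_key, mac_key, iv, 0
        self.chunks, self.have, self.total, self.plain = [], 0, None, b""

    def feed(self, data):
        """None while more bytes are needed; otherwise the outcome the attacker can observe."""
        self.chunks.append(data)
        self.have += len(data)
        if self.total is None:
            if self.have < BLOCK:
                return None
            buf = b"".join(self.chunks)
            first, rest = buf[:BLOCK], buf[BLOCK:]
            self.plain, self.iv = xor(toy_decrypt_block(self.enc_key, first), self.iv), first
            self.chunks, self.have = [rest], len(rest)
            length = int.from_bytes(self.plain[:4], "big")
            if length < 5 or length > MAX_PACKET:
                return "bad packet length"               # immediate, distinguishable teardown
            self.total = 4 + length - BLOCK + MAC_LEN   # bytes still needed before the MAC check
        if self.have < self.total:
            return None
        buf = b"".join(self.chunks)
        body, tag = buf[:self.total - MAC_LEN], buf[self.total - MAC_LEN:self.total]
        plain, prev = self.plain, self.iv
        for i in range(0, len(body) - len(body) % BLOCK, BLOCK):   # whole blocks only
            plain, prev = plain + xor(toy_decrypt_block(self.enc_key, body[i:i + BLOCK]), prev), body[i:i + BLOCK]
        self.iv = prev
        expected = hmac.new(self.mac_key, self.seq.to_bytes(4, "big") + plain, hashlib.sha256).digest()
        self.seq, self.chunks, self.have, self.total = self.seq + 1, [buf[self.total:]], len(buf) - self.total, None
        return "ok" if hmac.compare_digest(tag, expected) else "MAC failure"


VICTIM_PAYLOAD = b"SSH_MSG_USERAUTH_REQUEST alice hunter2"   # constructed sample; gives a 3-block packet


def attack_session(session_id):
    """One connection with fresh keys.  Returns (recovered 4 bytes, true 4 bytes), or None when
    the injected block's length field failed the range check and the attacker must reconnect."""
    enc_key = hashlib.sha256(b"enc" + session_id).digest()     # constructed per-session keys
    mac_key = hashlib.sha256(b"mac" + session_id).digest()
    iv0 = hashlib.sha256(b"iv" + session_id).digest()[:BLOCK]  # initial IV comes from key exchange: secret
    packet = build_packet(VICTIM_PAYLOAD)
    ct = cbc_encrypt(enc_key, iv0, packet)
    tag = hmac.new(mac_key, (0).to_bytes(4, "big") + packet, hashlib.sha256).digest()
    receiver = CbcReceiver(enc_key, mac_key, iv0)
    assert receiver.feed(ct + tag) == "ok"           # the genuine packet goes through
    # Attacker: target the 2nd ciphertext block (its predecessor is on the wire, unlike iv0) and
    # inject it as the first block of a "new" packet.  The receiver decrypts it as
    # D(C*) xor IV_now = P* xor C_prev xor IV_now, with C_prev and IV_now both public.
    c_prev, c_star, iv_now = ct[:BLOCK], ct[BLOCK:2 * BLOCK], ct[-BLOCK:]
    outcome, sent = receiver.feed(c_star), BLOCK
    if outcome == "bad packet length":
        return None
    while outcome is None:                           # feed one byte at a time until teardown
        outcome, sent = receiver.feed(b"\x00"), sent + 1
    assert outcome == "MAC failure"
    leaked_length = sent - 4 - MAC_LEN               # the length field the receiver acted on
    recovered = xor(leaked_length.to_bytes(4, "big"), xor(c_prev[:4], iv_now[:4]))
    return recovered, packet[BLOCK:BLOCK + 4]


def run_attack(max_sessions=200_000):
    """Reconnect until a session's injected length passes the range check.
    Returns (sessions_used, recovered_bytes, true_bytes), or None if the cap is hit."""
    for n in range(1, max_sessions + 1):
        result = attack_session(n.to_bytes(4, "big"))
        if result is not None:
            return (n,) + result
    return None


if __name__ == "__main__":
    print(run_attack())
```

Running it takes on the order of ten thousand simulated reconnects before an injected length lands inside the cap, which is the practical side of Kenny's references: the leak is real and the recovered bytes match the victim's plaintext, but each attempt costs a connection and the success rate is low.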