applying AES-GCM to secure shell: proposed "tweak"
Tim Polk <tim.polk@nist.gov> Wed, 08 April 2009 14:34 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9A0A23A6A4E for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 8 Apr 2009 07:34:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.51
X-Spam-Level:
X-Spam-Status: No, score=-6.51 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 40KS8qYrjaRH for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 8 Apr 2009 07:34:35 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:4:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id 614AC3A6B36 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 8 Apr 2009 07:32:31 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 0) id C5EE463B1A9; Wed, 8 Apr 2009 14:33:27 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id A1DCC63B18C for <ietf-ssh@netbsd.org>; Wed, 8 Apr 2009 14:33:21 +0000 (UTC)
Received: from h222130.nist.gov (h222130.nist.gov [129.6.222.130]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id n38D2FPW002545; Wed, 8 Apr 2009 09:02:15 -0400
Message-Id: <9311F3B1-7185-4A1B-A833-B8DEE63B90B8@nist.gov>
From: Tim Polk <tim.polk@nist.gov>
To: ietf-ssh@netbsd.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Subject: applying AES-GCM to secure shell: proposed "tweak"
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Wed, 08 Apr 2009 09:02:00 -0400
Cc: Tero Kivinen <kivinen@iki.fi>, Bill Sommerfeld <sommerfeld@sun.com>, Chris Lonvick <clonvick@cisco.com>, ylo@ssh.com, "Igoe, Kevin M." <kmigoe@nsa.gov>, "Jerome A. Solinas" <jasolin@orion.ncsc.mil>, "<Pasi.Eronen@nokia.com> Eronen" <Pasi.Eronen@nokia.com>
X-Mailer: Apple Mail (2.930.3)
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: tim.polk@nist.gov
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh
Precedence: list
Folks, The IESG is currently considering publication of draft-igoe-secsh-aes- gcm-01, "AES Galois Counter Mode for the Secure Shell Transport Layer Protocol", as an Informational RFC. The draft specifies the application of the Authenticated Encryption with Associated Data (AEAD) block cipher mode AES Galois/Counter Mode to provide both confidentiality and data integrity for SSH. (See RFC 5116, "An Interface and Algorithms for Authenticated Encryption", for a general look at AEAD algorithms and NIST Special Publication 800-38D for the specification of the GCM mode; see URLs below.) The draft was designed to minimize the changes to RFC 4253 (the SSH Transport Layer Protocol), so it encrypts the whole SSH binary packet, including the packet_length field. However, AEAD decryption as defined in both RFC 5116 and SP 800-38D takes the ciphertext as input, and returns either (1) the plaintext if the authentication succeeds or (2) failure. The ciphertext here is an octet string of known length, not an ubounded stream. Since the packet_length field is also encrypted, SSH cannot determine the ciphertext boundary before passing the data to AEAD decryption. (This differs from current SSH encryption modes where the data is first decrypted, then the packet length field is parsed, and finally the MAC is verified.) Two solutions have been proposed: (1) explicitly allowing "partial decryption" so that an implementation can recover the packet_length without authenticating the data; or (2) sending the packet_length unencrypted so that it is always available. The first solution requires less security analysis about SSH, but more analysis about the AEAD algorithm. The exposure of intermediate values in AES GCM would require review, and it is inconsistent with RFC 5116. Even if this solution is determined to be secure for AES GCM, this might not apply to other AEAD algorithms (where returning plaintext fragments before authentication may not be even possible, or may not be secure). In a more parochial concern, inconsistency with SP 800-38D means that current validation processes (i.e. NIST's FIPS 140-based Cryptographic Module Validation Program [CMVP]) would need to be revised, as well as SP 800-38D, to permit use of this protocol with validated modules. The second solution (sending packet_length unencrypted) has a number of desirable properties: it conforms to RFC 5116 so the design should apply to any AEAD algorithm, and it is consistent with the algorithm specification (NIST SP 800-38D). It does require a change to the padding calculations: since the plaintext for encryption excludes the packet_length, the concatenation of the 'padding length', 'payload', and 'random padding' MUST be a multiple of the cipher block size. (This modifies a requirement from Section 6 of RFC 4253.) Since this calculation is algorithm specific anyway, it is hoped this would not be an issue. As you might have guessed, I strongly prefer this solution. However, we are concerned about making such a change without ensuring that the security implications have been thoroughly reviewed. The SSHv1 protocol revealed the exact plaintext length, which is clearly undesirable in many situations (see e.g. link below). In SSHv2, the packet length includes the random padding, so sending it unencrypted does not reveal the exact the plaintext length. Also, in many cases the packet length can be inferred from the data stream (e.g. TCP segment lengths). In applications where there is some fear that the packet lengths might reveal sensitive information, the use of random padding probably provides a much more effective countermeasure than encrypting the packet_length. So, it seems that encryption of the packet_length field would be of little practical use, and might lead to a false sense of security. As a consequence, we hypothesize that sending packet_length in the clear would not negatively impact the security of the protocol. Before moving forward with this protocol using either of the proposed solutions, we would appreciate feedback from this mailing list. Questions to consider: (1) does the exposure of the ssh packet length have significant security implications for ssh itself? (2) were applications that rely on ssh for security designed to take advantage of the encrypted packet length? (3) does the change in padding length calculation (caused by excluding the packet_length from the ciphertext) impose a significant impediment to migrating existing implementations? Thanks, Tim Polk (Security co-AD and document sponsor) P.S. I've tried to contact as many of the usual suspects as possible, but I am sure I have missed some folks. Please forward this to anyone I've left off distribution that might have an interest!] References: http://tools.ietf.org/html/rfc5116 http://tools.ietf.org/html/draft-igoe-secsh-aes-gcm-01 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis/
- applying AES-GCM to secure shell: proposed "tweak" Tim Polk
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Simon Tatham
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Tero Kivinen
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- RE: applying AES-GCM to secure shell: proposed "t… Igoe, Kevin M.
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- RE: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- RE: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Simon Tatham
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- SSH_MSG_KEXINIT extensions field [was Re: applyin… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… David McGrew
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- KEX_OPTION (Re: applying AES-GCM to secure shell:… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… der Mouse
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Compression [was Re: applying AES-GCM to secure s… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Moving forward with draft-igoe (Was: Re: applying… Tim Polk