Re: applying AES-GCM to secure shell: proposed "tweak" (fwd)
David McGrew <mcgrew@cisco.com> Thu, 16 April 2009 13:52 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85DBE3A684F for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Thu, 16 Apr 2009 06:52:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.18
X-Spam-Level:
X-Spam-Status: No, score=-6.18 tagged_above=-999 required=5 tests=[AWL=0.419, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ft3y9Ek44BUC for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Thu, 16 Apr 2009 06:52:47 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:4:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id 89C5E3A6921 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 16 Apr 2009 06:52:46 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 0) id 5DA2463B1C6; Thu, 16 Apr 2009 13:53:56 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "sj-iport-4.cisco.com", Issuer "Cisco SSCA" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id E550563B1A5 for <ietf-ssh@netbsd.org>; Thu, 16 Apr 2009 13:53:53 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="4.40,198,1238976000"; d="scan'208";a="33908095"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-4.cisco.com with ESMTP; 16 Apr 2009 12:44:22 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n3GCiMJT015695; Thu, 16 Apr 2009 05:44:22 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n3GCiM1D027975; Thu, 16 Apr 2009 12:44:22 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 16 Apr 2009 05:44:22 -0700
Received: from [10.32.254.210] ([10.32.254.210]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 16 Apr 2009 05:44:21 -0700
Cc: ietf-ssh@netbsd.org, Tero Kivinen <kivinen@iki.fi>, sommerfeld@sun.com, "Chris Lonvick (clonvick)" <clonvick@cisco.com>, ylo@ssh.com, "Kevin M. Igoe" <kmigoe@nsa.gov>, jasolin@orion.ncsc.mil, Pasi Eronen <Pasi.Eronen@nokia.com>
Message-Id: <034620B2-6B85-40AE-9297-367F0440CF3D@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Tim Polk <tim.polk@nist.gov>
In-Reply-To: <AA60AF7F-DC06-4429-BC94-EE8DF0D07DED@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: Re: applying AES-GCM to secure shell: proposed "tweak" (fwd)
Date: Thu, 16 Apr 2009 05:44:19 -0700
References: <Pine.GSO.4.63.0904080833580.7795@sjc-cde-010.cisco.com> <AA60AF7F-DC06-4429-BC94-EE8DF0D07DED@cisco.com>
X-Mailer: Apple Mail (2.930.3)
X-OriginalArrivalTime: 16 Apr 2009 12:44:21.0706 (UTC) FILETIME=[10BBFAA0:01C9BE91]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=7222; t=1239885862; x=1240749862; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20David=20McGrew=20<mcgrew@cisco.com> |Subject:=20Re=3A=20applying=20AES-GCM=20to=20secure=20shel l=3A=20proposed=20=22tweak=22=20(fwd) |Sender:=20; bh=cgP3rhcbU7022Vfz0ZyI4qxiU2mfiNeRu7yYMau0j8k=; b=Vd++GdGPD4TsNqXtbLIGkGJDNY9+4ZyVTtchtnK+9dUrHjgf6zHvbTGTyK 35Q01i/n32XdBxBD9RQ6AHXnmXcIyzyygJPaHJIGn4OlpBQmUGQIJVnRQQVq /Fr65CSFWg;
Authentication-Results: sj-dkim-2; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh
Precedence: list
Hi Tim, this email very nicely outlines the situation; some comments inline: > ---------- Forwarded message ---------- > Date: Wed, 8 Apr 2009 09:02:00 -0400 > From: Tim Polk <tim.polk@nist.gov> > To: ietf-ssh@netbsd.org > Cc: Tero Kivinen <kivinen@iki.fi>, Bill Sommerfeld > <sommerfeld@sun.com>, > Chris Lonvick <clonvick@cisco.com>, ylo@ssh.com, > "Igoe, Kevin M." <kmigoe@nsa.gov>, > Jerome A. Solinas <jasolin@orion.ncsc.mil>, > "<Pasi.Eronen@nokia.com> Eronen" <Pasi.Eronen@nokia.com> > Subject: applying AES-GCM to secure shell: proposed "tweak" > > Folks, > > The IESG is currently considering publication of draft-igoe-secsh-aes- > gcm-01, "AES Galois Counter Mode for the Secure Shell Transport Layer > Protocol", as an Informational RFC. The draft specifies the > application of the Authenticated Encryption with Associated Data > (AEAD) block cipher mode AES Galois/Counter Mode to provide both > confidentiality and data integrity for SSH. (See RFC 5116, "An > Interface and Algorithms for Authenticated Encryption", for a general > look at AEAD algorithms and NIST Special Publication 800-38D for the > specification of the GCM mode; see URLs below.) > > The draft was designed to minimize the changes to RFC 4253 (the SSH > Transport Layer Protocol), so it encrypts the whole SSH binary packet, > including the packet_length field. > > However, AEAD decryption as defined in both RFC 5116 and SP 800-38D > takes the ciphertext as input, and returns either (1) the plaintext if > the authentication succeeds or (2) failure. The ciphertext here is an > octet string of known length, not an ubounded stream. > > Since the packet_length field is also encrypted, SSH cannot determine > the ciphertext boundary before passing the data to AEAD decryption. > (This differs from current SSH encryption modes where the data is > first decrypted, then the packet length field is parsed, and finally > the MAC is verified.) > > Two solutions have been proposed: (1) explicitly allowing "partial > decryption" so that an implementation can recover the packet_length > without authenticating the data; or (2) sending the packet_length > unencrypted so that it is always available. > > The first solution requires less security analysis about SSH, but more > analysis about the AEAD algorithm. The exposure of intermediate values > in AES GCM would require review, and it is inconsistent with RFC > 5116. Even if this solution is determined to be secure for AES GCM, > this might not apply to other AEAD algorithms (where returning > plaintext fragments before authentication may not be even possible, or > may not be secure). In a more parochial concern, inconsistency with SP > 800-38D means that current validation processes (i.e. NIST's FIPS > 140-based Cryptographic Module Validation Program [CMVP]) would need > to be revised, as well as SP 800-38D, to permit use of this protocol > with validated modules. > > The second solution (sending packet_length unencrypted) has a number > of desirable properties: it conforms to RFC 5116 so the design should > apply to any AEAD algorithm, and it is consistent with the algorithm > specification (NIST SP 800-38D). It does require a change to the > padding calculations: since the plaintext for encryption excludes the > packet_length, the concatenation of the 'padding length', 'payload', > and 'random padding' MUST be a multiple of the cipher block size. > (This modifies a requirement from Section 6 of RFC 4253.) Since this > calculation is algorithm specific anyway, it is hoped this would not > be an issue. As you might have guessed, I strongly prefer this > solution. However, we are concerned about making such a change > without ensuring that the security implications have been thoroughly > reviewed. I also strongly prefer this solution, because partial decryption is counter to "authenticated encryption". A lot of work has been done in the theoretical community and in standards groups in the direction of authenticated encryption, and it makes more sense to position SSH to benefit from that line work in the future. > > The SSHv1 protocol revealed the exact plaintext length, which is > clearly undesirable in many situations (see e.g. link below). In > SSHv2, the packet length includes the random padding, so sending it > unencrypted does not reveal the exact the plaintext length. Also, in > many cases the packet length can be inferred from the data stream > (e.g. TCP segment lengths). In applications where there is some fear > that the packet lengths might reveal sensitive information, the use of > random padding probably provides a much more effective countermeasure > than encrypting the packet_length. > > So, it seems that encryption of the packet_length field would be of > little practical use, and might lead to a false sense of security. As > a consequence, we hypothesize that sending packet_length in the clear > would not negatively impact the security of the protocol. > > Before moving forward with this protocol using either of the proposed > solutions, we would appreciate feedback from this mailing list. > Questions to consider: > > (1) does the exposure of the ssh packet length have significant > security implications for ssh itself? > > (2) were applications that rely on ssh for security designed to take > advantage of the encrypted packet length? > > (3) does the change in padding length calculation (caused by excluding > the packet_length from the ciphertext) impose a significant impediment > to migrating existing implementations? > This message was forwarded to me (I'm not on the ssh list) so if security issues have been raised in further emails, I haven't seen them. (If someone perceives a significant security implication in SSH itself, I would like to review it; please forward.) Reading over the security considerations of RFC 4251, there are descriptions of various security issues due to the use of CBC. I also noticed that it does not reference "Security Flaws Induced by CBC Padding", Vaudenay, EUROCRYPT'02, http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps , which is yet another security issue that can occur due to unauthenticated CBC (and SSH as it is currently defined requires that the first CBC block be decrypted prior to the MAC verification step). These problems would not be present if we avoid partial- decryption and stick with authenticated encryption (and AE is what Vaudenay recommends in Section 7 of the above reference, FWIW). best regards, David > Thanks, > > Tim Polk > (Security co-AD and document sponsor) > > P.S. I've tried to contact as many of the usual suspects as > possible, but I am sure I have > missed some folks. Please forward this to anyone I've left off > distribution that might > have an interest!] > > References: > > http: //tools.ietf.org/html/rfc5116 > http: //tools.ietf.org/html/draft-igoe-secsh-aes-gcm-01 > http: //csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf > http: //www.openwall.com/advisories/OW-003-ssh-traffic-analysis/
- applying AES-GCM to secure shell: proposed "tweak" Tim Polk
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Simon Tatham
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Tero Kivinen
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- RE: applying AES-GCM to secure shell: proposed "t… Igoe, Kevin M.
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- RE: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- RE: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Simon Tatham
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- SSH_MSG_KEXINIT extensions field [was Re: applyin… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… David McGrew
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- KEX_OPTION (Re: applying AES-GCM to secure shell:… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… der Mouse
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Compression [was Re: applying AES-GCM to secure s… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Moving forward with draft-igoe (Was: Re: applying… Tim Polk