Re: applying AES-GCM to secure shell: proposed "tweak"
Damien Miller <djm@mindrot.org> Thu, 09 April 2009 04:40 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 163743A6A7D for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 8 Apr 2009 21:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RfYWs9+VOm3M for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 8 Apr 2009 21:40:19 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:4:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id C2AE03A68A5 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 8 Apr 2009 21:40:18 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 0) id 72FEA63B15A; Thu, 9 Apr 2009 04:41:23 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from natsu.mindrot.org (natsu.mindrot.org [116.66.166.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id 60AED63B14D for <ietf-ssh@netbsd.org>; Thu, 9 Apr 2009 04:41:21 +0000 (UTC)
Received: by natsu.mindrot.org (Postfix, from userid 506) id D81AAC4AFE; Thu, 9 Apr 2009 13:25:57 +1000 (EST)
Received: from fuyu.mindrot.org (fuyu.mindrot.org [203.217.30.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "fuyu.mindrot.org", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by natsu.mindrot.org (Postfix) with ESMTPS id 79373C4ACD; Thu, 9 Apr 2009 13:25:51 +1000 (EST)
Received: by fuyu.mindrot.org (Postfix, from userid 1000) id E9B49A4F6D; Thu, 9 Apr 2009 13:25:50 +1000 (EST)
Received: from localhost (localhost [127.0.0.1]) by fuyu.mindrot.org (Postfix) with ESMTP id E7513A4F6C; Thu, 9 Apr 2009 13:25:50 +1000 (EST)
Date: Thu, 09 Apr 2009 13:25:50 +1000
From: Damien Miller <djm@mindrot.org>
To: Tim Polk <tim.polk@nist.gov>
cc: ietf-ssh@netbsd.org, Tero Kivinen <kivinen@iki.fi>, Bill Sommerfeld <sommerfeld@sun.com>, Chris Lonvick <clonvick@cisco.com>, ylo@ssh.com, "Igoe, Kevin M." <kmigoe@nsa.gov>, "Jerome A. Solinas" <jasolin@orion.ncsc.mil>, "<Pasi.Eronen@nokia.com> Eronen" <Pasi.Eronen@nokia.com>
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
In-Reply-To: <9311F3B1-7185-4A1B-A833-B8DEE63B90B8@nist.gov>
Message-ID: <alpine.BSO.2.00.0904091259300.8718@fuyu.mindrot.org>
References: <9311F3B1-7185-4A1B-A833-B8DEE63B90B8@nist.gov>
User-Agent: Alpine 2.00 (BSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh
Precedence: list
On Wed, 8 Apr 2009, Tim Polk wrote: > Folks, > > The IESG is currently considering publication of draft-igoe-secsh-aes- > gcm-01, "AES Galois Counter Mode for the Secure Shell Transport Layer > Protocol", as an Informational RFC. The draft specifies the > application of the Authenticated Encryption with Associated Data > (AEAD) block cipher mode AES Galois/Counter Mode to provide both > confidentiality and data integrity for SSH. (See RFC 5116, "An > Interface and Algorithms for Authenticated Encryption", for a general > look at AEAD algorithms and NIST Special Publication 800-38D for the > specification of the GCM mode; see URLs below.) > > The draft was designed to minimize the changes to RFC 4253 (the SSH > Transport Layer Protocol), so it encrypts the whole SSH binary packet, > including the packet_length field. > > However, AEAD decryption as defined in both RFC 5116 and SP 800-38D > takes the ciphertext as input, and returns either (1) the plaintext if > the authentication succeeds or (2) failure. The ciphertext here is an > octet string of known length, not an ubounded stream. > > Since the packet_length field is also encrypted, SSH cannot determine > the ciphertext boundary before passing the data to AEAD decryption. > (This differs from current SSH encryption modes where the data is > first decrypted, then the packet length field is parsed, and finally > the MAC is verified.) > > Two solutions have been proposed: (1) explicitly allowing "partial > decryption" so that an implementation can recover the packet_length > without authenticating the data; or (2) sending the packet_length > unencrypted so that it is always available. another option, would be encrypting the length field with an independently-keyed cipher, but I doubt that it is worth it. I'd agree that simply leaving the length fields unencrypted would be best, but the security considerations should mention the need to use padding to avoid revealing secrets, especially for password userauth. Some general comments on the draft: First, why GCM? Some rationale would be nice. 4.1 Key exchange implies modification to the matching rules, but doesn't IMO sufficiently spell out exactly how matching should occur when the GCM method appears in various positions of the client and server's lists. 5.1/5.2 - The suggested algorithm names are structurally different to the other algorithm identifiers used in SSH. In particular, I don't see any need for the "-ssh" to appear in the algorithm name as the cipher has not been modified in any substantial way. Why not just "aes128-gcm" or "aes128-gcm-aead" if you wanted to be particularly verbose? -d
- applying AES-GCM to secure shell: proposed "tweak" Tim Polk
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Simon Tatham
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Tero Kivinen
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- RE: applying AES-GCM to secure shell: proposed "t… Igoe, Kevin M.
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Joseph Galbraith
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- RE: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- RE: applying AES-GCM to secure shell: proposed "t… James Blaisdell
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- RE: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Simon Tatham
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- SSH_MSG_KEXINIT extensions field [was Re: applyin… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Damien Miller
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… David McGrew
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Timo J. Rinne
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Jeffrey Hutzelman
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- KEX_OPTION (Re: applying AES-GCM to secure shell:… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… der Mouse
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: KEX_OPTION (Re: applying AES-GCM to secure sh… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Compression [was Re: applying AES-GCM to secure s… der Mouse
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… denis bider (Bitvise)
- Re: applying AES-GCM to secure shell: proposed "t… Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Niels Möller
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Re: applying AES-GCM to secure shell: proposed "t… Nicolas Williams
- Moving forward with draft-igoe (Was: Re: applying… Tim Polk