IETF Logo Mail Archive

Re: applying AES-GCM to secure shell: proposed "tweak"

Damien Miller <djm@mindrot.org> Thu, 09 April 2009 04:40 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 163743A6A7D for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 8 Apr 2009 21:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RfYWs9+VOm3M for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 8 Apr 2009 21:40:19 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:4:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id C2AE03A68A5 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 8 Apr 2009 21:40:18 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 0) id 72FEA63B15A; Thu, 9 Apr 2009 04:41:23 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from natsu.mindrot.org (natsu.mindrot.org [116.66.166.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.netbsd.org (Postfix) with ESMTPS id 60AED63B14D for <ietf-ssh@netbsd.org>; Thu, 9 Apr 2009 04:41:21 +0000 (UTC)
Received: by natsu.mindrot.org (Postfix, from userid 506) id D81AAC4AFE; Thu, 9 Apr 2009 13:25:57 +1000 (EST)
Received: from fuyu.mindrot.org (fuyu.mindrot.org [203.217.30.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "fuyu.mindrot.org", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by natsu.mindrot.org (Postfix) with ESMTPS id 79373C4ACD; Thu, 9 Apr 2009 13:25:51 +1000 (EST)
Received: by fuyu.mindrot.org (Postfix, from userid 1000) id E9B49A4F6D; Thu, 9 Apr 2009 13:25:50 +1000 (EST)
Received: from localhost (localhost [127.0.0.1]) by fuyu.mindrot.org (Postfix) with ESMTP id E7513A4F6C; Thu, 9 Apr 2009 13:25:50 +1000 (EST)
Date: Thu, 09 Apr 2009 13:25:50 +1000
From: Damien Miller <djm@mindrot.org>
To: Tim Polk <tim.polk@nist.gov>
cc: ietf-ssh@netbsd.org, Tero Kivinen <kivinen@iki.fi>, Bill Sommerfeld <sommerfeld@sun.com>, Chris Lonvick <clonvick@cisco.com>, ylo@ssh.com, "Igoe, Kevin M." <kmigoe@nsa.gov>, "Jerome A. Solinas" <jasolin@orion.ncsc.mil>, "<Pasi.Eronen@nokia.com> Eronen" <Pasi.Eronen@nokia.com>
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
In-Reply-To: <9311F3B1-7185-4A1B-A833-B8DEE63B90B8@nist.gov>
Message-ID: <alpine.BSO.2.00.0904091259300.8718@fuyu.mindrot.org>
References: <9311F3B1-7185-4A1B-A833-B8DEE63B90B8@nist.gov>
User-Agent: Alpine 2.00 (BSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh
Precedence: list

On Wed, 8 Apr 2009, Tim Polk wrote:

> Folks,
> 
> The IESG is currently considering publication of draft-igoe-secsh-aes-
> gcm-01, "AES Galois Counter Mode for the Secure Shell Transport Layer
> Protocol", as an Informational RFC.  The draft specifies the
> application of the Authenticated Encryption with Associated Data
> (AEAD) block cipher mode AES Galois/Counter Mode to provide both
> confidentiality and data integrity for SSH.  (See RFC 5116, "An
> Interface and Algorithms for Authenticated Encryption", for a general
> look at AEAD algorithms and NIST Special Publication 800-38D for the
> specification of the GCM mode; see URLs below.)
> 
> The draft was designed to minimize the changes to RFC 4253 (the SSH
> Transport Layer Protocol), so it encrypts the whole SSH binary packet,
> including the packet_length field.
> 
> However, AEAD decryption as defined in both RFC 5116 and SP 800-38D
> takes the ciphertext as input, and returns either (1) the plaintext if
> the authentication succeeds or (2) failure. The ciphertext here is an
> octet string of known length, not an ubounded stream.
> 
> Since the packet_length field is also encrypted, SSH cannot determine
> the ciphertext boundary before passing the data to AEAD decryption.
> (This differs from current SSH encryption modes where the data is
> first decrypted, then the packet length field is parsed, and finally
> the MAC is verified.)
> 
> Two solutions have been proposed: (1) explicitly allowing "partial
> decryption" so that an implementation can recover the packet_length
> without authenticating the data; or (2) sending the packet_length
> unencrypted so that it is always available.

another option, would be encrypting the length field with an
independently-keyed cipher, but I doubt that it is worth it.

I'd agree that simply leaving the length fields unencrypted would
be best, but the security considerations should mention the need to
use padding to avoid revealing secrets, especially for password
userauth.

Some general comments on the draft:

First, why GCM? Some rationale would be nice.

4.1 Key exchange implies modification to the matching rules, but doesn't
IMO sufficiently spell out exactly how matching should occur when the
GCM method appears in various positions of the client and server's lists.

5.1/5.2 - The suggested algorithm names are structurally different to
the other algorithm identifiers used in SSH. In particular, I don't see
any need for the "-ssh" to appear in the algorithm name as the cipher
has not been modified in any substantial way. Why not just "aes128-gcm"
or "aes128-gcm-aead" if you wanted to be particularly verbose?

-d

v2.23.0 | Report a Bug | By Email