Nico Williams <n...@cryptonector.com> writes:

>On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>> There have been attacks on SSH based on the fact that portions of the packets
>> aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt
>> encrypt-then-MAC I'm going to propose the same thing for SSH, it's such a
>> no-brainer it should have been adopted years ago when the first attacks popped
>> up.
>
>No need, just deprecate the CBC ciphers from SSHv2 and be done. We do have
>counter-mode replacements.

How does counter-mode stop manipulation of the encrypted metadata at the start
of the SSH packet, which is what previous attacks have targeted?

(And for those who get the reference: "Puts out fires, does he?").

Peter.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
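To make the ordering problem concrete, here is an added example (not from this thread or from any SSH implementation) contrasting what a receiver does under RFC 4253's encrypt-and-MAC framing with an encrypt-then-MAC framing in the style of OpenSSH's etm modes. It uses HMAC-SHA256 driven in counter mode as a stdlib-only stand-in for AES-CTR, and the keys, sequence number and payload are constructed.

```python
import hmac, hashlib, struct

def keystream(key, nonce, n):
    """Counter mode over a PRF: block i = HMAC-SHA256(key, nonce || i). Toy stand-in for AES-CTR."""
    return b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def ctr(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def mac(mk, seq, data):
    return hmac.new(mk, struct.pack(">I", seq) + data, hashlib.sha256).digest()

def ssh_packet(payload):
    """RFC 4253 framing: uint32 packet_length | byte padding_length | payload | padding (>= 4 bytes)."""
    pad = 4 + (-(9 + len(payload))) % 8          # total length a multiple of the 8-byte block size
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body

def seal_eam(ek, mk, seq, payload):
    """Encrypt-and-MAC as in RFC 4253: MAC over the plaintext, whole packet (length included) encrypted."""
    pt = ssh_packet(payload)
    return ctr(ek, struct.pack(">I", seq), pt) + mac(mk, seq, pt)

def open_eam(ek, mk, seq, wire):
    """The receiver must decrypt the length to locate the MAC, so it acts on unauthenticated plaintext."""
    nonce = struct.pack(">I", seq)
    length = struct.unpack(">I", ctr(ek, nonce, wire[:4]))[0]
    trace = [("decrypted_length_before_mac", length)]
    ct, tag = wire[:4 + length], wire[4 + length:4 + length + 32]
    if len(ct) < 4 + length or len(tag) != 32:
        return trace + ["framing_error"]         # a real receiver blocks here waiting for more bytes
    pt = ctr(ek, nonce, ct)                      # everything is decrypted before anything is verified
    if not hmac.compare_digest(tag, mac(mk, seq, pt)):
        return trace + ["mac_fail"]
    return trace + ["mac_ok", pt[5:4 + length - pt[4]]]

def seal_etm(ek, mk, seq, payload):
    """Encrypt-then-MAC in the style of OpenSSH's etm modes: length in clear, MAC over seq || ciphertext."""
    pt = ssh_packet(payload)
    ct = pt[:4] + ctr(ek, struct.pack(">I", seq), pt[4:])
    return ct + mac(mk, seq, ct)

def open_etm(ek, mk, seq, wire):
    """The MAC is checked over the ciphertext first; nothing is decrypted until it passes."""
    length = struct.unpack(">I", wire[:4])[0]    # cleartext, but covered by the MAC below
    ct, tag = wire[:4 + length], wire[4 + length:4 + length + 32]
    if not hmac.compare_digest(tag, mac(mk, seq, ct)):
        return ["mac_fail"]                      # a tampered length or body is rejected with no plaintext exposed
    body = ctr(ek, struct.pack(">I", seq), ct[4:])
    return ["mac_ok", body[1:length - body[0]]]
```

The trace returned by `open_eam` records the length value the receiver committed to before any MAC check, which is exactly the unauthenticated metadata the thread is discussing; `open_etm` has no such step.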