On Mon, Feb 11, 2013 at 4:57 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Nico Williams <n...@cryptonector.com> writes:
>>On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
>>wrote:
>>> There have been attacks on SSH based on the fact that portions of the
>>> packets aren't authenticated, and as soon as the TLS folks stop bikeshedding
>>> and adopt encrypt-then-MAC I'm going to propose the same thing for SSH, it's
>>> such a no-brainer it should have been adopted years ago when the first attacks
>>> popped up.
>>
>>No need, just deprecate the CBC ciphers from SSHv2 and be done. We do have
>>counter-mode replacements.
>
> How does counter-mode stop manipulation of the encrypted metadata at the start
> of the SSH packet, which is what previous attacks have targeted?
Oh, well, I was thinking of padding -- there's no padding in the counter mode cases, but you're right that we should just always encrypt-then-MAC.

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
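Added example, not part of the thread: a stdlib-only Python model of the two constructions discussed above. It shows why switching CBC for counter mode does nothing for the encrypted length at the start of an SSH packet (the receiver must act on the decrypted length before any MAC can be checked), while encrypt-then-MAC lets the receiver reject a modified packet before decrypting anything. The keys, nonce and hash-based counter mode are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo constants; a real protocol derives per-direction keys and a fresh
# counter per packet (this toy reuses one nonce, acceptable only for a demo).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\xaa" * 8
TAG_LEN = 32


def ctr_xor(key, nonce, data):
    """Toy counter mode: keystream block i = SHA-256(key || nonce || i).
    Like any stream mode it is malleable: a flipped ciphertext bit flips the same plaintext bit."""
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack_encrypt_and_mac(payload):
    """SSH-style encrypt-and-MAC: tag over the plaintext; the length field travels encrypted."""
    plain = struct.pack(">I", len(payload)) + payload
    return ctr_xor(ENC_KEY, NONCE, plain) + hmac.new(MAC_KEY, plain, hashlib.sha256).digest()


def eam_committed_length(wire):
    """First thing an E&M receiver must do: decrypt the length to learn where the packet and
    its tag end. It acts on this value before anything has been authenticated."""
    return struct.unpack(">I", ctr_xor(ENC_KEY, NONCE, wire[:4]))[0]


def eam_receive(wire):
    n = eam_committed_length(wire)
    if len(wire) < 4 + n + TAG_LEN:
        return None  # keeps waiting for n more bytes, n being whatever the wire now says
    plain = ctr_xor(ENC_KEY, NONCE, wire[:4 + n])
    tag = hmac.new(MAC_KEY, plain, hashlib.sha256).digest()
    return plain[4:] if hmac.compare_digest(tag, wire[4 + n:4 + n + TAG_LEN]) else None


def pack_encrypt_then_mac(payload):
    """Encrypt-then-MAC: length in the clear, tag over exactly the wire bytes (length || ciphertext)."""
    ct = struct.pack(">I", len(payload)) + ctr_xor(ENC_KEY, NONCE, payload)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def etm_receive(wire):
    """Verify the tag before touching the ciphertext: a modified length is rejected, never decrypted."""
    ct, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        return None
    return ctr_xor(ENC_KEY, NONCE, ct[4:])


def flip_top_length_bit(wire):
    """Model an on-path bit flip in the first wire byte (the length field, encrypted or not)."""
    return bytes([wire[0] ^ 0x80]) + wire[1:]
```

With encrypt-and-MAC the flipped byte silently turns a 5-byte length into 2147483653 and the receiver commits to it; with encrypt-then-MAC the same flip fails the tag check before the length is used.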