"Paterson, Kenny" <kenny.pater...@rhul.ac.uk> writes:

>In fact, SSHv2 adopts an "Encrypt & MAC" construction and all fields in SSHv2
>are authenticated. But the issue is that this authentication cannot be
>checked until the whole message has arrived, and the receiver has to use a
>field in the plaintext to determine how long that message should be. So the
>receiver has to act on unauthenticated plaintext data. This (in combination
>with the use of CBC mode) is the root cause of the attack.

Yeah, sorry, I was a bit unclear, what I meant was that you have to perform a
decrypt before you can verify the MAC, even though the MAC is in the clear at
the end of the packet, which negates the benefit of having the MAC readily
available.  So the fix would be to leave the packet lengths unencrypted, so
the format is:

  length || encrypt( payload ) || MAC

This means you don't have to touch the encrypted data unless the MAC tells you
that it's untampered.  As it stands at the moment the encryption of lengths
serves no useful purpose (Wireshark tells you exactly how long each packet is
even if the length is encrypted), but horribly complicates the processing.

Peter.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
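Added example, not from either poster: a toy receiver for the SSHv2-style layout (length inside the first ciphertext block, MAC over the plaintext) beside a receiver for the "length || encrypt( payload ) || MAC" layout Peter proposes, with the MAC taken over the cleartext length and the ciphertext (an assumption consistent with "you don't have to touch the encrypted data unless the MAC tells you it's untampered"). The 16-byte Feistel block cipher, the keys, the payload and the bit-flip tampering are all constructed stand-ins; real SSH also MACs a sequence number and has more framing than this. Each receiver reports how many blocks it decrypted before any MAC check could run.

```python
import hashlib
import hmac
import struct

BLOCK = 16
MAC_LEN = 32

# Constructed test material (assumptions, not from the thread).
KEY = b"toy-cipher-key-00"
MAC_KEY = b"toy-mac-key"
IV = bytes(range(BLOCK))
PAYLOAD = b"SSH_MSG_CHANNEL_DATA sample"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    # Toy 4-round Feistel network on 16-byte blocks: invertible, NOT secure.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return out


def _mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def ssh_style_build(key, iv, mac_key, payload):
    # Encrypt & MAC: plaintext = length(4) || pad_len(1) || payload || pad,
    # the whole thing is CBC-encrypted and the MAC is over the plaintext.
    pad_len = (-(5 + len(payload))) % BLOCK
    body = bytes([pad_len]) + payload + b"\x00" * pad_len
    plaintext = struct.pack(">I", len(body)) + body
    return cbc_encrypt(key, iv, plaintext) + _mac(mac_key, plaintext)


def ssh_style_receive(key, iv, mac_key, wire):
    # The length sits in the first ciphertext block, so the receiver must
    # decrypt before it even knows where the MAC is, and then commits to
    # reading a number of bytes taken from unverified plaintext.
    first = cbc_decrypt(key, iv, wire[:BLOCK])
    need = 4 + struct.unpack(">I", first[:4])[0]
    if need < BLOCK or need % BLOCK:
        return {"status": "bad_length", "wanted": need, "blocks_decrypted_before_mac": 1}
    if len(wire) < need + MAC_LEN:
        return {"status": "waiting", "wanted": need, "blocks_decrypted_before_mac": 1}
    plaintext = cbc_decrypt(key, iv, wire[:need])
    decrypted = need // BLOCK
    if not hmac.compare_digest(wire[need:need + MAC_LEN], _mac(mac_key, plaintext)):
        return {"status": "mac_failure", "wanted": need, "blocks_decrypted_before_mac": decrypted}
    pad_len = plaintext[4]
    return {"status": "ok", "payload": plaintext[5:need - pad_len],
            "blocks_decrypted_before_mac": decrypted}


def etm_build(key, iv, mac_key, payload):
    # Peter's layout: length (clear) || encrypt(pad_len || payload || pad) || MAC,
    # with the MAC over the cleartext length and the ciphertext (assumption).
    pad_len = (-(1 + len(payload))) % BLOCK
    ct = cbc_encrypt(key, iv, bytes([pad_len]) + payload + b"\x00" * pad_len)
    header = struct.pack(">I", len(ct))
    return header + ct + _mac(mac_key, header + ct)


def etm_receive(key, iv, mac_key, wire):
    need = 4 + struct.unpack(">I", wire[:4])[0]   # cleartext length, covered by the MAC
    if len(wire) < need + MAC_LEN:
        return {"status": "waiting", "wanted": need, "blocks_decrypted_before_mac": 0}
    if not hmac.compare_digest(wire[need:need + MAC_LEN], _mac(mac_key, wire[:need])):
        return {"status": "mac_failure", "wanted": need, "blocks_decrypted_before_mac": 0}
    body = cbc_decrypt(key, iv, wire[4:need])      # only touched after the MAC passed
    return {"status": "ok", "payload": body[1:len(body) - body[0]],
            "blocks_decrypted_before_mac": 0}


def flip_bit(wire, offset):
    # Constructed tampering: flip one bit at the given offset.
    return wire[:offset] + bytes([wire[offset] ^ 0x80]) + wire[offset + 1:]


def run_demo():
    ssh_wire = ssh_style_build(KEY, IV, MAC_KEY, PAYLOAD)
    etm_wire = etm_build(KEY, IV, MAC_KEY, PAYLOAD)
    return {
        "ssh_ok": ssh_style_receive(KEY, IV, MAC_KEY, ssh_wire),
        # offset 0 is inside the first (length-carrying) ciphertext block
        "ssh_tampered": ssh_style_receive(KEY, IV, MAC_KEY, flip_bit(ssh_wire, 0)),
        "etm_ok": etm_receive(KEY, IV, MAC_KEY, etm_wire),
        # offset 4 is the first ciphertext block; the cleartext length is untouched
        "etm_tampered": etm_receive(KEY, IV, MAC_KEY, flip_bit(etm_wire, 4)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

With the first ciphertext block tampered, the SSH-style receiver has already decrypted it and either waits for a garbage-derived number of bytes or reads them and only then fails the MAC, so its observable behaviour depends on plaintext nobody has authenticated. The receiver for the cleartext-length layout rejects the same tampering with zero blocks decrypted. Note that a cleartext length can of course still be altered on the wire, so a receiver may still be made to wait for the wrong amount of data, but the MAC failure follows as soon as that data arrives and no decryption is performed along the way.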
