More info in my AES128-CBC question
Leichter, Jerry
leichter_jerrold at emc.com
Fri Apr 27 17:42:41 EDT 2007
| > What the RFC seems to be suggesting is that the first block of every
| > message be SSH_MSG_IGNORE. Since the first block in any message is now
| > fixed, there's no way for the attacker to choose it. Since the attacker
|
| SSH_MSG_IGNORE messages carry [random] data.
|
| Effectively what the RFC is calling for is a confounder.
No, not really, for any reasonable interpretation I can make of
that term. You can send a message that consists of enough 0 bytes
to be sure that the entire first block is fixed, and you've gotten
all the security you can get against the attack in question. (If
you're using SSH_MSG_IGNORE to protect against traffic analysis, you
might want to do something different - but that's a completely
distinct attack and the security considerations are entirely
different.)
-- Jerry
| Nico
| --
|
|
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com