More info in my AES128-CBC question

Leichter, Jerry leichter_jerrold at emc.com
Fri Apr 27 17:42:41 EDT 2007


| > What the RFC seems to be suggesting is that the first block of every
| > message be SSH_MSG_IGNORE.  Since the first block in any message is now
| > fixed, there's no way for the attacker to choose it.  Since the attacker
| 
| SSH_MSG_IGNORE messages carry [random] data.
| 
| Effectively what the RFC is calling for is a confounder.
No, not really, for any reasonable interpretation I can make of
that term.  You can send a message that consists of enough 0 bytes
to be sure that the entire first block is fixed, and you've gotten
all the security you can get against the attack in question.  (If
you're using SSH_MSG_IGNORE to protect against traffic analysis, you
might want to do something different - but that's a completely
distinct attack and the security considerations are entirely
different.)

							-- Jerry
 
| Nico
| -- 
| 
| 
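The exchange above turns on one property of CBC with the IV chained across messages: the IV of the next message is the last ciphertext block of the previous one, so it is already on the wire before the next plaintext is chosen. The following is an added example, not code from the list post or from any SSH implementation. It uses a toy 16-byte Feistel cipher as a stand-in for AES so that it runs offline, and the names ChainedCbcChannel, guess_confirmed and run_demo are mine. It checks what an observer of the ciphertext can confirm about an earlier plaintext block under plain chaining, and then shows that prepending a fixed block of zeros to every message removes that ability just as well as prepending a random block, which is Jerry's point.

```python
"""CBC with the IV chained across messages, with and without a fixed first
block. Added example: not from the list post. The block cipher below is a toy
stand-in for AES-128 so the script runs with the standard library only."""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: 4-round Feistel network with SHA-256 as the
    round function. It is a permutation, which is all CBC needs for this
    illustration; it is NOT a secure cipher and only stands in for AES."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC over whole blocks: C_i = E_k(P_i XOR C_{i-1}), C_0 = iv."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


class ChainedCbcChannel:
    """Encrypts successive messages; the IV of each message is the last
    ciphertext block of the previous one. `leading_block` is an optional fixed
    first block (the zero-filled SSH_MSG_IGNORE of the thread) put in front of
    every message before the data the peer actually supplies."""

    def __init__(self, key: bytes, iv: bytes, leading_block: bytes = b""):
        self.key = key
        self.state = iv               # always the last ciphertext block sent
        self.leading = leading_block  # b"" or a fixed 16-byte block

    def send(self, msg: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.state, self.leading + msg)
        self.state = ct[-BLOCK:]
        return ct


def guess_confirmed(channel: ChainedCbcChannel, c_prev: bytes,
                    c_target: bytes, guess: bytes) -> bool:
    """Can an observer who sees all ciphertext (but not the key) confirm a
    guess for the plaintext block that produced c_target? They know the next
    IV (channel.state) and submit X = guess XOR c_prev XOR next_iv as the first
    block they control. Under plain chaining that block encrypts to
    E_k(guess XOR c_prev), which equals c_target exactly when the guess is
    right. With a fixed leading block, the value XORed into X is instead
    E_k(leading XOR next_iv), which needs the key, so the comparison fails."""
    next_iv = channel.state
    crafted = _xor(_xor(guess, c_prev), next_iv)
    ct = channel.send(crafted)
    idx = len(channel.leading)  # the observer's block follows any leading block
    return ct[idx:idx + BLOCK] == c_target


def run_demo() -> dict:
    """Run the check under plain chaining, a zero leading block and a random
    leading block. Returns {variant: {"right_guess": bool, "wrong_guess": bool}}."""
    key, iv = os.urandom(16), os.urandom(16)
    secret = b"password=hunter2"  # constructed 16-byte sample plaintext
    variants = (("chained", b""),
                ("zero_block", bytes(BLOCK)),
                ("random_block", os.urandom(BLOCK)))
    results = {}
    for name, leading in variants:
        ch = ChainedCbcChannel(key, iv, leading)
        ct = ch.send(secret)
        idx = len(leading)
        c_prev = ct[idx - BLOCK:idx] if idx else iv   # block chained into `secret`
        c_target = ct[idx:idx + BLOCK]                # ciphertext of `secret`
        results[name] = {
            "right_guess": guess_confirmed(ch, c_prev, c_target, secret),
            "wrong_guess": guess_confirmed(ch, c_prev, c_target, b"password=letmein"),
        }
    return results


if __name__ == "__main__":
    for variant, outcome in run_demo().items():
        print(f"{variant:13s} right guess confirmed: {outcome['right_guess']}, "
              f"wrong guess confirmed: {outcome['wrong_guess']}")
```

Only the `chained` variant confirms the right guess; the zero block and the random block both defeat the check in the same way, because what matters is that the observer cannot compute E_k(leading XOR next_iv), not whether the leading block is secret.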

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com