RNG using AES CTR as encryption algorithm

Damien Miller djm at mindrot.org
Sun Sep 13 05:47:27 EDT 2009

On Wed, 9 Sep 2009, Peter Gutmann wrote:

> I was just going to reply with a variation of this, if you're implementing a
> full protocol that uses AES-CTR (or any algorithm/mode for that matter), find
> other implementations that do it too and make sure that you can talk to them.
> In theory everyone could end up implementing it wrong, but that's somewhat
> unlikely.
> (This has already caught AES-CTR implementation bugs in the past, for example
> one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was
> noticed when SSH users couldn't connect to OpenSSH servers using this mode).

That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH.
I don't think OpenSSL even supports a CTR mode through its EVP API.

Any mistakes in implementing CTR mode in OpenSSH are therefore our own.
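The point both posters make is that a CTR implementation is easy to write and easy to get subtly wrong (counter byte order, carry width, keying), and that the cure is cross-checking against an independent implementation and against published known-answer vectors. The following is an added example, not code from this thread, from OpenSSH or from OpenSSL: it builds CTR mode by hand on top of a raw AES block encryption, then checks the result against the NIST SP 800-38A F.5.1 test vector, against Go's standard-library CTR mode standing in for the "other implementation", and against a decrypt round trip. Go is used because its standard library supplies both the raw block cipher and a second, independent CTR implementation to compare with; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// incrementCounter treats the 16-byte counter block as one big-endian integer
// and adds one, carrying across every byte. This is the NIST SP 800-38A
// convention (and the one OpenSSH uses); wrong byte order or carry width is
// the classic interoperability bug.
func incrementCounter(ctr []byte) {
	for i := len(ctr) - 1; i >= 0; i-- {
		ctr[i]++
		if ctr[i] != 0 {
			return
		}
	}
}

// HandRolledCTR builds CTR mode directly on the raw block encryption:
// keystream_i = E_K(counter + i), output = input XOR keystream. Encrypt and
// decrypt are the same operation, and the final block may be partial.
func HandRolledCTR(block cipher.Block, iv, src []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(iv) != bs {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", bs, len(iv))
	}
	ctr := make([]byte, bs)
	copy(ctr, iv) // work on a copy so the caller's IV is not mutated
	keystream := make([]byte, bs)
	dst := make([]byte, len(src))
	for off := 0; off < len(src); off += bs {
		block.Encrypt(keystream, ctr)
		n := len(src) - off
		if n > bs {
			n = bs
		}
		for i := 0; i < n; i++ {
			dst[off+i] = src[off+i] ^ keystream[i]
		}
		incrementCounter(ctr)
	}
	return dst, nil
}

// ReferenceCTR runs the same input through Go's standard-library CTR mode,
// playing the role of the independent implementation to cross-check against.
func ReferenceCTR(block cipher.Block, iv, src []byte) []byte {
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Known-answer test from NIST SP 800-38A, section F.5.1 (CTR-AES128.Encrypt).
var (
	nistKey = mustHex("2b7e151628aed2a6abf7158809cf4f3c")
	nistIV  = mustHex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	nistPT  = mustHex("6bc1bee22e409f96e93d7e117393172a" +
		"ae2d8a571e03ac9c9eb76fac45af8e51" +
		"30c81c46a35ce411e5fbc1191a0a52ef" +
		"f69f2445df4f9b17ad2b417be66c3710")
	nistCT = mustHex("874d6191b620e3261bef6864990db6ce" +
		"9806f66b7970fdff8617187bb9fffdff" +
		"5ae4df3edbd5d35e5b4f09020db03eab" +
		"1e031dda2fbe03d1792170a0f3009cee")
)

// CheckCTR runs the hand-rolled CTR against three oracles: the published NIST
// vector, the standard-library CTR (on the full vector and on a 50-byte input
// ending in a partial block), and a decrypt round trip. It returns the
// ciphertext and whether every check passed.
func CheckCTR() ([]byte, bool, error) {
	block, err := aes.NewCipher(nistKey)
	if err != nil {
		return nil, false, err
	}
	ct, err := HandRolledCTR(block, nistIV, nistPT)
	if err != nil {
		return nil, false, err
	}
	partial, _ := HandRolledCTR(block, nistIV, nistPT[:50])
	pt, _ := HandRolledCTR(block, nistIV, ct)
	ok := bytes.Equal(ct, nistCT) &&
		bytes.Equal(ct, ReferenceCTR(block, nistIV, nistPT)) &&
		bytes.Equal(partial, ReferenceCTR(block, nistIV, nistPT[:50])) &&
		bytes.Equal(pt, nistPT)
	return ct, ok, nil
}

func main() {
	ct, ok, err := CheckCTR()
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %x\nall checks passed: %v\n", ct, ok)
}
```

The three checks catch different mistakes: the NIST vector pins down the exact counter encoding and keying, the reference implementation catches disagreements on inputs the published vector does not cover (here, a trailing partial block), and the round trip catches asymmetries that a single direction would hide. Any of them failing is a bug in the hand-rolled code, which is precisely the situation the thread describes when an implementation has no upstream library to lean on.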


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com