PuTTY wish ssh2-cbc-weakness

This is a mirror. The primary PuTTY web site can be found here.

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: SSH-2 CBC weaknesses can be worked around
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: low: We aren't sure whether to fix this or not.
present-in: 2005-01-17
fixed-in: 2005-04-24 (0.59) (0.60)

Bellare et al describe a weakness in the use of CBC-mode ciphers in SSH-2. Section 9.2.1 of the current secsh-architecture draft suggests emitting an SSH_MSG_IGNORE before each real packet, which I think converts Bellare et al's SSH-IPC into something analogous to SSH-CTRIV-CBC or SSH-EIV-CBC.

Implementing this in PuTTY was fairly easy, and gives us decent security until CTR modes are widespread. It does, though, add something like 32 bytes of overhead to each SSH packet in CBC mode.

Audit trail for this wish.

If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2005-04-23 18:10:18 +0100)