PuTTY wish ssh2-cbc-weakness

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: SSH-2 CBC weaknesses can be worked around
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: low: We aren't sure whether to fix this or not.
present-in: 2005-01-17
fixed-in: 2005-04-24 f2b0335c48ee9afe69420f9869cf205f018ace99 (0.59)

Bellare et al describe a weakness in the use of CBC-mode ciphers in SSH-2. Section 9.2.1 of the current secsh-architecture draft suggests emitting an SSH_MSG_IGNORE before each real packet, which I think converts Bellare et al's SSH-IPC into something analogous to SSH-CTRIV-CBC or SSH-EIV-CBC.

Implementing this in PuTTY was fairly easy, and gives us decent security until CTR modes are widespread. It does, though, add something like 32 bytes of overhead to each SSH packet in CBC mode.


If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2016-12-27 11:40:22 +0000)