diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-12 10:46:31 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-12 10:46:31 +1100 |
| commit | af43a7ac2d77c57112b48f34c7a72be2adb761bc (patch) | |
| tree | 4381616492fbbca62d39c042f16221f681c1d37f /PROTOCOL | |
| parent | 6a1937eac5da5bdcf33aaa922ce5de0c764e37ed (diff) | |
- markus@cvs.openbsd.org 2012/12/11 22:31:18
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
[packet.c ssh_config.5 sshd_config.5]
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
Diffstat (limited to 'PROTOCOL')
| -rw-r--r-- | PROTOCOL | 29 |
1 files changed, 28 insertions, 1 deletions
| @@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic | |||
| 51 | curve points encoded using point compression are NOT accepted or | 51 | curve points encoded using point compression are NOT accepted or |
| 52 | generated. | 52 | generated. |
| 53 | 53 | ||
| 54 | 1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms | ||
| 55 | |||
| 56 | OpenSSH supports MAC algorithms, whose names contain "-etm", that | ||
| 57 | perform the calculations in a different order to that defined in RFC | ||
| 58 | 4253. These variants use the so-called "encrypt then MAC" ordering, | ||
| 59 | calculating the MAC over the packet ciphertext rather than the | ||
| 60 | plaintext. This ordering closes a security flaw in the SSH transport | ||
| 61 | protocol, where decryption of unauthenticated ciphertext provided a | ||
| 62 | "decryption oracle" that could, in conjunction with cipher flaws, reveal | ||
| 63 | session plaintext. | ||
| 64 | |||
| 65 | Specifically, the "-etm" MAC algorithms modify the transport protocol | ||
| 66 | to calculate the MAC over the packet ciphertext and to send the packet | ||
| 67 | length unencrypted. This is necessary for the transport to obtain the | ||
| 68 | length of the packet and location of the MAC tag so that it may be | ||
| 69 | verified without decrypting unauthenticated data. | ||
| 70 | |||
| 71 | As such, the MAC covers: | ||
| 72 | |||
| 73 | mac = MAC(key, sequence_number || encrypted_packet) | ||
| 74 | |||
| 75 | where "encrypted_packet" contains: | ||
| 76 | |||
| 77 | byte padding_length | ||
| 78 | byte[n1] payload; n1 = packet_length - padding_length - 1 | ||
| 79 | byte[n2] random padding; n2 = padding_length | ||
| 80 | |||
| 54 | 2. Connection protocol changes | 81 | 2. Connection protocol changes |
| 55 | 82 | ||
| 56 | 2.1. connection: Channel write close extension "eow@openssh.com" | 83 | 2.1. connection: Channel write close extension "eow@openssh.com" |
| @@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. | |||
| 291 | This extension is advertised in the SSH_FXP_VERSION hello with version | 318 | This extension is advertised in the SSH_FXP_VERSION hello with version |
| 292 | "1". | 319 | "1". |
| 293 | 320 | ||
| 294 | $OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ | 321 | $OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $ |