summaryrefslogtreecommitdiff
path: root/PROTOCOL
diff options
context:
space:
mode:
Diffstat (limited to 'PROTOCOL')
-rw-r--r--PROTOCOL42
1 files changed, 41 insertions, 1 deletions
diff --git a/PROTOCOL b/PROTOCOL
index c28196011..48b3a4400 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -51,6 +51,46 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51curve points encoded using point compression are NOT accepted or 51curve points encoded using point compression are NOT accepted or
52generated. 52generated.
53 53
541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
55
56OpenSSH supports MAC algorithms, whose names contain "-etm", that
57perform the calculations in a different order to that defined in RFC
584253. These variants use the so-called "encrypt then MAC" ordering,
59calculating the MAC over the packet ciphertext rather than the
60plaintext. This ordering closes a security flaw in the SSH transport
61protocol, where decryption of unauthenticated ciphertext provided a
62"decryption oracle" that could, in conjunction with cipher flaws, reveal
63session plaintext.
64
65Specifically, the "-etm" MAC algorithms modify the transport protocol
66to calculate the MAC over the packet ciphertext and to send the packet
67length unencrypted. This is necessary for the transport to obtain the
68length of the packet and location of the MAC tag so that it may be
69verified without decrypting unauthenticated data.
70
71As such, the MAC covers:
72
73 mac = MAC(key, sequence_number || packet_length || encrypted_packet)
74
75where "packet_length" is encoded as a uint32 and "encrypted_packet"
76contains:
77
78 byte padding_length
79 byte[n1] payload; n1 = packet_length - padding_length - 1
80 byte[n2] random padding; n2 = padding_length
81
821.6 transport: AES-GCM
83
84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
85Because of problems with the specification of the key exchange
86the behaviour of OpenSSH differs from the RFC as follows:
87
88AES-GCM is only negotiated as the cipher algorithms
89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
91the exchanged MAC algorithms are ignored and there doesn't have to be
92a matching MAC.
93
542. Connection protocol changes 942. Connection protocol changes
55 95
562.1. connection: Channel write close extension "eow@openssh.com" 962.1. connection: Channel write close extension "eow@openssh.com"
@@ -291,4 +331,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
291This extension is advertised in the SSH_FXP_VERSION hello with version 331This extension is advertised in the SSH_FXP_VERSION hello with version
292"1". 332"1".
293 333
294$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ 334$OpenBSD: PROTOCOL,v 1.20 2013/01/08 18:49:04 markus Exp $