diff options
Diffstat (limited to 'PROTOCOL')
-rw-r--r-- | PROTOCOL | 29 |
1 files changed, 28 insertions, 1 deletions
@@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic | |||
51 | curve points encoded using point compression are NOT accepted or | 51 | curve points encoded using point compression are NOT accepted or |
52 | generated. | 52 | generated. |
53 | 53 | ||
54 | 1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms | ||
55 | |||
56 | OpenSSH supports MAC algorithms, whose names contain "-etm", that | ||
57 | perform the calculations in a different order to that defined in RFC | ||
58 | 4253. These variants use the so-called "encrypt then MAC" ordering, | ||
59 | calculating the MAC over the packet ciphertext rather than the | ||
60 | plaintext. This ordering closes a security flaw in the SSH transport | ||
61 | protocol, where decryption of unauthenticated ciphertext provided a | ||
62 | "decryption oracle" that could, in conjunction with cipher flaws, reveal | ||
63 | session plaintext. | ||
64 | |||
65 | Specifically, the "-etm" MAC algorithms modify the transport protocol | ||
66 | to calculate the MAC over the packet ciphertext and to send the packet | ||
67 | length unencrypted. This is necessary for the transport to obtain the | ||
68 | length of the packet and location of the MAC tag so that it may be | ||
69 | verified without decrypting unauthenticated data. | ||
70 | |||
71 | As such, the MAC covers: | ||
72 | |||
73 | mac = MAC(key, sequence_number || encrypted_packet) | ||
74 | |||
75 | where "encrypted_packet" contains: | ||
76 | |||
77 | byte padding_length | ||
78 | byte[n1] payload; n1 = packet_length - padding_length - 1 | ||
79 | byte[n2] random padding; n2 = padding_length | ||
80 | |||
54 | 2. Connection protocol changes | 81 | 2. Connection protocol changes |
55 | 82 | ||
56 | 2.1. connection: Channel write close extension "eow@openssh.com" | 83 | 2.1. connection: Channel write close extension "eow@openssh.com" |
@@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. | |||
291 | This extension is advertised in the SSH_FXP_VERSION hello with version | 318 | This extension is advertised in the SSH_FXP_VERSION hello with version |
292 | "1". | 319 | "1". |
293 | 320 | ||
294 | $OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ | 321 | $OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $ |