| version 1.17, 2010/12/04 00:18:01 |
version 1.18, 2012/12/11 22:31:18 |
|
|
| curve points encoded using point compression are NOT accepted or |
curve points encoded using point compression are NOT accepted or |
| generated. |
generated. |
| |
|
| |
1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms |
| |
|
| |
OpenSSH supports MAC algorithms, whose names contain "-etm", that |
| |
perform the calculations in a different order to that defined in RFC |
| |
4253. These variants use the so-called "encrypt then MAC" ordering, |
| |
calculating the MAC over the packet ciphertext rather than the |
| |
plaintext. This ordering closes a security flaw in the SSH transport |
| |
protocol, where decryption of unauthenticated ciphertext provided a |
| |
"decryption oracle" that could, in conjunction with cipher flaws, reveal |
| |
session plaintext. |
| |
|
| |
Specifically, the "-etm" MAC algorithms modify the transport protocol |
| |
to calculate the MAC over the packet ciphertext and to send the packet |
| |
length unencrypted. This is necessary for the transport to obtain the |
| |
length of the packet and location of the MAC tag so that it may be |
| |
verified without decrypting unauthenticated data. |
| |
|
| |
As such, the MAC covers: |
| |
|
| |
mac = MAC(key, sequence_number || encrypted_packet) |
| |
|
| |
where "encrypted_packet" contains: |
| |
|
| |
byte padding_length |
| |
byte[n1] payload; n1 = packet_length - padding_length - 1 |
| |
byte[n2] random padding; n2 = padding_length |
| |
|
| 2. Connection protocol changes |
2. Connection protocol changes |
| |
|
| 2.1. connection: Channel write close extension "eow@openssh.com" |
2.1. connection: Channel write close extension "eow@openssh.com" |
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh