version 1.17, 2010/12/04 00:18:01
version 1.18, 2012/12/11 22:31:18
|
|
curve points encoded using point compression are NOT accepted or
generated.
|
|
|
1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms |
|
|
|
OpenSSH supports MAC algorithms, whose names contain "-etm", that
perform the calculations in a different order to that defined in RFC
4253. These variants use the so-called "encrypt then MAC" ordering,
calculating the MAC over the packet ciphertext rather than the
plaintext. This ordering closes a security flaw in the SSH transport
protocol, where decryption of unauthenticated ciphertext provided a
"decryption oracle" that could, in conjunction with cipher flaws, reveal
session plaintext.

Specifically, the "-etm" MAC algorithms modify the transport protocol
to calculate the MAC over the packet ciphertext and to send the packet
length unencrypted. This is necessary for the transport to obtain the
length of the packet and location of the MAC tag so that it may be
verified without decrypting unauthenticated data.

As such, the MAC covers:

	mac = MAC(key, sequence_number || encrypted_packet)

where "encrypted_packet" contains:

	byte      padding_length
	byte[n1]  payload; n1 = packet_length - padding_length - 1
	byte[n2]  random padding; n2 = padding_length
|
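The framing described above, as an added Python example (not OpenSSH's own code): the receiver uses the cleartext length to locate the tag, verifies the MAC, and only then hands ciphertext to the cipher, so a modified packet is rejected before any decryption happens. A SHA-256 counter keystream stands in for the negotiated cipher and the keys are constructed rather than derived from key exchange; the example also feeds the cleartext packet_length into the MAC input, as OpenSSH's packet code does, since the receiver acts on that field before anything is decrypted.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8     # pad the encrypted portion to a multiple of this (RFC 4253 minimum block)
TAG_LEN = 32  # HMAC-SHA256 tag, as used by hmac-sha2-256-etm@openssh.com

def stream_xor(key, seq, data):
    """Toy keystream (SHA-256 in counter mode) standing in for the negotiated cipher."""
    ks = b"".join(hashlib.sha256(key + struct.pack(">IQ", seq, i)).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def etm_mac(mac_key, seq, length_field, encrypted):
    # MAC input: sequence_number || packet_length (cleartext) || encrypted_packet
    return hmac.new(mac_key, struct.pack(">I", seq) + length_field + encrypted,
                    hashlib.sha256).digest()

def build_packet(enc_key, mac_key, seq, payload):
    pad = BLOCK - ((1 + len(payload)) % BLOCK)
    if pad < 4:                          # RFC 4253: at least four bytes of padding
        pad += BLOCK
    length_field = struct.pack(">I", 1 + len(payload) + pad)   # sent unencrypted
    encrypted = stream_xor(enc_key, seq, bytes([pad]) + payload + os.urandom(pad))
    return length_field + encrypted + etm_mac(mac_key, seq, length_field, encrypted)

def parse_packet(enc_key, mac_key, seq, wire):
    # 1. The cleartext length locates the ciphertext and the tag without decrypting.
    packet_length = struct.unpack(">I", wire[:4])[0]
    encrypted = wire[4:4 + packet_length]
    tag = wire[4 + packet_length:4 + packet_length + TAG_LEN]
    if len(encrypted) != packet_length or len(tag) != TAG_LEN:
        raise ValueError("truncated packet")
    # 2. Verify before decrypting: unauthenticated data never reaches the cipher.
    if not hmac.compare_digest(tag, etm_mac(mac_key, seq, wire[:4], encrypted)):
        raise ValueError("bad MAC")
    # 3. Only authenticated ciphertext is decrypted; strip padding_length and padding.
    plain = stream_xor(enc_key, seq, encrypted)
    return plain[1:packet_length - plain[0]]

def demo(payload=b"SSH_MSG_IGNORE demo"):
    """Round-trip one packet, then show a one-byte ciphertext change is rejected."""
    enc_key, mac_key = b"k" * 32, b"m" * 32   # constructed keys, not derived from KEX
    wire = build_packet(enc_key, mac_key, 7, payload)
    got = parse_packet(enc_key, mac_key, 7, wire)
    flipped = wire[:4] + bytes([wire[4] ^ 0x01]) + wire[5:]   # first ciphertext byte
    try:
        parse_packet(enc_key, mac_key, 7, flipped)
        rejected = False
    except ValueError as err:
        rejected = str(err) == "bad MAC"
    return got, rejected
```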
|
2. Connection protocol changes
|
|
2.1. connection: Channel write close extension "eow@openssh.com"