Bellare et al. describe a weakness in the use of CBC-mode ciphers in SSH-2: the IV for each packet is the last ciphertext block of the previous one, so it is known to an observer before the next plaintext is chosen. Section 9.2.1 of the current secsh-architecture draft suggests emitting an SSH_MSG_IGNORE before each real packet, which I think converts Bellare et al.'s SSH-IPC into something analogous to SSH-CTRIV-CBC or SSH-EIV-CBC.
Implementing this in PuTTY was fairly easy, and gives us decent security until CTR modes are widespread. It does, though, add something like 32 bytes of overhead to each SSH packet in CBC mode.
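The following Python model is an added illustration, not PuTTY code, of why the interposed SSH_MSG_IGNORE helps and where the overhead comes from. It builds SSH-2 binary packets as in RFC 4253 section 6 (uint32 packet_length, byte padding_length, payload, at least four bytes of random padding, total a multiple of the block size) and chains CBC IVs the way SSH-2 does. The block cipher is a stand-in keyed function built from SHA-256 (an assumption; only the encryption direction is needed to show the chaining), and `mac_len` is whatever the negotiated MAC produces.

```python
import hashlib
import os
import struct

BLOCK = 16            # cipher block size in bytes
SSH_MSG_IGNORE = 2    # message number from RFC 4253


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in keyed block function (assumption): SHA-256 truncated to one block.
    # It is not invertible, which is fine here: we only model encryption to show
    # how CBC chaining fixes the next packet's IV. Real code would use AES etc.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC: C[i] = E(P[i] XOR C[i-1]), with C[-1] = iv."""
    assert len(data) % BLOCK == 0
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)


def ssh_packet(payload: bytes, rng=os.urandom) -> bytes:
    """SSH-2 binary packet without the MAC (RFC 4253 s6): padding is random,
    at least 4 bytes, and brings the total to a multiple of the block size."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    packet_len = 1 + len(payload) + pad
    return struct.pack(">IB", packet_len, pad) + payload + rng(pad)


def ssh_ignore_payload(data: bytes = b"") -> bytes:
    """SSH_MSG_IGNORE carries a single SSH 'string' (uint32 length + bytes)."""
    return bytes([SSH_MSG_IGNORE]) + struct.pack(">I", len(data)) + data


class CbcStream:
    """One direction of an SSH-2 CBC stream: the IV for each packet is the
    last ciphertext block of the previous packet (chained IV)."""

    def __init__(self, key: bytes, iv: bytes):
        self.key, self.iv = key, iv

    def send(self, packet: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.iv, packet)
        self.iv = ct[-BLOCK:]   # next packet chains from here
        return ct


def iv_for_real_packet(prepend_ignore: bool, state_iv: bytes, key: bytes,
                       rng=os.urandom) -> bytes:
    """IV the next real packet will be encrypted under.

    Without the ignore packet it is exactly state_iv, the last ciphertext block
    already on the wire, so an observer knows it before the plaintext is chosen.
    With the ignore packet it is the last block of a freshly encrypted packet
    whose random padding the sender picks at send time, so it cannot be known
    in advance by anyone outside the sender."""
    stream = CbcStream(key, state_iv)
    if prepend_ignore:
        stream.send(ssh_packet(ssh_ignore_payload(), rng))
    return stream.iv


def ignore_overhead(mac_len: int) -> int:
    """Bytes added per real packet: the encrypted empty SSH_MSG_IGNORE plus its MAC."""
    return len(ssh_packet(ssh_ignore_payload())) + mac_len


if __name__ == "__main__":
    key, known_iv = b"session-key", bytes(BLOCK)   # constructed sample values
    print("IV without ignore:", iv_for_real_packet(False, known_iv, key).hex())
    print("IV with ignore   :", iv_for_real_packet(True, known_iv, key).hex())
    print("IV with ignore   :", iv_for_real_packet(True, known_iv, key).hex())
    print("overhead with 16-byte MAC:", ignore_overhead(16), "bytes")
```

An empty SSH_MSG_IGNORE payload is 5 bytes, so the packet rounds up to one 16-byte block, and with a 16-byte MAC that is the roughly 32 bytes of overhead mentioned above (36 with a 20-byte MAC). The protection depends on the ignore packet being generated and sent immediately before the real packet, so that nobody sees the new IV before the real plaintext has been committed.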