search for: degabriel

...account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility. * ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC b...

...account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility. * ssh(1), sshd(8): Improve ordering ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC be...

...@@ cipher_blocksize(const struct sshcipher *c) return (c->block_size); } +uint64_t +cipher_rekey_blocks(const struct sshcipher *c) +{ + /* + * Chacha20-Poly1305 does not benefit from data-based rekeying, + * per "The Security of ChaCha20-Poly1305 in the Multi-user Setting", + * Degabriele, J. P., Govinden, J, Gunther, F. and Paterson K. + * ACM CCS 2021; https://eprint.iacr.org/2023/085.pdf + * + * Cryptanalysis aside, we do still want do need to prevent the SSH + * sequence number wrapping and also to rekey to provide some + * protection for long lived sessions against key di...

...150,39 @@ cipher_blocksize(const struct sshcipher *c) return (c->block_size); } +uint64_t +cipher_rekey_blocks(const struct sshcipher *c) +{ + /* + * Chacha20-Poly1305 does not benefit from data-based rekeying, + * per "The Security of ChaCha20-Poly1305 in the Multi-user Setting", + * Degabriele, J. P., Govinden, J, Gunther, F. and Paterson K. + * ACM CCS 2021; https://eprint.iacr.org/2023/085.pdf<https://eprint.iacr.org/2023/085.pdf> + * + * Cryptanalysis aside, we do still want do need to prevent the SSH + * sequence number wrapping and also to rekey to provide some + * protection...

...*c) > return (c->block_size); > } > > +uint64_t > +cipher_rekey_blocks(const struct sshcipher *c) > +{ > + /* > + * Chacha20-Poly1305 does not benefit from data-based rekeying, > + * per "The Security of ChaCha20-Poly1305 in the Multi-user Setting", > + * Degabriele, J. P., Govinden, J, Gunther, F. and Paterson K. > + * ACM CCS 2021; https://eprint.iacr.org/2023/085.pdf > + * > + * Cryptanalysis aside, we do still want do need to prevent the SSH > + * sequence number wrapping and also to rekey to provide some > + * protection for long lived ses...

...oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London. * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to perform a path-traversal attack. creating or modifying f...

I was wondering if there was something specific to the internal chacha20 cipher as opposed to OpenSSL implementation. I can't just change the block size because it breaks compatibility. I can do something like as a hack (though it would probably be better to do it with the compat function): if (strstr(enc->name, "chacha")) *max_blocks = (u_int64_t)1 << (16*2);

...*c) > return (c->block_size); > } > > +uint64_t > +cipher_rekey_blocks(const struct sshcipher *c) > +{ > + /* > + * Chacha20-Poly1305 does not benefit from data-based rekeying, > + * per "The Security of ChaCha20-Poly1305 in the Multi-user Setting", > + * Degabriele, J. P., Govinden, J, Gunther, F. and Paterson K. > + * ACM CCS 2021; https://eprint.iacr.org/2023/085.pdf<https://eprint.iacr.org/2023/085.pdf> > + * > + * Cryptanalysis aside, we do still want do need to prevent the SSH > + * sequence number wrapping and also to rekey to provide...

...oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London. * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to perform a path-traversal attack. creating or modifying f...