[Ach] OpenSSH ETM implementation error

Alexander Wuerstlein arw at cs.fau.de
Tue Jun 21 16:18:18 CEST 2016

On 2016-06-21T09:18, Aaron Zauner <azet at azet.org> wrote:
> > On 21 Jun 2016, at 14:55, Aaron Zauner <azet at azet.org> wrote:
> > 
> > Hi,
> > 
> > Our recommendations go with EtM in OpenSSH, Kenny Paterson published this slide deck recently: http://www.turing-gateway.cam.ac.uk/documents/tgmw35/Kenny%20Paterson.pdf
> > 
> > They identify a CBC timing oracle (not much used anymore) but more importantly: they identify a error in the generic Encrypt-then-Mac implementation in OpenSSH which is used quite a lot. I'm not aware of upstream patches.
> Follow-up: https://twitter.com/kennyog/status/745153366699827205

Is there any more specific description of the problem? Somehow I can't
really make sense of the slides regarding EtM problems, there are
references to papers, e.g. on slide 56, but I can't even find the paper.
Let alone make sense of the slides.

Sorry for being dense, might be lack of coffee ;)


Alexander Wuerstlein.

More information about the Ach mailing list