path: root/PROTOCOL
diff options
authorDamien Miller <>2012-12-12 10:46:31 +1100
committerDamien Miller <>2012-12-12 10:46:31 +1100
commitaf43a7ac2d77c57112b48f34c7a72be2adb761bc (patch)
tree4381616492fbbca62d39c042f16221f681c1d37f /PROTOCOL
parent6a1937eac5da5bdcf33aaa922ce5de0c764e37ed (diff)
- 2012/12/11 22:31:18
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
Diffstat (limited to 'PROTOCOL')
1 files changed, 28 insertions, 1 deletions
diff --git a/PROTOCOL b/PROTOCOL
index c2819601..834716cc 100644
@@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
curve points encoded using point compression are NOT accepted or
+1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
+OpenSSH supports MAC algorithms, whose names contain "-etm", that
+perform the calculations in a different order to that defined in RFC
+4253. These variants use the so-called "encrypt then MAC" ordering,
+calculating the MAC over the packet ciphertext rather than the
+plaintext. This ordering closes a security flaw in the SSH transport
+protocol, where decryption of unauthenticated ciphertext provided a
+"decryption oracle" that could, in conjunction with cipher flaws, reveal
+session plaintext.
+Specifically, the "-etm" MAC algorithms modify the transport protocol
+to calculate the MAC over the packet ciphertext and to send the packet
+length unencrypted. This is necessary for the transport to obtain the
+length of the packet and location of the MAC tag so that it may be
+verified without decrypting unauthenticated data.
+As such, the MAC covers:
+ mac = MAC(key, sequence_number || encrypted_packet)
+where "encrypted_packet" contains:
+ byte padding_length
+ byte[n1] payload; n1 = packet_length - padding_length - 1
+ byte[n2] random padding; n2 = padding_length
2. Connection protocol changes
2.1. connection: Channel write close extension ""
@@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
-$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $
+$OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $