[144851] in cryptography@c2.net mail archive


Re: RNG using AES CTR as encryption algorithm

daemon@ATHENA.MIT.EDU (Damien Miller)
Mon Sep 14 20:05:48 2009

Date: Sun, 13 Sep 2009 19:47:27 +1000 (EST)
From: Damien Miller <djm@mindrot.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
cc: dj@deadhat.com, cryptography@metzdowd.com
In-Reply-To: <E1MlGu2-0002pI-DI@wintermute01.cs.auckland.ac.nz>

On Wed, 9 Sep 2009, Peter Gutmann wrote:

> I was just going to reply with a variation of this, if you're implementing a
> full protocol that uses AES-CTR (or any algorithm/mode for that matter), find
> other implementations that do it too and make sure that you can talk to them.
> In theory everyone could end up implementing it wrong, but that's somewhat
> unlikely.
> 
> (This has already caught AES-CTR implementation bugs in the past, for example
> one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was
> noticed when SSH users couldn't connect to OpenSSH servers using this mode).

That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH.
I don't think OpenSSL even supports a CTR mode through its EVP API.

Any mistakes in implementing CTR mode in OpenSSH are therefore our own.

-d

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
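Both messages above turn on the same practical point: a home-grown CTR mode (which OpenSSH carries rather than taking one from OpenSSL's EVP layer) needs an independent reference to be checked against. The usual one is a published known-answer test rather than a second implementation. The following is an added example, not code from the thread, from OpenSSH or from OpenSSL: a from-scratch AES-128 block cipher with a CTR wrapper built on it, checked against the FIPS-197 Appendix C.1 block vector and the NIST SP 800-38A F.5.1 CTR-AES128 vector. It uses only the Python 3 standard library; the function names (`expand_key`, `encrypt_block`, `aes128_ctr`, `self_test`) are this example's own, and it assumes the SP 800-38A convention of incrementing the whole 128-bit counter block as a big-endian integer.

```python
"""AES-128 in CTR mode built on the raw block cipher, verified against the
FIPS-197 and NIST SP 800-38A known-answer tests.  Added example for this
thread; not OpenSSH or OpenSSL code."""


def _xtime(x):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((x << 1) ^ 0x1B) & 0xFF if x & 0x80 else x << 1


def _gen_sbox():
    """Derive the S-box (GF(2^8) inverse followed by the affine map) instead
    of typing 256 constants: walk p = 3^k and q = 3^-k together."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = _xtime(p) ^ p                 # p *= 3 (3 generates GF(2^8)*)
        q ^= q << 1                       # q /= 3, i.e. q *= 0xf6
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF   # sum of rotations + constant
        if p == 1:
            break
    sbox[0] = 0x63                        # 0 has no inverse; maps to the constant
    return sbox


SBOX = _gen_sbox()


def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt_block(round_keys, block):
    """One AES-128 block encryption.  State index i holds row i%4, column i//4."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd != 10:                                       # MixColumns
            mixed = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[j] ^ t ^ _xtime(a[j] ^ a[(j + 1) % 4])
                          for j in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]     # AddRoundKey
    return bytes(s)


def aes128_ctr(key, counter_block, data):
    """Encrypt or decrypt (the same operation) by XORing with E_K(counter).
    Assumption: the whole 128-bit block is the counter, incremented big-endian
    mod 2^128, which is the convention of the SP 800-38A example."""
    rk = expand_key(key)
    ctr = int.from_bytes(counter_block, "big")
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = encrypt_block(rk, ctr.to_bytes(16, "big"))
        ctr = (ctr + 1) % (1 << 128)
        out += bytes(d ^ k for d, k in zip(data[i:i + 16], keystream))  # zip trims a short tail
    return bytes(out)


# Published known-answer vectors (FIPS-197 C.1 and SP 800-38A F.5.1).
FIPS_KEY = bytes(range(16))
FIPS_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
NIST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
NIST_CTR = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
NIST_PT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a"
                        "ae2d8a571e03ac9c9eb76fac45af8e51"
                        "30c81c46a35ce411e5fbc1191a0a52ef"
                        "f69f2445df4f9b17ad2b417be66c3710")
NIST_CT = bytes.fromhex("874d6191b620e3261bef6864990db6ce"
                        "9806f66b7970fdff8617187bb9fffdff"
                        "5ae4df3edbd5d35e5b4f09020db03eab"
                        "1e031dda2fbe03d1792170a0f3009cee")


def self_test():
    """True if the block cipher, the CTR wrapper and CTR decryption all match
    the published vectors; a keying or counter bug fails this immediately."""
    ok = encrypt_block(expand_key(FIPS_KEY), FIPS_PT) == FIPS_CT
    ok &= aes128_ctr(NIST_KEY, NIST_CTR, NIST_PT) == NIST_CT
    ok &= aes128_ctr(NIST_KEY, NIST_CTR, NIST_CT) == NIST_PT   # decrypt = encrypt
    return ok


if __name__ == "__main__":
    print("known-answer tests pass:", self_test())
```

A known-answer test of this kind is the cheapest interoperability check available: it exercises the key schedule, the block function and the counter increment in one go, and it catches exactly the class of bug Peter describes (a mode keyed differently from the reference) without needing a second live implementation to talk to.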
