From owner-freebsd-security@freebsd.org Wed Nov 11 19:22:43 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 234B2A2B185 for ; Wed, 11 Nov 2015 19:22:43 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id D24E510A9 for ; Wed, 11 Nov 2015 19:22:42 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id tABJMNGe007892 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Nov 2015 11:22:23 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id tABJMMCK007891; Wed, 11 Nov 2015 11:22:22 -0800 (PST) (envelope-from jmg) Date: Wed, 11 Nov 2015 11:22:22 -0800 From: John-Mark Gurney To: Daniel Kalchev Cc: Jason Birch , Ben Woods , Bryan Drewery , Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , "freebsd-current@freebsd.org" , "freebsd-security@freebsd.org" Subject: Re: OpenSSH HPN Message-ID: <20151111192221.GS65715@funkthat.com> References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111075930.GR65715@funkthat.com> <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg> X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Wed, 11 Nov 2015 11:22:23 -0800 (PST) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2015 19:22:43 -0000 Daniel Kalchev wrote this message on Wed, Nov 11, 2015 at 17:49 +0200: > It is my understanding, that using the NONE cypher is not identical to using ???the old tools??? (rsh/rlogin/rcp). > > When ssh uses the NONE cypher, credentials and authorization are still encrypted and verified. Only the actual data payload is not encrypted. Except the point is that you ALREADY trust your network, so you don't need to encrypt the credentials and authorizations, otherwise, why are you running unencrypted payloads? In fact, if you aren't running at least a MAC, or a final verify, and you're transfering large amounts of data (multiple gigabytes), the data can and will likely be corrupted... See: http://noahdavids.org/self_published/CRC_and_checksum.html Having not used the NONE cipher, I don't know if the MAC is also removed or not... Either way, the MAC is still the long poll when it comes to encryption w/ AES-NI... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."