Technical Summary
Researchers have discovered that the authenticated encryption portion of
the current SSH Transport Protocol is vulnerable to several attacks.
This document describes new counter-mode based symmetric encryption
methods for the SSH Transport Protocol and gives specific
recommendations on how frequently SSH implementations should rekey.
Working Group Summary
This document was non-controversial and well-received by the WG.
Protocol Quality
The spec is relatively simple, and the working group is aware of
multiple implementations, has received informal reports of successful
interoperability, and has not received reports of any implementation
difficulties.
Sam hartman reviewed the specification for the IESG.
Note to RFC Editor
Section 4: Add note about future directions
old: The "aes128-ctr" method uses AES (the Advanced Encryption Standard,
formerly Rijndael) with 128-bit keys [AES]. The block size is 16
bytes.
new:
The "aes128-ctr" method uses AES (the Advanced Encryption Standard,
formerly Rijndael) with 128-bit keys [AES]. The block size is 16
bytes.
At this time it appears likely that a future
specification will promote aes128-ctr to be REQUIRED;
implementation of this algorithm is very strongly encouraged.