Michael Stone <mstone@debian.org> writes:
No, anyone can generate encrypted parts. IMHO, there's not much chance
that the decryption routines in your magic udp parser are going to be
less vulnerable than those in openssh itself. Having "two layers of
Having "two layers of encryption" in this context is fairly pointless.
Those two layers are totaly standard. You have to use two keypairs in
parallel to ensure that only one person can read the text and only one
person can have send it.
Why not use three layers, or four? What analysis demonstrates a
demonstrable return for that second layer, weighed against the cost of
this kooky mechanism? If you really need multiple encryption layers,
do it right and use an existing standard like ipsec rather than
inventing a convoluted "secret method".
The analysis is simple:
Encrypting with the server public key ensures that only the server
private key can decrypt the data.
Encrypting with the client private key ensures that only the client
can have send the package. Decryptng with the clients public key
ensures that.