Re: [hybi] A bit of pragmatism

[Eric Rescorla <ekr@rtfm.com>]

On Sun, Jan 9, 2011 at 2:02 PM, Bruce Atherton <bruce@callenish.com> wrote:
> Thanks for the correction, but I still don't understand.
>
> If you are suggesting your mask for the wss: scheme in order to provide for
> a stream of apparent random bits on the wire, then that makes perfect sense.
> But for the purposely less-secure unencrypted ws: scheme I don't understand
> why it would be necessary.

It's not a matter of random versus non-random. RC4 and AES-CTR without random IV
(which is not a requirement of the standard) provide the attacker with
complete control over
the payload bits on the wire, beause he can predict the keystream.

-Ekr


> On 08/01/2011 4:00 PM, Eric Rescorla wrote:
>>
>> On Sat, Jan 8, 2011 at 2:04 PM, Bruce Atherton<bruce@callenish.com>
>>  wrote:
>>>
>>> On 07/01/2011 1:19 PM, Eric Rescorla wrote:
>>>>
>>>> My objective is to make the bits that appear on the wire
>>>> indistinguishable
>>>> from random
>>>> from the attacker's perspective. I think it's clear that this is the
>>>> strongest form of masking
>>>> available, and the method I proposed does that.
>>>
>>> It is true that your goal is clear, but I don't understand why you think
>>> this goal is necessary.
>>>
>>> The specification already allows for two forms of Websocket, a simple one
>>> denoted by the scheme "ws:" and a secure one denoted with "wss:". The
>>> latter
>>> one will have the random byte stream characteristics you are interested
>>> in.
>>> If you are uncomfortable with any other kind of stream, make sure your
>>> client only supports secure Websockets.
>>
>> Regrettably, this is not the case except for certain specific ciphers
>> (in particular
>> block cipher in CBC mode.) It's not at all the case for RC4 and only
>> the case for
>> some CTR mode implementations.
>>
>> Best,
>> -Ekr
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>