Re: Packet length: header vs. context

Jon Callas <jon@callas.org> Mon, 08 January 2007 00:47 UTC

In-Reply-To: <45A1801E.5070804@ece.cmu.edu>
References: <459ECBC5.3010101@ece.cmu.edu> <459FADA8.20204@systemics.com> <45A1801E.5070804@ece.cmu.edu>
Message-Id: <2020013B-5FAD-4FCE-8834-445A4956023F@callas.org>
From: Jon Callas <jon@callas.org>
Subject: Re: Packet length: header vs. context
Date: Sun, 07 Jan 2007 16:07:39 -0800
To: OpenPGP <ietf-openpgp@imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 7, 2007, at 3:19 PM, Levi Broderick wrote:

>
> The reason for my original question was that I was unsure if such a
> packet could be used to undermine the security of any protocols in the
> system.  Now that I think about it, though, I don't see how it could be
> done.  It's unlike other attacks that use the software as an oracle
> since public key information is - well - public. :)

In the pre-OpenPGP protocols, there were "comment" packets. We
removed them because people worried about them being a "covert"
channel. I put "covert" in quotes because the specific case Jeff
Schiller (then Security AD) gave was of an implementation that
lowered the security to 40 bits by putting N-40 in a comment. This is
also why the marker packet is defined the way it is.

I remember talking to Jeff and saying that someone could stick anything
in packet slack space. He said, "That's different. We shouldn't give
a *defined* place for a covert channel." He was right.

A sufficiently devious person can put covert channels nearly
anywhere. (This is why steganography isn't an interesting discipline.
It's very easy to think of mats to leave keys under.) You could, for
example, leak key bits or even code a secondary message in OpenPGP
with partials. Imagine that each partial is a bit, denoted by
log2(size) & 1. Whee.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.5.2
Charset: US-ASCII

wj8DBQFFoYtMsTedWZOD3gYRAjCiAJ42W7RYoN+KZ63mZUxypbiHcLrzvwCfXZgh
CMmAF1nfvL1k9zUQKkUIiJ8=
=G8Mw
-----END PGP SIGNATURE-----
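
Added example, not part of the original message: a defender-side audit for the partial-length channel described above. It walks the partial body length headers of one new-format packet (RFC 4880, section 4.2.2.4) and reports each chunk's log2(size). The function names, the "varying" heuristic and the sample packets are assumptions constructed for illustration.

```python
# Audit partial body lengths in one new-format OpenPGP packet
# (RFC 4880, section 4.2.2.4). Sample packets below are constructed.

def partial_exponents(packet: bytes) -> list[int]:
    """Return log2(size) for every partial chunk, in order."""
    if len(packet) < 2 or packet[0] & 0xC0 != 0xC0:
        raise ValueError("not a new-format OpenPGP packet")
    pos, exps = 1, []
    while pos < len(packet):
        o = packet[pos]
        if 224 <= o <= 254:                  # partial: size = 1 << (o & 0x1F)
            exps.append(o & 0x1F)
            pos += 1 + (1 << (o & 0x1F))
            continue
        # A definite length header (1, 2 or 5 octets) closes the packet.
        hdr = 1 if o < 192 else 2 if o < 224 else 5
        if pos + hdr > len(packet):
            break
        if hdr == 1:
            size = o
        elif hdr == 2:
            size = ((o - 192) << 8) + packet[pos + 1] + 192
        else:
            size = int.from_bytes(packet[pos + 1:pos + 5], "big")
        if pos + hdr + size > len(packet):
            break
        return exps
    raise ValueError("truncated packet")

def audit(packet: bytes) -> dict:
    """Flag properties worth a second look. 'varying' is a heuristic
    (assumption: the writer under test normally uses one fixed chunk size)."""
    exps = partial_exponents(packet)
    return {
        "exponents": exps,
        # RFC 4880: the first partial length MUST be at least 512 octets.
        "first_below_512": bool(exps) and exps[0] < 9,
        "varying": len(set(exps)) > 1,
    }

def build_sample(exps, tail=b"end"):
    """Constructed test input: tag 11 (literal data), zero-filled chunks."""
    body = b"".join(bytes([224 + e]) + bytes(1 << e) for e in exps)
    return b"\xCB" + body + bytes([len(tail)]) + tail

if __name__ == "__main__":
    print(audit(build_sample([9, 9, 9])))       # fixed chunk size
    print(audit(build_sample([9, 10, 9, 10])))  # alternating chunk sizes
```

A flagged packet is only a prompt to compare against the chunking behaviour of the implementation that is supposed to have produced it; some writers vary chunk sizes for ordinary buffering reasons.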