Re: Binary packet protocol rethink
Bryan Ford <brynosaurus@gmail.com> Mon, 30 November 2015 21:45 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A16681B344E for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 30 Nov 2015 13:45:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.709
X-Spam-Level:
X-Spam-Status: No, score=-1.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1veozGAvrA1k for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 30 Nov 2015 13:45:18 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF2B71AD1A6 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 30 Nov 2015 13:45:18 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 1B83014A384; Mon, 30 Nov 2015 21:45:15 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 9B4C514A379; Mon, 30 Nov 2015 21:45:14 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id F03CD14A33C for <ietf-ssh@netbsd.org>; Mon, 30 Nov 2015 15:40:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Authentication-Results: mail.NetBSD.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id AoAmGVV1BAZF for <ietf-ssh@netbsd.org>; Mon, 30 Nov 2015 15:40:04 +0000 (UTC)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 8C45714A337 for <ietf-ssh@netbsd.org>; Mon, 30 Nov 2015 15:40:03 +0000 (UTC)
Received: by wmww144 with SMTP id w144so134889067wmw.1 for <ietf-ssh@netbsd.org>; Mon, 30 Nov 2015 07:40:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=WAsbUV+fuw+BE/qvOvmhRDEqIM+OL4J1uVV4WWkueRY=; b=QaZsMga56GhkRKdHexv/EYo+J35hykbj430jf1JBoef8alqF5qPYP1vxL67OUoOXaU 7snUhPPE9bscQeqPFv6ff9t/9h1Tw7A9l6qQ4qBGf/CgHKZj6IbZ4pmd+DMbCP6CHiSZ UtBOGpSF1DWwqJgjjTHqkOJmXVDmlaztl1PHl4WbcuEJHNASWTjhuLkVYIQRGz4BbtZ0 nvNaA2EEd9cLe+tKtXpf/YvkQxr2UkEQzymiOPXZExNpnisXYaerMhZvoI8THG24IMCG QKXUFlyH+iBmyKJvSwmdLYqeWWJyf1bYNK8CgvAu8My5GOH4rYdXeNLIHEOiO7dXrAhp zNOg==
X-Received: by 10.194.76.65 with SMTP id i1mr32070882wjw.99.1448898001992; Mon, 30 Nov 2015 07:40:01 -0800 (PST)
Received: from icsil1noteb193.epfl.ch (icsil1noteb193.epfl.ch. [128.178.151.41]) by smtp.gmail.com with ESMTPSA id q9sm34422235wjo.9.2015.11.30.07.40.00 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 30 Nov 2015 07:40:01 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_9B43D559-FE4C-47EE-965C-DFFCBC6D26EC"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
Subject: Re: Binary packet protocol rethink
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <55D41D88-55E6-4FC7-890B-62B5E075B3B7@gmail.com>
Date: Mon, 30 Nov 2015 16:40:00 +0100
Cc: Simon Tatham <anakin@pobox.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Damien Miller <djm@mindrot.org>, Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Message-Id: <F1BE28A1-BA80-4893-953F-BD85E421B9CE@gmail.com>
References: <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org> <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz> <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org> <9A043F3CF02CD34C8E74AC1594475C73F4B92EF0@uxcn10-5.UoA.auckland.ac.nz> <nn37vnsyoi.fsf@armitage.lysator.liu.se> <9A043F3CF02CD34C8E74AC1594475C73F4B9321A@uxcn10-5.UoA.auckland.ac.nz> <1448874084-sup-4376@atreus.tartarus.org> <nnpoyrra9p.fsf@armitage.lysator.liu.se> <55D41D88-55E6-4FC7-890B-62B5E075B3B7@gmail.com>
To: Niels Möller <nisse@lysator.liu.se>
X-Mailer: Apple Mail (2.3096.5)
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
In followup to my own message… On 30 Nov 2015, at 14:58, Bryan Ford <brynosaurus@gmail.com> wrote: > On 30 Nov 2015, at 12:34, Niels Möller <nisse@lysator.liu.se> wrote: >> Simon Tatham <anakin@pobox.com> writes: >> >>> an attacker either guesses the true length by correlating to the >>> TCP headers, or probes it by means of the byte-at-a-time dribbling >>> attack, or actively corrupts the cipher block containing the length and >>> waits to see when the resulting MAC failure is reported, >> >> Would you be happier if the length field were independently >> authenticated? I'm not sure how strong an authenticator we need, it >> seems a bit silly to use an authentication tag which is much larger than >> the message, but maybe it's really needed. > > It’s hard for me to see how separately authenticating the length field would be a benefit; […] Sorry, on further thought I *do* see now what might be gained in principle by authenticating the length field separately, and how that might be implemented securely. So the SSH record stream might for example alternate between fixed-size “length records” and variable-size “payload records”, each with its own AEAD MAC. To ensure no mix-and-match vulnerabilities this distinction must be encoded in the AEAD nonce: e.g., the least-significant bit might always be 0 for the length record and 1 for the corresponding payload record. The cost is the space overhead of two MACs per “useful” payload record rather than just one, but the benefit is the receiver obtains certainty that an attacker can never trick the receiver into trying to read a different-length (e.g., longer) block than the sender intended. That would indeed be nice, and I can see it potentially being worth the cost. Just to brainstorm a bit further, here’s a different variant that might mitigate the space cost somewhat. In every record, include a length field that indicates the length of the *next* record. Then when the sender has a batch of records to transmit, it can just send them consecutively with one MAC per record. But when the sender is about to go idle, i.e., is transmitting the last record in a batch for which the sender doesn’t “already” have a subsequent record immediately ready to go, the sender sets the next-record-length field to some standard minimum size. The sender can then go idle; the receiver will wait for that minimum-size next record. When the sender has something to send again, it sends the promised minimum-length record, which might contain no useful data but merely get the pipeline going again, with a next-record-length field appropriate for whatever the sender actually wants to send next. So this way the protocol actually pays the bandwidth cost of extra MACs only when the stream goes idle, not on every record. This design direction does seem attractive in some ways. Bryan
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller