RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 27 November 2015 10:48 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Simon Tatham <anakin@pobox.com>, Niels Möller <nisse@lysator.liu.se>
CC: Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
Thread-Topic: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
Thread-Index: AQHRKNNHBRhQyFSywkSozIEr4kOK8p6vsC46
Date: Fri, 27 Nov 2015 10:48:02 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz>
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se>, <1448554180-sup-7145@atreus.tartarus.org>
In-Reply-To: <1448554180-sup-7145@atreus.tartarus.org>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org

Simon Tatham <anakin@pobox.com> writes:

>Is there any possible way - and would people be interested in pursuing it if
>there were - to invent a replacement binary packet protocol for SSH which
>decouples the unit of encryption and the unit of protocol semantics into
>completely separate layers?

I've asked for this in the past too.  SSL/TLS have used unencrypted lengths
for twenty years without there being any (known) attack or weakness based on
this.  OTOH SSH has used encrypted lengths for nearly the same period, and
there have been several attacks/weaknesses based on that.  Security-wise, it
has the opposite effect of the one intended: it makes the protocol weaker, not
stronger.

My real issue with it though is that, as you've pointed out, it makes it
impossible to create an efficient streaming implementation.  With TLS you read
the length at the start, stream the rest into the target memory location, and
decrypt in place.  With SSH you have to read a single block, decrypt it, make
sure you're not providing an oracle for the attacker, copy what's left around,
read more encrypted data onto the end, decrypt the remainder, ugh.

I would really like to see a protocol that:

1) Doesn't encrypt the length so you can create an efficient streaming
   implementation.

2) Uses encrypt-then-MAC for security rather than MAC-then-encrypt.

This would solve several problems with the current format all at once.

Peter.
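The framing Peter asks for (length in the clear, encrypt-then-MAC), sketched as a streaming receiver that reads the length, pulls the rest of the record straight into a buffer, checks the MAC and only then decrypts. This is an added illustration, not code from the thread or from any SSH or TLS implementation; the fixed keys, the HMAC-counter keystream standing in for a real stream cipher, and the MAX_LEN bound are constructed assumptions.

```python
import hmac
import hashlib
import io
import struct

# Constructed demo keys; a real implementation derives these from the key exchange.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
TAG_LEN = 32
# Upper bound applied to the clear-text length BEFORE the body is read: the length
# is not authenticated until the MAC is checked, so it must never drive allocation unbounded.
MAX_LEN = 256 * 1024


def _keystream(key, seq, n):
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real stream cipher)."""
    blocks = [hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(seq, payload):
    """Sender side: clear 4-byte length | ciphertext | MAC over (seq, length, ciphertext)."""
    ct = _xor(payload, _keystream(ENC_KEY, seq, len(payload)))
    hdr = struct.pack(">I", len(ct))
    tag = hmac.new(MAC_KEY, struct.pack(">Q", seq) + hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


def read_record(seq, stream):
    """Receiver side: no decryption happens before the MAC verifies. Returns None at EOF."""
    hdr = stream.read(4)
    if len(hdr) < 4:
        return None
    n = struct.unpack(">I", hdr)[0]
    if n > MAX_LEN:
        raise ValueError("declared length exceeds maximum")
    body = stream.read(n + TAG_LEN)          # one read, straight into the target buffer
    if len(body) != n + TAG_LEN:
        raise ValueError("truncated record")
    ct, tag = body[:n], body[n:]
    expected = hmac.new(MAC_KEY, struct.pack(">Q", seq) + hdr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # covers seq, length and ciphertext
        raise ValueError("bad MAC")
    return _xor(ct, _keystream(ENC_KEY, seq, n))  # decrypt in place only after authentication


def recv_all(data):
    """Parse a byte string holding consecutive records, sequence numbers starting at 0."""
    stream, out, seq = io.BytesIO(data), [], 0
    while (payload := read_record(seq, stream)) is not None:
        out.append(payload)
        seq += 1
    return out
```

Because the sequence number is under the MAC, a record replayed or delivered out of order fails verification even though its length header reads fine.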