Re: Binary packet protocol rethink
Bryan Ford <brynosaurus@gmail.com> Sat, 05 December 2015 19:08 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 022531B2CBE for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 11:08:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q9HkNfVovXY8 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 5 Dec 2015 11:08:29 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68FA61B2CB7 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 5 Dec 2015 11:08:29 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id B62EB85F0A; Sat, 5 Dec 2015 18:05:35 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id 5B50785F08; Sat, 5 Dec 2015 18:05:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id DD32385E73 for <ietf-ssh@netbsd.org>; Wed, 2 Dec 2015 09:31:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id m_4iLxDkrFcc for <ietf-ssh@netbsd.org>; Wed, 2 Dec 2015 09:31:02 +0000 (UTC)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id CF1A984C73 for <ietf-ssh@netbsd.org>; Wed, 2 Dec 2015 09:31:01 +0000 (UTC)
Received: by wmww144 with SMTP id w144so48394843wmw.0 for <ietf-ssh@netbsd.org>; Wed, 02 Dec 2015 01:31:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=5BVq8/hl7EQDyYbk7nN5RhWuElHuweze72hTqw1Z6pE=; b=llodHSLvpr894GJMwZ3S5m6QEK48pAnetmMaNTsMvfvFqATILtiKzVlenwMyoTxGOl w2SgqbUdhYw0wwSkLnXhREEPf52yKvd8S9hpORekVPRcFMfEU/l3TT41c6awCQqDRbKv A7x0EcPJ+ucp43ZVOJN7wH+YV3dWjak8+NPbbOD3P62Q3Qumoa22ur6cWqODb28zNvZw lNHQsUuAb2BO9qjS++P6jumAaqd8dqRkzlODvmLHzCXjBM0cI1TelmBVHTESk/Vj6kpE s8aui63EJNkRb4Y6f4X+dk7Fs/OEW1qH+wVQRWY6opUaNb8e+eKN1Z8NQyBMXA8AxdYj hK5g==
X-Received: by 10.194.110.35 with SMTP id hx3mr3720551wjb.0.1449048660192; Wed, 02 Dec 2015 01:31:00 -0800 (PST)
Received: from icsil1noteb193.epfl.ch (icsil1noteb193.epfl.ch. [128.178.151.41]) by smtp.gmail.com with ESMTPSA id h7sm2329002wmf.0.2015.12.02.01.30.58 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 02 Dec 2015 01:30:59 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_6B351A1E-F69B-4B22-9B33-368C0DE06CE6"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
Subject: Re: Binary packet protocol rethink
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B95D3F@uxcn10-5.UoA.auckland.ac.nz>
Date: Wed, 02 Dec 2015 10:30:58 +0100
Cc: Niels Möller <nisse@lysator.liu.se>, Damien Miller <djm@mindrot.org>, Simon Tatham <anakin@pobox.com>, Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Message-Id: <94C59487-9D91-436D-AAAB-D36881F65539@gmail.com>
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org> <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz> <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org> <9A043F3CF02CD34C8E74AC1594475C73F4B92EF0@uxcn10-5.UoA.auckland.ac.nz> <nn37vnsyoi.fsf@armitage.lysator.liu.se> <9A043F3CF02CD34C8E74AC1594475C73F4B9321A@uxcn10-5.UoA.auckland.ac.nz> <nntwo3raow.fsf@armitage.lysator.liu.se> <9A043F3CF02CD34C8E74AC1594475C73F4B95D3F@uxcn10-5.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.3096.5)
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
On 02 Dec 2015, at 02:09, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > Niels Möller <nisse@lysator.liu.se> writes: > >> The ssh transport machinery can encrypt these, then split them into fixed >> size blocks and send off with pre-determined intervals, and whatever else you >> think is a useful counter measure to traffic analysis. When an input message >> or message fragment is too short, insert ignore messages (preferable in >> *front* of the real data, for the byte-by-byte dribble attack). > > The important point there is that it *can*, not that it actually *does*. I've > heard that there was an OpenSSH patch some years ago that did something like > this, but in about 15 years of interop-testing my code I've never seen any > evidence that the other side is applying any traffic-analysis countermeasures. > A quick Google turns up this blog post from a few months ago: > > http://malwaremusings.com/2015/07/13/traffic-analysis-openssh-with-an-interactive-shell/ > > which indicates that OpenSSH doesn't implement traffic-analysis protection > (not trying to single out OpenSSH here, but that seems to have the most bells > and whistles added to it so if it was implemented I'd sort of expect to see it > there first), and that some random guy with a copy of Wireshark (not an > intelligence agency, if that's what the perceived threat is) doesn't have much > problem in doing traffic analysis on it. > > So there appears to be either zero or close to zero support out there for > anti-traffic-analysis. Even if, say, OpenSSH were to add support, that would > only affect two similar OpenSSH implementations talking to each other. As > soon as you get a single other SSH implementation involved (and there are a > lot of them out there), you lose the anti-traffic analysis. That’s only the case with your approach of leaving all headers (SSH or TLS) in cleartext. With cleartext headers, any SSH or TLS implementation that fails to do padding gets basically no traffic analysis protection at all, even if its communication partner does. It’s indeed partly an “ecosystem problem” as Eben Moglen would say, and in the long term we need to try to fix that, but it’s hard. With encrypted headers, however, *every* SSH or TLS conversation can get at least some (admittedly weak but still useful) protection against at least passive traffic analysis. As many have said already, not all attackers are active MITM attackers; we need to care about passive attackers as well. And as I pointed out on the TLS list, TCP segments can be desynchronized from SSH or TLS records for many reasons and in a variety of points in the network, either intentionally or unintentionally: e.g., in the SSH or TLS implementation, in the TCP stack (by merging adjacent or time-proximate writes), or in middleboxes that resegment TCP streams. Even if none of those network elements are *intentionally* trying to provide traffic analysis protection, even just the fact that they are sometimes unintentionally “messing up” the TCP segmentation boundaries makes things at least a bit harder and more noisy for passive attackers who only get to watch segments fly past and don’t get to mount dribble attacks and such. And a single administrator can deploy a middlebox at the edge of a corporate or campus network to provide even better (still weak but better) traffic analysis protection for all SSH/TLS traffic crossing that middlebox, by deliberately delaying TCP segments just slightly and re-segmenting them on uniform MTU-size boundaries. But only if SSH maintains encrypted headers, or if TLS adopts encrypted headers. >> I'm happy to discuss the tradeoffs here, but it seems that you keep repeating >> that the attacker gets as much useful info from observing tcp segment >> boundaries as from observing ssh message boundaries. > > At the moment it seems they do. Unless actual, real countermeasures to > traffic analysis are actively applied by as many SSH implementations as > possible, encrypting the headers does nothing more than inconvenience > implementers. > > So, let's turn this around: Show me evidence of assorted SSH implementations > performing anti-traffic-analysis measures, and then we can debate whether > encrypting the length hinders those countermeasures. Your point that “serious" anti-traffic-analysis measures such as uniform padding are (currently) rarely implemented, which I believe, only makes the case stronger that we need to do everything we can to make traffic streams coming from that vast majority of non-traffic-analysis-protected implementations even just a bit more protected “at the outset” from even a subset of traffic analysis attackers. Security is not a black-or-white, all-or-nothing thing where you might as well give up unless you can win the whole war in the first battle. B > > Peter.
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller