RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
Damien Miller <djm@mindrot.org> Sun, 29 November 2015 11:33 UTC
Date: Sun, 29 Nov 2015 22:32:21 +1100
From: Damien Miller <djm@mindrot.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
cc: Simon Tatham <anakin@pobox.com>, Niels Möller <nisse@lysator.liu.se>, Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz>
Message-ID: <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org>
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se>, <1448554180-sup-7145@atreus.tartarus.org> <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz>
On Fri, 27 Nov 2015, Peter Gutmann wrote:

> I've asked for this in the past too. SSL/TLS have used unencrypted lengths
> for twenty years without there being any (known) attack or weakness based on
> this. OTOH SSH has used encrypted lengths for nearly the same period, and
> there have been several attacks/weaknesses based on that. Security-wise, it
> has the opposite effect of the one intended, it makes the protocol weaker, not
> stronger.

There have been quite a few fingerprinting attacks against websites using
object sizes, e.g. Vincent Berg's work.

> My real issue with it though is that, as you've pointed out, it makes it
> impossible to create an efficient streaming implementation. With TLS you read
> the length at the start, stream the rest into the target memory location, and
> decrypt in place. With SSH you have to read a single block, decrypt it, make
> sure you're not providing an oracle for the attacker, copy what's left around,
> read more encrypted data onto the end, decrypt the remainder, ugh.
>
> I would really like to see a protocol that:
>
> 1) Doesn't encrypt the length so you can create an efficient streaming
> implementation.
>
> 2) Uses encrypt-then-MAC for security rather than MAC-then-encrypt.

OpenSSH has had this for some time in our *-etm MAC modes.

https://anongit.mindrot.org/openssh.git/tree/PROTOCOL?id=b1d6b397#n54

-d
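The framing Damien points to, as an added illustration that is not OpenSSH's code: the packet length travels in the clear, the tag covers sequence number, cleartext length and ciphertext, and the receiver verifies the tag before it decrypts anything. The keystream below is a constructed HMAC counter mode standing in for a real cipher, and the 256 KiB length cap is an assumed sanity limit.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 32             # HMAC-SHA256 tag length
BLOCK = 8                # padding granularity; SSH uses max(8, cipher block size)
MAX_PACKET = 256 * 1024  # assumed sanity cap applied to the cleartext length

def keystream(key: bytes, seq: int, n: int) -> bytes:
    # Constructed counter-mode keystream via HMAC-SHA256; stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">II", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal_etm(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    # Body is padding_length || payload || random padding (RFC 4253 layout),
    # padded to a BLOCK multiple with at least 4 bytes of padding.
    padlen = BLOCK - ((1 + len(payload)) % BLOCK)
    if padlen < 4:
        padlen += BLOCK
    body = bytes([padlen]) + payload + os.urandom(padlen)
    ct = bytes(a ^ b for a, b in zip(body, keystream(enc_key, seq, len(body))))
    length = struct.pack(">I", len(ct))          # sent in the clear
    # ETM: the tag covers seq || cleartext length || ciphertext
    tag = hmac.new(mac_key, struct.pack(">I", seq) + length + ct, hashlib.sha256).digest()
    return length + ct + tag

def open_etm(enc_key: bytes, mac_key: bytes, seq: int, buf: bytes):
    # Receiver: read the clear length, take exactly that much plus the tag, verify,
    # then decrypt. Returns (payload, consumed), None if more input is needed.
    if len(buf) < 4:
        return None
    length = struct.unpack(">I", buf[:4])[0]
    if length < BLOCK or length % BLOCK or length > MAX_PACKET:
        raise ValueError("implausible packet length")
    need = 4 + length + MAC_LEN
    if len(buf) < need:
        return None
    ct, tag = buf[4:4 + length], buf[4 + length:need]
    expect = hmac.new(mac_key, struct.pack(">I", seq) + buf[:4] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad MAC")              # rejected before any decryption
    body = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, seq, length)))
    padlen = body[0]
    return body[1:length - padlen], need
```

Because the length is authenticated but not encrypted, the receiver can size its read from the first four bytes and never decrypts a block that has not already passed the MAC check.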