Re: Binary packet protocol rethink

nisse@lysator.liu.se (Niels Möller) Mon, 30 November 2015 11:34 UTC

From: nisse@lysator.liu.se
To: Simon Tatham <anakin@pobox.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Damien Miller <djm@mindrot.org>, "\"Simon Josefsson\"" <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: Re: Binary packet protocol rethink
Date: Mon, 30 Nov 2015 12:34:26 +0100
In-Reply-To: <1448874084-sup-4376@atreus.tartarus.org> (Simon Tatham's message of "Mon, 30 Nov 2015 09:11:13 +0000")

Simon Tatham <anakin@pobox.com> writes:

> an attacker either guesses the true length by correlating to the
> TCP headers, or probes it by means of the byte-at-a-time dribbling
> attack, or actively corrupts the cipher block containing the length and
> waits to see when the resulting MAC failure is reported, 

Would you be happier if the length field were independently
authenticated? I'm not sure how strong an authenticator we need; it
seems a bit silly to use an authentication tag which is much larger than
the message, but maybe it's really needed.

> by making sure that the encrypted block boundaries do not also
> reveal the length or position of any actually important data, such as a
> particular SSH_MSG_anything.

Can we do that with the current protocol? If so, guidance is
appreciated. What I object to is removing a feature (encrypted message
lengths) which enables known countermeasures to traffic analysis, and
replacing it with nothing.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
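
The following sketch is an added illustration, not part of the original message or of any SSH implementation: one possible way a packet length field could carry its own short authenticator, so that a corrupted length is rejected before the receiver waits for that many bytes. The tag size (HMAC-SHA-256 truncated to 8 bytes), the HMAC-derived mask standing in for the length cipher, the keys, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # assumed truncation; the message leaves the required strength open


def _mask(k_enc: bytes, seq: int) -> bytes:
    # Per-packet 4-byte keystream; a stand-in for the real length encryption.
    return hmac.new(k_enc, b"len" + struct.pack(">Q", seq), hashlib.sha256).digest()[:4]


def _tag(k_mac: bytes, seq: int, enc_len: bytes) -> bytes:
    # Tag binds the encrypted length to the packet sequence number.
    msg = struct.pack(">Q", seq) + enc_len
    return hmac.new(k_mac, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal_length(k_enc: bytes, k_mac: bytes, seq: int, length: int) -> bytes:
    """Sender: return the encrypted 4-byte length followed by its own tag."""
    plain = struct.pack(">I", length)
    enc_len = bytes(a ^ b for a, b in zip(plain, _mask(k_enc, seq)))
    return enc_len + _tag(k_mac, seq, enc_len)


def open_length(k_enc: bytes, k_mac: bytes, seq: int, header: bytes) -> int:
    """Receiver: verify the tag first, and only then decrypt and trust the length."""
    if len(header) != 4 + TAG_LEN:
        raise ValueError("short header")
    enc_len, tag = header[:4], header[4:]
    if not hmac.compare_digest(tag, _tag(k_mac, seq, enc_len)):
        # Rejected immediately: the failure no longer depends on how many
        # bytes the (possibly attacker-modified) length asked us to wait for.
        raise ValueError("length authentication failed")
    plain = bytes(a ^ b for a, b in zip(enc_len, _mask(k_enc, seq)))
    return struct.unpack(">I", plain)[0]


if __name__ == "__main__":
    k_enc, k_mac = b"\x01" * 32, b"\x02" * 32  # constructed sample keys
    hdr = seal_length(k_enc, k_mac, seq=7, length=48)
    print(len(hdr), open_length(k_enc, k_mac, 7, hdr))
    flipped = bytes([hdr[0] ^ 0x80]) + hdr[1:]  # one bit flipped in the length
    try:
        open_length(k_enc, k_mac, 7, flipped)
    except ValueError as exc:
        print("rejected:", exc)
```

With these assumed sizes the header is 12 bytes for a 4-byte length, which is the overhead trade-off the message raises.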