Re: Binary packet protocol rethink
nisse@lysator.liu.se (Niels Möller ) Wed, 02 December 2015 07:24 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5A61B33F2 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 1 Dec 2015 23:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4B5Oii7GT25K for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 1 Dec 2015 23:24:29 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDC081B33F3 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Tue, 1 Dec 2015 23:24:29 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 46A1185E8A; Wed, 2 Dec 2015 07:24:28 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id E9E4B85E56; Wed, 2 Dec 2015 07:24:27 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2B40B85E71 for <ietf-ssh@netbsd.org>; Tue, 1 Dec 2015 12:31:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id SrxEvFZl_JW4 for <ietf-ssh@netbsd.org>; Tue, 1 Dec 2015 12:31:10 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 0D6AE85E68 for <ietf-ssh@netbsd.org>; Tue, 1 Dec 2015 12:31:09 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id F3CC840018; Tue, 1 Dec 2015 13:31:07 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 0306F40014; Tue, 1 Dec 2015 13:31:06 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Tue, 01 Dec 2015 13:31:06 +0100
From: nisse@lysator.liu.se
To: Bryan Ford <brynosaurus@gmail.com>
Cc: Simon Tatham <anakin@pobox.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Damien Miller <djm@mindrot.org>, Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: Re: Binary packet protocol rethink
References: <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org> <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz> <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org> <9A043F3CF02CD34C8E74AC1594475C73F4B92EF0@uxcn10-5.UoA.auckland.ac.nz> <nn37vnsyoi.fsf@armitage.lysator.liu.se> <9A043F3CF02CD34C8E74AC1594475C73F4B9321A@uxcn10-5.UoA.auckland.ac.nz> <1448874084-sup-4376@atreus.tartarus.org> <nnpoyrra9p.fsf@armitage.lysator.liu.se> <55D41D88-55E6-4FC7-890B-62B5E075B3B7@gmail.com>
Date: Tue, 01 Dec 2015 13:31:05 +0100
In-Reply-To: <55D41D88-55E6-4FC7-890B-62B5E075B3B7@gmail.com> (Bryan Ford's message of "Mon, 30 Nov 2015 14:58:22 +0100")
Message-ID: <nntwo2pcza.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Bryan Ford <brynosaurus@gmail.com> writes: > It’s hard for me to see how separately authenticating the length field > would be a benefit; in fact I would worry about whether it could > introduce a weakness, e.g., where an attacker could somehow contrive > “mix-and-match” attacks I'm also not sure there's a real benefit. If we do it, the length and payload data must be securely linked together. E.g., using a single incrementing sequence of nonces. And it *may* be worthwhile to do something with a short and therefore relatively weak authentication tag. > Thus, changing the header encoding while leaving the authentication > and body-encryption unchanged from standard AEAD practice cannot make > security any worse than just transmitting the header (AD part) in > cleartext, and can (sometimes) be a security benefit. This is a clear argument. For this to hold, it's crucial that the length encryption and the payload encryption are independent. In SSH, there's been subtle problem when encrypting length and payload together using CBC (I don't quite grasp the fine details, but there have been references posted to the list recently). > SSH, which did something like this, ran into trouble with attackers > being able to twiddle the record length field to make the record length > look big, causing the receiver to try to receive a very large record, > and hence appear to the user to hang, I don't think we have had this particular problem; any reasonable ssh implementation ought to disconnect with a protocol error if the length is unexpectedly large. Lengths are maximum 32K (unless both ends have negotiated something different, which I think is rare). There have been problems, but of a more subtle kind. Like observing when and how the other end disconnect to get partial information about the decryption, and in addition, infer information about the preceding cleartext block thanks to the CBC relation. > The conceptually simplest approach I can think of: In the specification > of how AEAD nonces are generated (section 5.2.2 of > draft-ietf-tls-tls13-07), reserve the least-significant bit of the > record sequence number, so that sequence numbers increment by 2 rather > than 1 each record. Thus, we get two unique nonces per record from the > same set of symmetric keys. We first use the nonce with a '0' > least-significant bit to perform the regular AEAD-encryption of the > record with the header info as additional_data. I think I'd use them in the opposite order (to get the sequence numbers in processing order; one has to process the lengths first, in particular on the decryption side), but that's a very minor detail. I like the alternating nonces idea. > Then for the same record we use the nonce with a '1' least-significant > to AEAD-encrypt a sequence of five zero bytes ("\0\0\0\0\0"), and use > the first five bytes of result as the cipherstream to XOR the 5-byte TLS > header with before transmitting. I think AEAD constructions of practical importance generate a key stream and xor it to the plaintext. In which case your proposal (as I'm sure you intended) boils down to generating a key stream with a different nonce than for the payload. Not sure if doing a "general" construction on top of an arbitrary AEAD is useful; the alternative would be to leave the details to the specification of any particular aead suite. We're kind of ending up with "authenticated encryption with auxillary authenticated data and auxillary encrypted data". That's going to be a really awful acronym. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller