Re: Binary packet protocol rethink

nisse@lysator.liu.se (Niels Möller ) Wed, 02 December 2015 07:24 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5A61B33F2 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 1 Dec 2015 23:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4B5Oii7GT25K for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 1 Dec 2015 23:24:29 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDC081B33F3 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Tue, 1 Dec 2015 23:24:29 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 46A1185E8A; Wed, 2 Dec 2015 07:24:28 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: by mail.netbsd.org (Postfix, from userid 1347) id E9E4B85E56; Wed, 2 Dec 2015 07:24:27 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 2B40B85E71 for <ietf-ssh@netbsd.org>; Tue, 1 Dec 2015 12:31:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id SrxEvFZl_JW4 for <ietf-ssh@netbsd.org>; Tue, 1 Dec 2015 12:31:10 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 0D6AE85E68 for <ietf-ssh@netbsd.org>; Tue, 1 Dec 2015 12:31:09 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id F3CC840018; Tue, 1 Dec 2015 13:31:07 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 0306F40014; Tue, 1 Dec 2015 13:31:06 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Tue, 01 Dec 2015 13:31:06 +0100
From: nisse@lysator.liu.se
To: Bryan Ford <brynosaurus@gmail.com>
Cc: Simon Tatham <anakin@pobox.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Damien Miller <djm@mindrot.org>, Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: Re: Binary packet protocol rethink
References: <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org> <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz> <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org> <9A043F3CF02CD34C8E74AC1594475C73F4B92EF0@uxcn10-5.UoA.auckland.ac.nz> <nn37vnsyoi.fsf@armitage.lysator.liu.se> <9A043F3CF02CD34C8E74AC1594475C73F4B9321A@uxcn10-5.UoA.auckland.ac.nz> <1448874084-sup-4376@atreus.tartarus.org> <nnpoyrra9p.fsf@armitage.lysator.liu.se> <55D41D88-55E6-4FC7-890B-62B5E075B3B7@gmail.com>
Date: Tue, 01 Dec 2015 13:31:05 +0100
In-Reply-To: <55D41D88-55E6-4FC7-890B-62B5E075B3B7@gmail.com> (Bryan Ford's message of "Mon, 30 Nov 2015 14:58:22 +0100")
Message-ID: <nntwo2pcza.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Bryan Ford <brynosaurus@gmail.com> writes:

> It’s hard for me to see how separately authenticating the length field
> would be a benefit; in fact I would worry about whether it could
> introduce a weakness, e.g., where an attacker could somehow contrive
> “mix-and-match” attacks

I'm also not sure there's a real benefit. If we do it, the length and
payload data must be securely linked together. E.g., using a single
incrementing sequence of nonces. And it *may* be worthwhile to do
something with a short and therefore relatively weak authentication tag.

> Thus, changing the header encoding while leaving the authentication
> and body-encryption unchanged from standard AEAD practice cannot make
> security any worse than just transmitting the header (AD part) in
> cleartext, and can (sometimes) be a security benefit.

This is a clear argument. For this to hold, it's crucial that the length
encryption and the payload encryption are independent. In SSH, there's
been subtle problem when encrypting length and payload together using
CBC (I don't quite grasp the fine details, but there have been
references posted to the list recently).

> SSH, which did something like this, ran into trouble with attackers
> being able to twiddle the record length field to make the record length
> look big, causing the receiver to try to receive a very large record,
> and hence appear to the user to hang,

I don't think we have had this particular problem; any reasonable ssh
implementation ought to disconnect with a protocol error if the length
is unexpectedly large. Lengths are maximum 32K (unless both ends have
negotiated something different, which I think is rare).

There have been problems, but of a more subtle kind. Like observing when
and how the other end disconnect to get partial information about the
decryption, and in addition, infer information about the preceding
cleartext block thanks to the CBC relation.

> The conceptually simplest approach I can think of: In the specification
> of how AEAD nonces are generated (section 5.2.2 of
> draft-ietf-tls-tls13-07), reserve the least-significant bit of the
> record sequence number, so that sequence numbers increment by 2 rather
> than 1 each record.  Thus, we get two unique nonces per record from the
> same set of symmetric keys.  We first use the nonce with a '0'
> least-significant bit to perform the regular AEAD-encryption of the
> record with the header info as additional_data.

I think I'd use them in the opposite order (to get the sequence numbers
in processing order; one has to process the lengths first, in particular
on the decryption side), but that's a very minor detail.

I like the alternating nonces idea.

> Then for the same record we use the nonce with a '1' least-significant
> to AEAD-encrypt a sequence of five zero bytes ("\0\0\0\0\0"), and use
> the first five bytes of result as the cipherstream to XOR the 5-byte TLS
> header with before transmitting.

I think AEAD constructions of practical importance generate a key stream
and xor it to the plaintext. In which case your proposal (as I'm sure
you intended) boils down to generating a key stream with a different
nonce than for the payload.

Not sure if doing a "general" construction on top of an arbitrary AEAD
is useful; the alternative would be to leave the details to the
specification of any particular aead suite.

We're kind of ending up with "authenticated encryption with auxillary
authenticated data and auxillary encrypted data". That's going to be a
really awful acronym.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.