Re: Binary packet protocol rethink

nisse@lysator.liu.se (Niels Möller ) Thu, 26 November 2015 20:42 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC0911B2EA5 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 12:42:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.185
X-Spam-Level:
X-Spam-Status: No, score=-2.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1On8dQ6U1ecS for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 12:42:32 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8B8E1B2EA4 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 26 Nov 2015 12:42:32 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 084B014A290; Thu, 26 Nov 2015 20:42:30 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id B361114A28C for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 20:42:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id W1jSu9vj1dSf for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 20:42:22 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [130.236.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 992CE14A267 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 20:42:21 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 4ACD54002E; Thu, 26 Nov 2015 21:42:19 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 02AAB4001D; Thu, 26 Nov 2015 21:42:17 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Thu, 26 Nov 2015 21:42:17 +0100
From: nisse@lysator.liu.se
To: Simon Tatham <anakin@pobox.com>
Cc: Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
Subject: Re: Binary packet protocol rethink
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org>
Date: Thu, 26 Nov 2015 21:42:17 +0100
In-Reply-To: <1448554180-sup-7145@atreus.tartarus.org> (Simon Tatham's message of "Thu, 26 Nov 2015 16:41:26 +0000")
Message-ID: <nntwo8sdau.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Simon Tatham <anakin@pobox.com> writes:

> Is there any possible way - and would people be interested in pursuing
> it if there were - to invent a replacement binary packet protocol for
> SSH which decouples the unit of encryption and the unit of protocol
> semantics into completely separate layers?

I think it's interesting to explore, but I'm not sure it's possible to
get it much better than the ssh protocol with careful use of IGNORE
packets.

The problem is the interactivity. Let's consider the simplest example
(but I'm not saying this example captures all essentials of the
problem). Say I let my shell connection idle for some time, then I type
a couple of characters, and I want a timely response before I type the
next command. Then my typing has to correspond to a TCP segment that can
be decrypted and authenticated and passed on to the remote shell. With
the current ssh protocol, that TCP segment will carry a single
CHANNEL_DATA packet, possibly in combination with fragments of IGNORE
messages and possibly other piggybacking messages, e.g., WINDOW_ADJUST.

To hide the user's typing from traffic analysis is a tradeoff, with
varying amounts of cover traffic (preferably including responses;
there's maybe some use for an IGNORE_CONTENTS_BUT_PLEASE_REPLY message
type). It's highly desirable to hide details of the user's typing; some
reasonable counter measures are to collect keystrokes for a few 100 ms
before generating any packet, and use padding to hide the number of
keystrokes included in each packet.

> And even if you encrypt the length field in a way
> that avoids that mistake, you still don't reliably hide your _padded_
> packet lengths anyway, in the face of an active attacker who can proxy
> the TCP stream, dribble it out a byte at a time, and wait to see which
> byte triggers a response. I suspect some defensive uses of
> SSH_MSG_IGNORE may still have this issue.

This is a good point which is easy to overlook. The lesson here is that
it is better to add the padding data at the start of the TCP segment
rather than at the end; the boundary between initial padding and the
start of the message is *not* revealed by the dribbel attack. And we
should also keep in mind that there are relevant attackers which are
only passive eavesdroppers, so a defense which is effective only against
passive adverseries but fails with an active adversary still has value.

For design of a cryptographic transport protocol, interactivity implies
that there has to be some kind of flush/sync mechanism. The input can't
be just a cleartext byte stream, it has to be a byte stream with
syncronization points. A syncronization point means that data up to that
point must be delivered without waiting for further input. So the
cryptographic transport protocol must encrypt it, send it out on the
wire in a timely manner, and attach an authentication tag and any other
signalling needed for the receiver to decrypt, authenticate, and process
the data. Which breaks a pure separation between layers.

And those synchronization points are going to be revealed by the dribble
attack.

One possible design would be to make the block of the crypto layer a
fixed size, say around 200 bytes, and then to get a synchronization
point, just insert an ignore message of at least 200 bytes (possibly
with randomized larger size). Probably not a good idea for a general
purpose crypto protocol, though.

> I've always thought a good way to solve this _in principle_ would be to
> replace our current all-in-one message/packet structure with two
> independent layers.

It's long time since I looked into the details of TLS, but doesn't it
have more of this kind of separation? How does it handle the
syncronization issue?

> Is this an idea that appeals to anyone else?

I definitely see the appeal, but I'm a bit skeptic that it can work out.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.