Re: Binary packet protocol rethink
nisse@lysator.liu.se (Niels Möller ) Thu, 26 November 2015 20:42 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC0911B2EA5 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 12:42:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.185
X-Spam-Level:
X-Spam-Status: No, score=-2.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1On8dQ6U1ecS for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 12:42:32 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8B8E1B2EA4 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 26 Nov 2015 12:42:32 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 084B014A290; Thu, 26 Nov 2015 20:42:30 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id B361114A28C for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 20:42:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id W1jSu9vj1dSf for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 20:42:22 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [130.236.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 992CE14A267 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 20:42:21 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 4ACD54002E; Thu, 26 Nov 2015 21:42:19 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 02AAB4001D; Thu, 26 Nov 2015 21:42:17 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Thu, 26 Nov 2015 21:42:17 +0100
From: nisse@lysator.liu.se
To: Simon Tatham <anakin@pobox.com>
Cc: Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
Subject: Re: Binary packet protocol rethink
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se> <1448554180-sup-7145@atreus.tartarus.org>
Date: Thu, 26 Nov 2015 21:42:17 +0100
In-Reply-To: <1448554180-sup-7145@atreus.tartarus.org> (Simon Tatham's message of "Thu, 26 Nov 2015 16:41:26 +0000")
Message-ID: <nntwo8sdau.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Simon Tatham <anakin@pobox.com> writes: > Is there any possible way - and would people be interested in pursuing > it if there were - to invent a replacement binary packet protocol for > SSH which decouples the unit of encryption and the unit of protocol > semantics into completely separate layers? I think it's interesting to explore, but I'm not sure it's possible to get it much better than the ssh protocol with careful use of IGNORE packets. The problem is the interactivity. Let's consider the simplest example (but I'm not saying this example captures all essentials of the problem). Say I let my shell connection idle for some time, then I type a couple of characters, and I want a timely response before I type the next command. Then my typing has to correspond to a TCP segment that can be decrypted and authenticated and passed on to the remote shell. With the current ssh protocol, that TCP segment will carry a single CHANNEL_DATA packet, possibly in combination with fragments of IGNORE messages and possibly other piggybacking messages, e.g., WINDOW_ADJUST. To hide the user's typing from traffic analysis is a tradeoff, with varying amounts of cover traffic (preferably including responses; there's maybe some use for an IGNORE_CONTENTS_BUT_PLEASE_REPLY message type). It's highly desirable to hide details of the user's typing; some reasonable counter measures are to collect keystrokes for a few 100 ms before generating any packet, and use padding to hide the number of keystrokes included in each packet. > And even if you encrypt the length field in a way > that avoids that mistake, you still don't reliably hide your _padded_ > packet lengths anyway, in the face of an active attacker who can proxy > the TCP stream, dribble it out a byte at a time, and wait to see which > byte triggers a response. I suspect some defensive uses of > SSH_MSG_IGNORE may still have this issue. This is a good point which is easy to overlook. The lesson here is that it is better to add the padding data at the start of the TCP segment rather than at the end; the boundary between initial padding and the start of the message is *not* revealed by the dribbel attack. And we should also keep in mind that there are relevant attackers which are only passive eavesdroppers, so a defense which is effective only against passive adverseries but fails with an active adversary still has value. For design of a cryptographic transport protocol, interactivity implies that there has to be some kind of flush/sync mechanism. The input can't be just a cleartext byte stream, it has to be a byte stream with syncronization points. A syncronization point means that data up to that point must be delivered without waiting for further input. So the cryptographic transport protocol must encrypt it, send it out on the wire in a timely manner, and attach an authentication tag and any other signalling needed for the receiver to decrypt, authenticate, and process the data. Which breaks a pure separation between layers. And those synchronization points are going to be revealed by the dribble attack. One possible design would be to make the block of the crypto layer a fixed size, say around 200 bytes, and then to get a synchronization point, just insert an ignore message of at least 200 bytes (possibly with randomized larger size). Probably not a good idea for a general purpose crypto protocol, though. > I've always thought a good way to solve this _in principle_ would be to > replace our current all-in-one message/packet structure with two > independent layers. It's long time since I looked into the details of TLS, but doesn't it have more of this kind of separation? How does it handle the syncronization issue? > Is this an idea that appeals to anyone else? I definitely see the appeal, but I'm a bit skeptic that it can work out. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller