RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 30 November 2015 01:57 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Damien Miller <djm@mindrot.org>
CC: Simon Tatham <anakin@pobox.com>, Niels Möller <nisse@lysator.liu.se>, Simon Josefsson <simon@josefsson.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
Thread-Topic: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
Date: Mon, 30 Nov 2015 01:57:28 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B92EF0@uxcn10-5.UoA.auckland.ac.nz>
References: <87egfdxebo.fsf@latte.josefsson.org> <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se>, <1448554180-sup-7145@atreus.tartarus.org> <9A043F3CF02CD34C8E74AC1594475C73F4B857C7@uxcn10-5.UoA.auckland.ac.nz>, <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org>
In-Reply-To: <alpine.BSO.2.20.1511292228450.12629@natsu.mindrot.org>

Damien Miller <djm@mindrot.org> writes:

>There have been quite a few fingerprinting attacks against websites using
>object sizes, e.g. Vincent Berg's work.

Sure, I'm aware of just under three dozen, but encrypted vs. unencrypted
lengths don't play a major role, they're used because they're there, not
because they're critical to the success of the process.  You've got TCP
packet sizes (which generally make length-encryption irrelevant), packet
timing, message flows, everything that can be used will be used.  In
particular, "Timing Analysis of Keystrokes and Timing Attacks on SSH"
worked against SSH even though the lengths were encrypted.

More or less the same debate is currently occurring on the TLS list,
where I commented that:

  If you want to thwart traffic analysis, you need to do something
  like what's done by designs like Aqua ("Towards Efficient Traffic-
  analysis Resistant Anonymity Networks"), or ideas from any of the
  other anti-traffic-analysis work that's emerged in the past decade
  or two.

  You get traffic analysis resistance by, for example, breaking data into
  fixed-length packets, using cover traffic, and messing with packet
  timings, not by encrypting TLS headers.

Peter.
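The point of the message above, that an observer sees ciphertext sizes whether or not the length field is encrypted, and that only fixed-length framing plus cover traffic removes the size side channel, can be put in numbers. The following is an added example written for this archive page; it is not code from the message, from OpenSSH, or from any SSH implementation. It assumes a 16-byte cipher block, a 16-byte MAC/AEAD tag, a 512-byte cell size and a constructed list of sample object sizes, and it measures what a passive observer learns from per-message wire sizes alone (Shannon entropy of the size distribution) under SSH-style block padding, fixed-length cells, and constant-rate cover traffic.

```python
# Added example (not from Peter Gutmann's message or any SSH implementation):
# quantify how much a passive observer learns from ciphertext sizes alone under
# three framings, to show why encrypting the length field changes little while
# fixed-length cells plus cover traffic change a lot.
import math
from collections import Counter

BLOCK = 16      # assumed cipher block size for SSH-style padding
TAG = 16        # assumed MAC/AEAD tag length appended to each packet
CELL = 512      # assumed fixed cell size for the padded framing

# Constructed sample: plaintext sizes of distinct objects a site might serve.
SAMPLE_LENGTHS = [37, 38, 120, 1200, 1500, 3000, 7500, 9001]


def ssh_style_wire_size(plain_len, block=BLOCK, tag=TAG):
    """Bytes on the wire for one SSH binary-packet-protocol packet.

    packet_length (4) + padding_length (1) + payload + padding (>= 4 bytes),
    rounded up to a multiple of the block size, plus the tag.  Whether the
    length field itself is encrypted does not matter to an observer: the
    total ciphertext size is visible either way.
    """
    body = 4 + 1 + plain_len
    pad = block - (body % block)
    if pad < 4:
        pad += block
    return body + pad + tag


def fixed_cell_wire_size(plain_len, cell=CELL):
    """Bytes on the wire when data is cut into fixed-length cells (at least one)."""
    return max(1, math.ceil(plain_len / cell)) * cell


def constant_rate_trace(lengths, ticks, cell=CELL):
    """Observed cell sizes under constant-rate cover traffic.

    One cell is sent every tick whether or not real data is queued; dummy
    cells fill idle ticks.  The trace therefore does not depend on the input
    lengths at all, provided the schedule has enough capacity.
    """
    cells_needed = sum(fixed_cell_wire_size(n, cell) // cell for n in lengths)
    if cells_needed > ticks:
        raise ValueError("schedule too short for queued data: backlog would be observable")
    return [cell] * ticks


def observed_sizes(lengths, framing):
    """Per-message wire sizes an observer would record under a framing function."""
    return [framing(n) for n in lengths]


def entropy_bits(sizes):
    """Shannon entropy of the observed size distribution: bits an observer
    can learn about which message was sent from sizes alone."""
    counts = Counter(sizes)
    total = len(sizes)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def distinct_classes(sizes):
    """Number of distinguishable size classes the observer can tell apart."""
    return len(set(sizes))


if __name__ == "__main__":
    for name, framing in (("ssh-style", ssh_style_wire_size),
                          ("fixed-cell", fixed_cell_wire_size)):
        s = observed_sizes(SAMPLE_LENGTHS, framing)
        print(f"{name:10s} classes={distinct_classes(s)} leak={entropy_bits(s):.2f} bits")
    s = constant_rate_trace(SAMPLE_LENGTHS, ticks=64)
    print(f"{'cover':10s} classes={distinct_classes(s)} leak={entropy_bits(s):.2f} bits")
```

With the constructed sample, SSH-style framing leaves seven distinguishable size classes (2.75 bits), fixed 512-byte cells leave five, and the constant-rate schedule leaves one, i.e. zero bits from sizes. The entropy measure only covers sizes; timing and message flows, which the message also names, need the same treatment separately.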