IETF-SSH archive


Re: potential disclaimer for the transport draft.



Wei Dai <weidai%eskimo.com@localhost> writes:

> Regarding the parenthetical suggestion, I thought each SSH packet can
> contain only one message. Is that incorrect?

That's right, but if the implementation does some buffering, i.e.
assembles a sequence of n packets

  P_1, P_2, ... P_n

before the first packet (in encrypted form) is sent across the
network, then I believe packets P_2 ... P_n are not susceptible to the
known iv attacks: Their contents are fixed before the attacker learns
their iv:s. So if you make sure that each such sequence of packets
starts with an SSH_MSG_IGNORE packet P_0, no other packets have their
iv:s known in advance.

This solution is impractical in my implementation, as I buffer the
data to be written later, after encryption, so I hope we can find
other solutions. Adding SSH_MSG_IGNORE at the end of the sequence is
easier, and I'm considering doing that, to make traffic analysis
harder.

(And furthermore, the sequence of packets above need not correspond at
all to actual ip-packets: ssh-packet boundaries and ip-packet
boundaries are independent. For instance, one could arrange that every
ip-packet that is transmitted starts and ends with a partial
SSH_MSG_IGNORE packet, and as the length fields are encrypted, that
would make it hard for an attacker to even see the ssh-packet
boundaries.)

/Niels
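An added example, not from this thread or from any SSH implementation, that models the argument above: with SSH CBC chaining (the last ciphertext block of one packet is the next packet's IV), packets encrypted and sent one at a time have their IV on the wire before their contents are chosen, whereas a buffered sequence headed by an SSH_MSG_IGNORE packet P_0 exposes only P_0's IV in advance. The toy Feistel block cipher, the simplified framing, the packet labels and the zero initial IV are assumptions made for the simulation.

```python
import hashlib
import os

BLOCK = 16
SSH_MSG_IGNORE = 2  # message number of SSH_MSG_IGNORE in the transport protocol


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on 16-byte blocks; stands in for the real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> list:
    """CBC mode; returns the ciphertext blocks (the last one becomes the next IV)."""
    blocks, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(prev, data[i:i + BLOCK])))
        blocks.append(prev)
    return blocks


def frame(payload: bytes) -> bytes:
    """Simplified SSH framing (assumption): payload plus random padding to a block boundary."""
    return payload + os.urandom((-len(payload)) % BLOCK)


def send(key: bytes, first_iv: bytes, batches: list, lead_with_ignore: bool) -> list:
    """Encrypt and 'transmit' batches of (label, payload) packets with IV chaining.
    Returns (label, iv_known_in_advance) per packet: True when the block used as
    that packet's IV was already on the wire before its plaintext was fixed."""
    wire, iv, report = [], first_iv, []
    for batch in batches:
        if lead_with_ignore:  # P_0: an IGNORE packet with a random body heads every batch
            batch = [("IGNORE", bytes([SSH_MSG_IGNORE]) + os.urandom(12))] + list(batch)
        pending = []
        for label, payload in batch:
            report.append((label, iv in wire))
            blocks = cbc_encrypt(key, iv, frame(payload))
            pending.extend(blocks)
            iv = blocks[-1]  # SSH CBC chaining: next IV is the last ciphertext block
        wire.extend(pending)  # the whole batch reaches the network only now
    return report
```

Sending each packet as its own batch without an IGNORE reproduces the known-IV exposure for every packet after the first; batching with a leading IGNORE leaves only the IGNORE packets, whose bodies are random, with a predictable IV.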


