IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"

>> I admit that I haven't done any deep thinking of attacks based on
>> partial decryption.
> I have, and if you want to do it properly it makes the header read
> incredibly complicated.  I've just had a look and it's about 700
> lines of code to safely process the packet header with appropriate
> checking and whatnot, with a lot of awkward length-checking and data
> handling.  For TLS it's maybe 150 lines of quite straightforward code
> (read length, check validity, read data, decrypt).

Oddly enough, "read length, check validity, read data" is what moussh's
packet length handling looks like.  Perhaps the code you were reading
was so Byzantine because it was using an encryption interface that was
not well suited to the task?

My code for decrypting, reading packet length, checking, handling
compression and MAC, and passing off to the protocol stack, is about
131 lines[%].  It calls out to the encryption and compression
implementations, but the lower layers it calls are completely blind to
the binary packet format; they don't know anything about ssh's "length,
padding length, payload, padding, MAC" packet structure, so I don't
consider it unreasonable to not include their line count.  (Actually, I
get close to 700 lines if I _do_ include the next layer down - the
encryption algorithm glue layer runs from 94 (IDEA) to 265 (Rijndael)
lines, and the zlib glue layer is 364 lines.)

[%] Lines 127 to 258 of
    ftp.rodents-montreal.org:/mouseware/local-src/moussh/moussh-20090319/bpp.c
    are the code in question.

> I wouldn't even bother looking for a crypto weakness, I'd exploit the
> complexity of the code required to handle this and look for
> overflows, off-by-one errors, bounds checking, all the usual stuff.
> For that the answer is "yes, many", although it'd depend on the
> implementation you're going after.

Certainly.  But if the code is really 700 lines, either a lot of
unrelated stuff is getting caught up in the line count or someone is
doing something very wrong.  It does not need to be that elaborate.

Not that I claim my code is perfect - if you do happen to notice any
mistakes in it, I'd be interested to hear, of course.  But it runs and
interoperates with other implementations, so I can't have left out any
really major pieces.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
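The "read length, check validity, read data" step for the RFC 4253 binary packet header, written out as an added C example; this is not moussh's bpp.c or anyone's posted code, and the function names, the 35000-byte local cap and the constructed sample block are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 4253 binary packet: uint32 packet_length, byte padding_length, payload,
 * random padding, MAC.  These checks run on the first decrypted block, before
 * the rest of the packet is read.  SSH_MAX_PACKET is a local limit chosen here;
 * RFC 4253 only requires accepting total packets of 35000 bytes or less. */
#define SSH_MAX_PACKET  35000u
#define SSH_MIN_PADDING 4u

enum bpp_status { BPP_OK = 0, BPP_ERR_SHORT, BPP_ERR_LENGTH, BPP_ERR_ALIGN, BPP_ERR_PADDING };

/* block_size is the cipher block size (8 for IDEA, 16 for AES); RFC 4253 aligns
 * the encrypted part to max(block_size, 8). */
enum bpp_status bpp_check_header(uint32_t packet_length, uint8_t padding_length,
                                 size_t block_size, size_t *payload_len_out)
{
    size_t align = block_size < 8 ? 8 : block_size;
    /* packet_length counts the padding_length byte, payload and padding only */
    if (packet_length < 1 + SSH_MIN_PADDING || packet_length > SSH_MAX_PACKET)
        return BPP_ERR_LENGTH;
    if (((size_t)packet_length + 4) % align != 0)
        return BPP_ERR_ALIGN;
    /* at least 4 bytes of padding, and it must fit inside packet_length */
    if (padding_length < SSH_MIN_PADDING || padding_length >= packet_length)
        return BPP_ERR_PADDING;
    if (payload_len_out)
        *payload_len_out = packet_length - 1 - padding_length;
    return BPP_OK;
}

/* Parse an already-decrypted first block: big-endian uint32 then padding byte. */
enum bpp_status bpp_parse_first_block(const uint8_t *buf, size_t len, size_t block_size,
                                      size_t *payload_len_out)
{
    uint32_t pl;
    if (len < 5)
        return BPP_ERR_SHORT;
    pl = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
         ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return bpp_check_header(pl, buf[4], block_size, payload_len_out);
}
/* Constructed sample block (not real traffic): packet_length 12, padding 4,
 * then the first three payload bytes.  Returns payload length or -1. */
static const uint8_t sample_first_block[8] = { 0, 0, 0, 12, 4, 'a', 'b', 'c' };
long bpp_parse_sample(void)
{
    size_t n;
    return bpp_parse_first_block(sample_first_block, 8, 8, &n) == BPP_OK ? (long)n : -1;
}
```

Only after these checks pass does a caller know how many further bytes (and the MAC) to read; a failure at this point should drop the connection rather than try to resynchronise.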
