Re: Albrecht/Paterson/Watson's attack

To: ietf-ssh%NetBSD.org@localhost, mouse%Rodents-Montreal.ORG@localhost
Subject: Re: Albrecht/Paterson/Watson's attack
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Sat, 10 May 2014 22:01:31 +1200

Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>> If you still need to run crypto ops before you can verify the MAC
>> you're not actually doing EtM, or at least not getting the security
>> benefits that it provides.
>
>What benefits _does_ it provide?  Why do they outweigh exposing packet sizes?

It eliminates about a decade's worth of assorted oracle attacks on encryption
algorithms, implementations, packet-handling code, and so on.

The "not exposing packet sizes" is rather overrated in any case, unless you go
to extraordinary lengths in your implementation all an attacker has to do is
look at the TCP traffic to see where one packet stops and the next one starts.
In any case apart from sensitive packets like ones containing password info
(e.g. the userauth messages), which one would hope are padded to a fixed size,
what real, actual benefit (not gedanken-experiment hypothesis) does an
attacker gain from knowing the packet length?  My guess is that most (all?)
SSH implementations have been exposing packet lengths (at the TCP level) for
more than a decade without anyone being able to exploit it.

Peter.

Follow-Ups:
- Re: Albrecht/Paterson/Watson's attack
  - From: Mouse

References:
- Re: Albrecht/Paterson/Watson's attack
  - From: Mouse

Prev by Date: Re: Albrecht/Paterson/Watson's attack
Next by Date: Re: Albrecht/Paterson/Watson's attack
Previous by Thread: Re: Albrecht/Paterson/Watson's attack
Next by Thread: Re: Albrecht/Paterson/Watson's attack
Indexes:

Home | Main Index | Thread Index | Old Index