IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Albrecht/Paterson/Watson's attack
Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:
>> If you still need to run crypto ops before you can verify the MAC
>> you're not actually doing EtM, or at least not getting the security
>> benefits that it provides.
>
>What benefits _does_ it provide? Why do they outweigh exposing packet sizes?
It eliminates about a decade's worth of assorted oracle attacks on encryption
algorithms, implementations, packet-handling code, and so on.
The "not exposing packet sizes" is rather overrated in any case, unless you go
to extraordinary lengths in your implementation all an attacker has to do is
look at the TCP traffic to see where one packet stops and the next one starts.
In any case apart from sensitive packets like ones containing password info
(e.g. the userauth messages), which one would hope are padded to a fixed size,
what real, actual benefit (not gedanken-experiment hypothesis) does an
attacker gain from knowing the packet length? My guess is that most (all?)
SSH implementations have been exposing packet lengths (at the TCP level) for
more than a decade without anyone being able to exploit it.
Peter.
Home |
Main Index |
Thread Index |
Old Index