IETF-SSH archive


Re: Albrecht/Paterson/Watson's attack



Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>> If you do it similarly to what I do, you'd need to add a (short)
>> queue of unencrypted packets before the output buffer.  I think
>> that's more sane than a "crypto rollback".
>
> I don't see how that would help.  I'd still need to either encrypt the
> possibly-desired IGNORE or do the write without it and risk a BPP-level
> packet boundary appearing as a TCP segment boundary via being a write
> boundary.

The idea is that you collect a queue of cleartext packets. Then one of
two events can get you to encrypt messages, filling the output buffer
with encrypted data.

1. When you have collected enough data to generate a tcp packet of the
   desired size. Encrypt messages one at a time until you have enough
   data in the output buffer. Do a single write of the desired size.

2. Otherwise, if you get a message with the push flag set, generate a
   large enough ignore message, then go to step 1. My code appends the
   ignore message.

From this discussion I've understood that it would in some ways be
better to insert the ignore message somewhere *before* the message
needing push. E.g, SSH_MSG_IGNORE | SSH_MSG_USERAUTH provides better
hiding than SSH_MSG_USERAUTH | SSH_MSG_IGNORE, but I haven't digested
the implications of that.

> How do you tell how large TCP segments are?

I don't, I'm just thinking that if all my writes are of a fixed size,
say 1300 bytes, the tcp stack can split that into segments any way it
likes, segment boundaries ought to be independent of the ssh message
boundaries regardless.

And then in practice, I don't use a *single* large packet size, but a
small number of allowed packet sizes, in order to not bloat an
interactive terminal session too much, where I typically collect only a
few keystrokes per message (using VMIN = 3, VTIME = 2 for the tty).

> Sounds to me as though you'll end up sprinkling IGNOREs all through
> most traffic.  That's one of the effects I'd like to avoid.

They will be omitted whenever the output buffer starts to fill up. But
otherwise, the intention is that a typical tcp segment will consist of

   | ...end of SSH_MSG_IGNORE | SSH_MSG_other | start of SSH_MSG_IGNORE... |

Regards,
/Niels

> /~\ The ASCII				  Mouse
> \ / Ribbon Campaign
>  X  Against HTML		mouse%rodents-montreal.org@localhost
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
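
The queueing scheme described in the message above, as an added sketch that is not part of the original post and not the poster's implementation. It assumes a 16-byte cipher block, a single write size of 1300 bytes, and leaves out the cipher and MAC since only packet sizes matter here; the names `Sender`, `frame` and `ignore` are hypothetical.

```python
import struct

SSH_MSG_IGNORE = 2   # message number from RFC 4253
BLOCK = 16           # assumed cipher block size
WRITE_SIZE = 1300    # the fixed write size mentioned in the message

def frame(payload):
    """RFC 4253 section 6 packet layout; cipher and MAC omitted (sizes only)."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def ignore(min_framed):
    """SSH_MSG_IGNORE payload whose framed size is at least min_framed."""
    data_len = max(0, min_framed - 14)   # 5 header + 5 type/length + >=4 padding
    return struct.pack(">BI", SSH_MSG_IGNORE, data_len) + bytes(data_len)

class Sender:
    def __init__(self):
        self.queue = []     # cleartext payloads, not yet framed
        self.outbuf = b""   # framed bytes waiting to be written
        self.writes = []    # stands in for write() calls on the socket

    def pending(self):
        return len(self.outbuf) + sum(len(frame(p)) for p in self.queue)

    def flush(self):
        # Event 1: frame packets one at a time, emit only WRITE_SIZE chunks.
        while self.pending() >= WRITE_SIZE:
            while len(self.outbuf) < WRITE_SIZE:
                self.outbuf += frame(self.queue.pop(0))
            self.writes.append(self.outbuf[:WRITE_SIZE])
            self.outbuf = self.outbuf[WRITE_SIZE:]

    def send(self, payload, push=False):
        self.queue.append(payload)
        if push:
            # Event 2: append an IGNORE that brings pending data up to a
            # whole number of writes, so the pushed packet leaves in full.
            short = -self.pending() % WRITE_SIZE
            if short:
                self.queue.append(ignore(short))
        self.flush()
```

After a pushed message, the tail of the IGNORE stays in `outbuf` and opens the next write, which gives the segment layout drawn in the message.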


