IETF-SSH archive


Re: Binary packet protocol rethink



On Fri, 27 Nov 2015, denis bider wrote:

> I agree with Niels's observation that there probably isn't a much better
> defense than SSH_MSG_IGNORE already offers.
> 
> The fundamental problem of defending against traffic analysis is that if you
> don't want the attacker to learn anything, then no observable aspect of the
> connection can change. In order to reconcile this with the need to USE the
> connection, if you want to maximize defense, the connection always has to
> operate at its maximum potential. You must always, and constantly, be
> streaming SSH_MSG_IGNORE packets in both directions at maximum bandwidth, or
> else you must restrict your usage of the connection to a lower rate of
> streaming that you are comfortable maintaining indefinitely.

I don't think this is correct - the chaff only needs to be sufficient to
obscure the "real" packets' lengths and timings. It doesn't need to
indefinitely saturate the link to achieve this.

E.g. an implementation that quantised packet send times (e.g. send every
10ms) and which continued to send random chaff packets for some random
interval after the last real packet and in approximate volume to the real
ones would remove the worst of the timing channels. 

> Maybe there are users who want to go for that tradeoff. But in 15 years, we
> haven't heard that request, yet.

FWIW quite a few people have told me that they like the OpenSSH chacha/poly1305
AEAD because it preserves privacy of length fields. I'm a little more
ambivalent.

-d
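
The chaff scheme sketched in the message above, as an added simulation that is not part of the original message or of any SSH implementation: real packets are held to the next 10 ms tick, one per tick, and chaff (standing in for SSH_MSG_IGNORE) continues for a random tail after each real packet at roughly the burst's real-packet rate. The function name, the tail range, the rate estimate and the fixed-size padding of every packet are assumptions.

```python
import random

TICK_MS = 10  # "send every 10ms" from the message; other parameters are assumptions


def schedule(real_ms, tail_ms=(200, 1000), rng=None):
    """Return [(send_time_ms, "real" | "chaff"), ...] as seen on the wire.

    real_ms: times at which the application produced a packet.
    tail_ms: range the random chaff tail is drawn from after each real packet.
    Every packet is assumed padded to one fixed size, so only timing is modelled.
    """
    rng = rng or random.Random()
    queue = sorted(real_ms)
    wire, i = [], 0
    tick = burst_start = burst_real = tail_end = 0
    while i < len(queue) or tick < tail_end:
        now = tick * TICK_MS
        if i < len(queue) and queue[i] <= now:
            if tick >= tail_end:  # link was idle, so a new burst starts here
                burst_start, burst_real = tick, 0
            wire.append((now, "real"))  # at most one packet per tick
            i += 1
            burst_real += 1
            # Re-draw the tail so the end of real traffic is not visible.
            tail_end = tick + 1 + rng.randint(*tail_ms) // TICK_MS
        elif tick < tail_end:
            # Nothing real to send: emit chaff at about the burst's real rate.
            if rng.random() < burst_real / (tick - burst_start):
                wire.append((now, "chaff"))
        else:
            # Idle and no tail pending: skip ahead to the next real packet's tick.
            tick = -(-queue[i] // TICK_MS) - 1
        tick += 1
    return wire


if __name__ == "__main__":
    # Constructed keystroke-like arrival times in milliseconds.
    for t, kind in schedule([3, 7, 12, 41, 58], rng=random.Random(1)):
        print(f"{t:5d} ms  {kind}")
```

An observer sees only the send times, all on 10 ms boundaries; the start of a burst after an idle period remains visible, and the link is silent once the tail ends, so it is not saturated indefinitely.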


