IETF-SSH archive


RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)



Damien Miller <djm%mindrot.org@localhost> writes:

>There have been quite a few fingerprinting attacks against websites using 
>object sizes, e.g. Vincent Berg's work.

Sure, I'm aware of just under three dozen, but encrypted vs. unencrypted
lengths don't play a major role, they're used because they're there, not
because they're critical to the success of the process.  You've got TCP
packet sizes (which generally make length-encryption irrelevant), packet
timing, message flows, everything that can be used will be used.  In
particular, "Timing Analysis of Keystrokes and Timing Attacks on SSH"
worked against SSH even though the lengths were encrypted.

More or less the same debate is currently occurring on the TLS list,
where I commented that:

  If you want to thwart traffic analysis, you need to do something
  like what's done by designs like Aqua ("Towards Efficient Traffic-
  analysis Resistant Anonymity Networks"), or ideas from any of the 
  other anti-traffic-analysis work that's emerged in the past decade 
  or two.  
  
  You get traffic analysis resistance by, for example, breaking data into 
  fixed-length packets, using cover traffic, and messing with packet 
  timings, not by encrypting TLS headers.

Peter.
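
An added illustration of the argument in the message above (not part of the original post or of any SSH implementation): a passive observer's view of segment sizes is identical whether or not the length field is encrypted, while fixed-length cells collapse it to a single size. The sample payload sizes, `BLOCK`, `MAC_LEN`, `CELL`, the XOR stand-in for encryption and the one-segment-per-packet model are all assumptions of this sketch.

```python
import struct

# Constructed sample: payload sizes (bytes) of successive messages in one session.
SAMPLE_PAYLOADS = [1, 1, 1, 37, 1, 512, 1460, 3000, 1, 90]
BLOCK, MAC_LEN, CELL = 8, 16, 512   # assumed parameters for this sketch


def frame(n, encrypt_length):
    """One SSH-style packet: length(4) | padlen(1) | payload | padding | MAC.
    Zero bytes stand in for ciphertext; only sizes matter here."""
    pad = BLOCK - ((5 + n) % BLOCK)
    if pad < 4:                      # SSH requires at least 4 bytes of padding
        pad += BLOCK
    length = struct.pack(">I", 1 + n + pad)
    if encrypt_length:               # stand-in for an encrypted length field
        length = bytes(b ^ 0xA5 for b in length)
    return length + bytes(1 + n + pad + MAC_LEN)


def fixed_cells(n):
    """Split one message into fixed-size cells, padding the last one.
    Each cell spends 2 bytes on an inner 'bytes used' field (assumption)."""
    usable = CELL - 2
    count = max(1, -(-n // usable))  # ceiling division; empty message = 1 cell
    return [bytes(CELL + MAC_LEN)] * count


def wire(payloads, mode):
    """Segments as written to the network, modelled as one segment per packet."""
    if mode == "cells":
        return [c for n in payloads for c in fixed_cells(n)]
    return [frame(n, encrypt_length=(mode == "enc-len")) for n in payloads]


def observer_view(segments):
    """A passive observer never parses the header; segment sizes are enough."""
    return [len(s) for s in segments]


if __name__ == "__main__":
    for mode in ("plain-len", "enc-len", "cells"):
        sizes = observer_view(wire(SAMPLE_PAYLOADS, mode))
        print(f"{mode:9} distinct sizes={len(set(sizes))} segments={len(sizes)}")
```

The cell count still tracks the volume sent, which is where the cover traffic and timing changes named in the message come in.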


