IETF-SSH archive


Re: Binary packet protocol rethink



Simon Tatham <anakin%pobox.com@localhost> writes:

> an attacker either guesses the true length by correlating to the
> TCP headers, or probes it by means of the byte-at-a-time dribbling
> attack, or actively corrupts the cipher block containing the length and
> waits to see when the resulting MAC failure is reported,

Would you be happier if the length field were independently
authenticated? I'm not sure how strong an authenticator we need; it
seems a bit silly to use an authentication tag which is much larger than
the message, but maybe it's really needed.

> by making sure that the encrypted block boundaries do not also
> reveal the length or position of any actually important data, such as a
> particular SSH_MSG_anything.

Can we do that with the current protocol? If so, guidance is
appreciated. What I object to is removing a feature (encrypted message
lengths) which enables known countermeasures to traffic analysis, and
replacing it with nothing.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
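The following is an added illustration, not code from the thread, from any IETF draft, or from any SSH implementation, of what "independently authenticated length field" could mean in practice and why it changes what the length-corruption probe learns. It builds a toy packet format with an encrypted 4-byte length protected by its own short tag (here 4 bytes, an arbitrary choice), followed by the encrypted payload and a full-size tag over the whole packet. Two receivers are compared: one that verifies the length tag before trusting the decrypted length, and one that does not. An attacker who corrupts the ciphertext of the length block and watches how many bytes the receiver consumes before reporting a MAC failure learns the true length from the unauthenticated receiver, but always sees the same 8-byte read from the authenticated one. All names, the HMAC-SHA256 counter-mode keystream (a stand-in so the code runs on the Python standard library), the key-derivation labels, the 8-byte sequence number and the tag sizes are assumptions made for this example.

```python
import hashlib
import hmac
import struct

LEN_TAG = 4   # assumed short tag over the length field only
TAG = 32      # full tag over the whole packet (HMAC-SHA256)


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Stand-in for a real
    cipher so the example runs offline; not an SSH construction."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Keys:
    """Four independent keys derived from one master secret (assumed labels)."""
    def __init__(self, master: bytes):
        self.len_enc = hashlib.sha256(b"len-enc" + master).digest()
        self.len_mac = hashlib.sha256(b"len-mac" + master).digest()
        self.pay_enc = hashlib.sha256(b"pay-enc" + master).digest()
        self.pay_mac = hashlib.sha256(b"pay-mac" + master).digest()


def length_tag(keys: Keys, seq: int, enc_len: bytes) -> bytes:
    return hmac.new(keys.len_mac, struct.pack(">Q", seq) + enc_len,
                    hashlib.sha256).digest()[:LEN_TAG]


def seal(keys: Keys, seq: int, payload: bytes, auth_len: bool = True) -> bytes:
    """enc(len) || [len_tag] || enc(payload) || tag(seq || everything before)."""
    enc_len = xor(struct.pack(">I", len(payload)), keystream(keys.len_enc, seq, 4))
    head = enc_len + (length_tag(keys, seq, enc_len) if auth_len else b"")
    enc_pay = xor(payload, keystream(keys.pay_enc, seq, len(payload)))
    tag = hmac.new(keys.pay_mac, struct.pack(">Q", seq) + head + enc_pay,
                   hashlib.sha256).digest()
    return head + enc_pay + tag


class Stream:
    """Byte source that records how much the receiver has consumed."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise EOFError
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


class MacError(Exception):
    pass


def open_packet(keys: Keys, seq: int, stream: Stream, auth_len: bool = True) -> bytes:
    enc_len = stream.read(4)
    head = enc_len
    if auth_len:
        # Reject before the decrypted length influences any further read.
        got = stream.read(LEN_TAG)
        if not hmac.compare_digest(got, length_tag(keys, seq, enc_len)):
            raise MacError("length tag mismatch")
        head += got
    n = struct.unpack(">I", xor(enc_len, keystream(keys.len_enc, seq, 4)))[0]
    enc_pay = stream.read(n)          # unauthenticated receiver trusts n here
    tag = stream.read(TAG)
    want = hmac.new(keys.pay_mac, struct.pack(">Q", seq) + head + enc_pay,
                    hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise MacError("packet tag mismatch")
    return xor(enc_pay, keystream(keys.pay_enc, seq, n))


def bytes_read_before_failure(keys: Keys, seq: int, packet: bytes,
                              auth_len: bool, flip: int) -> int:
    """Attacker's probe: XOR `flip` into the low byte of the encrypted length
    and count how many bytes the receiver consumes before it reports an error.
    The stream is padded with zeros so the receiver never runs dry."""
    corrupted = bytearray(packet)
    corrupted[3] ^= flip
    stream = Stream(bytes(corrupted) + bytes(4096))
    try:
        open_packet(keys, seq, stream, auth_len)
    except MacError:
        return stream.pos
    raise AssertionError("corrupted packet was accepted")


if __name__ == "__main__":
    keys = Keys(b"constructed master secret")       # constructed sample key
    payload = b"SSH_MSG example payload"           # 23 bytes, constructed
    for auth in (True, False):
        pkt = seal(keys, 1, payload, auth)
        for flip in (0x05, 0x10):
            print("auth_len=%s flip=%#x -> %d bytes read before failure"
                  % (auth, flip, bytes_read_before_failure(keys, 1, pkt, auth, flip)))
```

For the unauthenticated receiver the count is 36 + (len XOR flip): the receiver reads the corrupted length, then that many payload bytes, then the 32-byte tag, so two probes with known flips recover the real length. With the length tag, failure is reported after 8 bytes regardless of what the corrupted block decrypts to; whether a 32-bit tag is "strong enough" for that purpose is exactly the open question in the message above.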


