IETF-SSH archive


RE: Binary packet protocol rethink



Niels Möller <nisse%lysator.liu.se@localhost> writes:

>The ssh transport machinery can encrypt these, then split them into fixed
>size blocks and send off with pre-determined intervals, and whatever else you
>think is a useful countermeasure to traffic analysis. When an input message
>or message fragment is too short, insert ignore messages (preferably in
>*front* of the real data, for the byte-by-byte dribble attack).

The important point there is that it *can*, not that it actually *does*.  I've
heard that there was an OpenSSH patch some years ago that did something like
this, but in about 15 years of interop-testing my code I've never seen any
evidence that the other side is applying any traffic-analysis countermeasures.
A quick Google turns up this blog post from a few months ago:

http://malwaremusings.com/2015/07/13/traffic-analysis-openssh-with-an-interactive-shell/

which indicates that OpenSSH doesn't implement traffic-analysis protection
(not trying to single out OpenSSH here, but that seems to have the most bells
and whistles added to it so if it was implemented I'd sort of expect to see it
there first), and that some random guy with a copy of Wireshark (not an
intelligence agency, if that's what the perceived threat is) doesn't have much
problem in doing traffic analysis on it.

So there appears to be either zero or close to zero support out there for
anti-traffic-analysis.  Even if, say, OpenSSH were to add support, that would
only affect two similar OpenSSH implementations talking to each other.  As
soon as you get a single other SSH implementation involved (and there are a
lot of them out there), you lose the anti-traffic-analysis.

>I'm happy to discuss the tradeoffs here, but it seems that you keep repeating
>that the attacker gets as much useful info from observing tcp segment
>boundaries as from observing ssh message boundaries.

At the moment it seems they do.  Unless actual, real countermeasures to
traffic analysis are actively applied by as many SSH implementations as
possible, encrypting the headers does nothing more than inconvenience
implementers.

So, let's turn this around: Show me evidence of assorted SSH implementations
performing anti-traffic-analysis measures, and then we can debate whether
encrypting the length hinders those countermeasures.

Peter.
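
The countermeasure described in the quoted paragraph above (an ignore message placed in front of short data so that every burst has the same size), as an added example that is not part of the original message or of any SSH implementation. CHUNK, the function names and the sample channel-data payload are assumptions; packets are shown in RFC 4253 plaintext form, before encryption and MAC.

```python
import os
import struct

SSH_MSG_IGNORE = 2    # RFC 4253, section 11.2
BLOCK = 8             # assumed cipher block size (the RFC 4253 minimum)
CHUNK = 256           # assumed fixed burst size; not an SSH constant


def frame(payload: bytes) -> bytes:
    """Plaintext RFC 4253 binary packet: length, padding length, payload, padding."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:                      # the RFC requires at least 4 padding bytes
        pad += BLOCK
    header = struct.pack(">IB", 1 + len(payload) + pad, pad)
    return header + payload + os.urandom(pad)


def cover(payload: bytes, chunk: int = CHUNK) -> bytes:
    """Return SSH_MSG_IGNORE + real packet, exactly `chunk` bytes before MACs."""
    real = frame(payload)
    room = chunk - len(real)
    if chunk % BLOCK or room < 16:   # 16 bytes is the smallest legal packet
        raise ValueError("payload does not fit; fragment it first")
    n = room - 14                    # 4 len + 1 padlen + 1 type + 4 strlen + 4 pad
    ignore = frame(struct.pack(">BI", SSH_MSG_IGNORE, n) + os.urandom(n))
    return ignore + real             # ignore goes in *front* of the real data


def parse(stream: bytes) -> list:
    """Split a plaintext packet stream back into payloads (receiver's view)."""
    out = []
    while stream:
        length, pad = struct.unpack(">IB", stream[:5])
        out.append(stream[5:4 + length - pad])
        stream = stream[4 + length:]
    return out


def channel_data(data: bytes, channel: int = 0) -> bytes:
    """Constructed SSH_MSG_CHANNEL_DATA (94) payload for the demo."""
    return struct.pack(">BII", 94, channel, len(data)) + data
```

Because every burst is always two packets, the per-packet MAC overhead is constant as well, so a one-keystroke payload and a 200-byte payload produce the same number of bytes on the wire.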

