RE: Binary packet protocol rethink

To: Niels Möller <nisse%lysator.liu.se@localhost>
Subject: RE: Binary packet protocol rethink
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Wed, 2 Dec 2015 01:09:33 +0000

Niels Möller <nisse%lysator.liu.se@localhost> writes:

>The ssh transport machinery can encrypt these, then split them into fixed
>size blocks and send off with pre-determined intervals, and whatever else you
>think is a useful counter measure to traffic analysis. When an input message
>or message fragment is too short, insert ignore messages (preferable in
>*front* of the real data, for the byte-by-byte dribble attack).

The important point there is that it *can*, not that it actually *does*.  I've
heard that there was an OpenSSH patch some years ago that did something like
this, but in about 15 years of interop-testing my code I've never seen any
evidence that the other side is applying any traffic-analysis countermeasures.
A quick Google turns up this blog post from a few months ago:

http://malwaremusings.com/2015/07/13/traffic-analysis-openssh-with-an-interactive-shell/

which indicates that OpenSSH doesn't implement traffic-analysis protection
(not trying to single out OpenSSH here, but that seems to have the most bells
and whistles added to it so if it was implemented I'd sort of expect to see it
there first), and that some random guy with a copy of Wireshark (not an
intelligence agency, if that's what the perceived threat is) doesn't have much
problem in doing traffic analysis on it.

So there appears to be either zero or close to zero support out there for
anti-traffic-analysis.  Even if, say, OpenSSH were to add support, that would
only affect two similar OpenSSH implementations talking to each other.  As
soon as you get a single other SSH implementation involved (and there are a
lot of them out there), you lose the anti-traffic analysis.

>I'm happy to discuss the tradeoffs here, but it seems that you keep repeating
>that the attacker gets as much useful info from observing tcp segment
>boundaries as from observing ssh message boundaries.

At the moment it seems they do.  Unless actual, real countermeasures to
traffic analysis are actively applied by as many SSH implementations as
possible, encrypting the headers does nothing more than inconvenience
implementers.

So, let's turn this around: Show me evidence of assorted SSH implementations
performing anti-traffic-analysis measures, and then we can debate whether
encrypting the length hinders those countermeasures.

Peter.

Follow-Ups:
- Re: Binary packet protocol rethink
  - From: Niels Möller
- Re: Binary packet protocol rethink
  - From: Bryan Ford
- RE: Binary packet protocol rethink
  - From: Peter Gutmann

References:
- ChaCha20-Poly1305 for SSH
  - From: Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH
  - From: Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
  - From: Simon Tatham
- RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
  - From: Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
  - From: Damien Miller
- RE: Binary packet protocol rethink (was: Re: ChaCha20-Poly1305 for SSH)
  - From: Peter Gutmann
- Re: Binary packet protocol rethink
  - From: Niels Möller
- RE: Binary packet protocol rethink
  - From: Peter Gutmann
- Re: Binary packet protocol rethink
  - From: Niels Möller

Prev by Date: Re: Binary packet protocol rethink
Next by Date: RE: Binary packet protocol rethink
Previous by Thread: Re: Binary packet protocol rethink
Next by Thread: RE: Binary packet protocol rethink
Indexes:

Home | Main Index | Thread Index | Old Index