IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
RE: AEAD in ssh
denis bider <ietf-ssh3%denisbider.com@localhost> writes:
>I have recently implemented AES-GCM, and I find the choice of unencrypted
>length fields dubious. It negates any means of obfuscating the lengths of some
>packets using SSH_MSG_IGNORE.
>
>The alternative - to encrypt packet lengths using a parallel construction -
>seems much preferable.
See "Peek-a-Book, I Still See You: Why Efficient Traffic Analysis
Countermeasures Fail" by Dyer, Coult, Ristenpart and Shrimpton. The
conclusion from the research: It's completely pointless, none of their attacks
even bother looking at the length field, so encrypting it is entirely
irrelevant.
Or, more importantly, it offers negative utility in that it makes processing
much harder and has led to exploitable vulnerabilities in the past.
Peter.
Home |
Main Index |
Thread Index |
Old Index