IETF-SSH archive


RE: AEAD in ssh



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>I have recently implemented AES-GCM, and I find the choice of unencrypted
>length fields dubious. It negates any means of obfuscating the lengths of some
>packets using SSH_MSG_IGNORE.
>
>The alternative - to encrypt packet lengths using a parallel construction -
>seems much preferable.

See "Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis
Countermeasures Fail" by Dyer, Coull, Ristenpart and Shrimpton.  The
conclusion from the research: It's completely pointless, none of their attacks
even bother looking at the length field, so encrypting it is entirely
irrelevant.

Or, more importantly, it offers negative utility in that it makes processing
much harder and has led to exploitable vulnerabilities in the past.

Peter.
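
As an added illustration (not part of this thread, and not code from OpenSSH or any other implementation), here is a Python toy model of the two packet framings under discussion. The "AEAD" inside it is a stand-in built from stdlib HMAC-SHA256 so that it runs offline; it is not AES-GCM. The first framing follows the RFC 5647 layout, where the 4-byte packet_length stays in the clear as additional authenticated data; the second is the "parallel construction" denis describes, where the length is encrypted under its own key before the packet is authenticated, the way chacha20-poly1305@openssh.com does it. The key names, sample keys and payloads are constructed for the example.

```python
import hashlib
import hmac
import io
import struct

TAG_LEN = 16          # 16-byte tags, as with AES-GCM and Poly1305
SSH_MSG_IGNORE = 2    # message number from RFC 4253


# --- toy AEAD stand-in (NOT AES-GCM): HMAC-SHA256 keystream + HMAC-SHA256 tag ---
def _keystream(key, seqnr, nbytes):
    out, block = bytearray(), 0
    while len(out) < nbytes:
        out += hmac.new(key, struct.pack(">QI", seqnr, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:nbytes])

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key, seqnr, aad, ct):
    m = hmac.new(mac_key, struct.pack(">Q", seqnr) + aad + ct, hashlib.sha256)
    return m.digest()[:TAG_LEN]

def toy_seal(enc_key, mac_key, seqnr, aad, pt):
    ct = _xor(pt, _keystream(enc_key, seqnr, len(pt)))
    return ct, _tag(mac_key, seqnr, aad, ct)

def toy_open(enc_key, mac_key, seqnr, aad, ct, tag):
    if not hmac.compare_digest(tag, _tag(mac_key, seqnr, aad, ct)):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(enc_key, seqnr, len(ct)))


# --- framing 1: RFC 5647 layout, packet_length in the clear as AAD ---
def seal_gcm_style(keys, seqnr, body):
    length = struct.pack(">I", len(body))
    ct, tag = toy_seal(keys["enc"], keys["mac"], seqnr, length, body)
    return length + ct + tag

def open_gcm_style(keys, seqnr, stream):
    length = stream.read(4)                      # readable without any crypto
    n = struct.unpack(">I", length)[0]
    ct, tag = stream.read(n), stream.read(TAG_LEN)
    return toy_open(keys["enc"], keys["mac"], seqnr, length, ct, tag)


# --- framing 2: "parallel construction", length encrypted under its own key ---
def parallel_style_length(keys, seqnr, enc_length):
    """Decrypts the 4-byte length field; this runs BEFORE the packet is authenticated."""
    return struct.unpack(">I", _xor(enc_length, _keystream(keys["len"], seqnr, 4)))[0]

def seal_parallel_style(keys, seqnr, body):
    enc_length = _xor(struct.pack(">I", len(body)), _keystream(keys["len"], seqnr, 4))
    ct, tag = toy_seal(keys["enc"], keys["mac"], seqnr, enc_length, body)
    return enc_length + ct + tag

def open_parallel_style(keys, seqnr, stream):
    enc_length = stream.read(4)
    n = parallel_style_length(keys, seqnr, enc_length)   # unverified value drives the next read
    ct, tag = stream.read(n), stream.read(TAG_LEN)
    return toy_open(keys["enc"], keys["mac"], seqnr, enc_length, ct, tag)


# --- what a passive observer learns from each framing ---
def observer_lengths_gcm_style(wire):
    lengths, pos = [], 0
    while pos < len(wire):
        n = struct.unpack(">I", wire[pos:pos + 4])[0]
        lengths.append(n)
        pos += 4 + n + TAG_LEN
    return lengths

def observer_bytes_parallel_style(wire):
    return len(wire)   # packet boundaries are not parseable from the bytes alone


def demo():
    keys = {"enc": b"k" * 32, "mac": b"m" * 32, "len": b"l" * 32}   # constructed keys
    real = b"\x05" + b"real payload of interest"                    # padding_length byte + payload (toy)
    cover = b"\x05" + bytes([SSH_MSG_IGNORE]) + b"\x00" * 40         # SSH_MSG_IGNORE cover packet

    wire_gcm = seal_gcm_style(keys, 0, real) + seal_gcm_style(keys, 1, cover)
    wire_par = seal_parallel_style(keys, 0, real) + seal_parallel_style(keys, 1, cover)

    s = io.BytesIO(wire_gcm)
    assert open_gcm_style(keys, 0, s) == real and open_gcm_style(keys, 1, s) == cover
    s = io.BytesIO(wire_par)
    assert open_parallel_style(keys, 0, s) == real and open_parallel_style(keys, 1, s) == cover

    # One flipped bit in the encrypted length field: the receiver derives a wrong n and
    # acts on it (sizing the next read) before the tag check can reject the packet.
    corrupted = wire_par[:3] + bytes([wire_par[3] ^ 0x01]) + wire_par[4:]
    bogus_n = parallel_style_length(keys, 0, corrupted[:4])
    try:
        open_parallel_style(keys, 0, io.BytesIO(corrupted))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "gcm_observer": observer_lengths_gcm_style(wire_gcm),   # real and cover lengths both visible
        "parallel_observer": observer_bytes_parallel_style(wire_par),
        "real_length": len(real),
        "bogus_length": bogus_n,
        "tamper_rejected": rejected,
    }

if __name__ == "__main__":
    print(demo())
```

The observer functions show the two sides of the thread: with the RFC 5647 layout every packet_length, including that of the SSH_MSG_IGNORE cover packet, is parseable straight off the wire, while with the encrypted length only the byte count is. The corrupted-length branch shows the processing cost Peter refers to: the receiver must decrypt and act on the length field before any authentication has happened, whereas the clear-length layout only has to parse it.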


