IETF-SSH archive


Re: AEAD in ssh



That implementation, with unencrypted packet lengths, sabotages any hope of thwarting traffic analysis, even through high-overhead SSH_MSG_IGNORE padding.

If someone wants to do max bandwidth padding right now, using AES-CTR, they can just do it. With AES-GCM, this is no longer viable. Internal padding is too inflexible.

I think it's a shame to throw away implementation potential just because it's not currently being used. Right now we don't do max bandwidth padding because it's seen as inefficient. That may no longer be the case in 10 years.

25 years ago, encryption seemed inefficient, and no one did it.


Watson Ladd <watsonbladd%gmail.com@localhost>, 2/23/2016 6:57 PM:


On Feb 23, 2016 10:41 AM, "Niels Möller" <nisse%lysator.liu.se@localhost> wrote:
>
> Bryan Ford <brynosaurus%gmail.com@localhost> writes:
>
> > I can understand that position. However, one potentially
> > counter-balancing consideration is that the introduction of new
> > AEAD-based ciphersuites inherently introduces a new,
> > wire-protocol-incompatible “record format” anyway that needs to be
> > negotiated.
>
> I agree, but at least it's only a different per-packet transformation.
> Having to guess future packet sizes or emit extra packets is much more
> than a new record format. I don't think it's a good tradeoff, too much
> new complexity for little benefit.
>
> My understanding is that cleartext length fields are believed to be
> secure, in that the only thing leaked are message boundaries. And hiding
> them using a separate stream cipher is a simple way to stop that leak
> (and the benefit of doing that is under debate). In particular, the even
> simpler alternative, to apply the AEAD to the 4-byte length field,
> including authentication, seems like overkill.
>
> I think simplicity is essential for making progress here, if we go for a
> design of ssh version 3, discussion will never end.
>
> > Deferring useful record format changes until the next major protocol
> > version,
>
> I don't expect any need for a new major version of the ssh protocol for
> the next one or two decades. It's not too painful to add aead support
> (and all other additions of new algorithms have been smooth, as far as I
> can tell).

There already is a widely used SSH implementation with AEAD support. Copy what they do.
>
> Regards,
> /Niels
>
> --
> Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
> Internet email is subject to wholesale government surveillance.
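The framing difference the thread is arguing about, as an added example that is not part of this message or of any SSH implementation: the RFC 5647 AES-GCM layout leaves the 4-byte packet_length in the clear (it is only authenticated as AAD), whereas the chacha20-poly1305@openssh.com layout encrypts the length under a separate key, so a passive observer recovers per-packet sizes from the first stream and not from the second, while both still leak total volume. The keystream and tag below are SHAKE-256 and keyed BLAKE2 stand-ins for the real ciphers (an assumption so the demo runs offline), and the keys and packets are constructed.

```python
import hashlib, os, struct
SSH_MSG_IGNORE = 2
TAG_LEN = 16  # 16-byte tag, as with GCM and Poly1305

def keystream(key, seqnr, n):
    # Stand-in for AES-CTR / ChaCha20: SHAKE-256(key || seqnr) as keystream (demo only, not a real cipher)
    return hashlib.shake_256(key + struct.pack(">Q", seqnr)).digest(n)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def frame(payload, block=8):
    # RFC 4253 framing: packet_length || padding_length || payload || random padding (>= 4, block aligned)
    pad = block - (len(payload) + 1) % block
    if pad < 4: pad += block
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)) + body

def seal_gcm_style(key, seqnr, payload):
    # RFC 5647 layout: packet_length stays in the clear (AAD), the rest is encrypted, tag appended
    pkt = frame(payload)
    length, ct = pkt[:4], xor(pkt[4:], keystream(key, seqnr, len(pkt) - 4))
    tag = hashlib.blake2b(length + ct, key=key, digest_size=TAG_LEN).digest()  # stand-in tag
    return length + ct + tag

def seal_encrypted_length(k1, k2, seqnr, payload):
    # chacha20-poly1305@openssh.com layout: length encrypted under its own key K1, body under K2
    pkt = frame(payload)
    enc_len = xor(pkt[:4], keystream(k1, seqnr, 4))
    ct = xor(pkt[4:], keystream(k2, seqnr, len(pkt) - 4))
    tag = hashlib.blake2b(enc_len + ct, key=k2, digest_size=TAG_LEN).digest()  # stand-in tag
    return enc_len + ct + tag

def observer_sizes(wire):
    # Keyless passive observer: trusts the first 4 bytes of each record as packet_length and walks the
    # stream; returns the per-packet sizes it recovers, or None when the bytes do not parse as frames.
    sizes, i = [], 0
    while i < len(wire):
        if i + 4 > len(wire): return None
        n = struct.unpack(">I", wire[i:i + 4])[0]
        end = i + 4 + n + TAG_LEN
        if n == 0 or end > len(wire): return None
        sizes.append(n); i = end
    return sizes

def demo():
    # Constructed keys and traffic: a real packet, a 40-byte SSH_MSG_IGNORE filler, another real packet
    key, k1, k2 = b"G" * 32, b"L" * 32, b"P" * 32
    msgs = [b"\x5e" + b"real data", bytes([SSH_MSG_IGNORE]) + bytes(40), b"\x5e" + b"more"]
    gcm = b"".join(seal_gcm_style(key, i, m) for i, m in enumerate(msgs))
    enc = b"".join(seal_encrypted_length(k1, k2, i, m) for i, m in enumerate(msgs))
    return observer_sizes(gcm), observer_sizes(enc), len(gcm), len(enc)
```

In the cleartext-length stream the observer sees the sizes 16, 48 and 16, so the SSH_MSG_IGNORE filler is individually visible; in the encrypted-length stream it cannot find boundaries at all, although both streams are the same 140 bytes long.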
