IETF-SSH archive


RE: AEAD in ssh



Niels Möller <nisse%lysator.liu.se@localhost> writes:

>My understanding is that cleartext length fields are believed to be secure,
>in that the only thing leaked are message boundaries.

They actually leak nothing, in that encrypting the length provides no security
benefit at all.  See for example "Peek-a-Boo, I Still See You: Why Efficient
Traffic Analysis Countermeasures Fail" by Dyer, Coull, Ristenpart and
Shrimpton. Their analysis, of TLS traffic with unencrypted lengths, completely
ignores TLS' plaintext length fields because they're irrelevant.

The encryption-of-lengths debate is a classic example of the assume-a-can-
opener problem:

  A physicist, a chemist, and an economist were stranded on a desert island
  with no implements and a can of food. The physicist and the chemist each
  devised an ingenious mechanism for getting the can open; the economist
  merely said, "Assume we have a can opener".

Instead of debating endlessly over the most efficient way to apply the assumed
can opener (encryption of lengths), we need to look at whether it serves any
purpose (as Dyer et al. point out, it doesn't), and if it does serve a purpose,
whether it's worth the tradeoffs involved in implementing it (for which see
the previous point).

Peter.
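The framing the thread is arguing about, as an added example that is not part of the original message or of any SSH implementation: it builds RFC 4253-style packets (uint32 packet_length, padding_length, payload, padding, then a tag) two ways, once with the length field in the clear and authenticated (the shape of the -etm@openssh.com and AES-GCM modes) and once with the length field encrypted under a separate keystream (the shape of chacha20-poly1305@openssh.com), and then reports what a passive observer reads straight off the wire in each case. The cipher and tag are a toy HMAC-SHA256 construction so the example runs on the standard library; the key and payloads are constructed values, and the function and constant names are this example's own, not names from any SSH code base.

```python
"""Added example: cleartext vs encrypted SSH length fields, seen from the wire."""
import hashlib
import hmac
import struct

BLOCK = 8          # RFC 4253 minimum block size used for the padding rule
TAG_LEN = 16       # tag size, as for the AES-GCM / chacha20-poly1305 tags

# Constructed values for the demo; not a real session key or real traffic.
KEY = hashlib.sha256(b"constructed example key").digest()
PAYLOADS = [b"", b"abc", b"hello", b"x" * 20]


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256, keyed per packet sequence
    number. Stand-in for the real cipher (AES-CTR/GCM, ChaCha20), not SSH's."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QQ", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tag(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy authentication tag over seq || data (stand-in for the MAC/AEAD tag)."""
    return hmac.new(key, struct.pack(">I", seq) + data, hashlib.sha256).digest()[:TAG_LEN]


def ssh_body(payload: bytes) -> bytes:
    """RFC 4253 section 6 body: padding_length || payload || padding, such that
    4 + len(body) is a multiple of BLOCK and there are at least 4 padding bytes.
    Real SSH uses random padding; zeros keep this example deterministic."""
    pad = BLOCK - ((5 + len(payload)) % BLOCK)
    if pad < 4:
        pad += BLOCK
    return bytes([pad]) + payload + bytes(pad)


def frame_cleartext_length(payload: bytes, seq: int, key: bytes) -> bytes:
    """packet_length in the clear, body encrypted, tag over length || ciphertext
    (the length is authenticated as associated data but not hidden)."""
    body = ssh_body(payload)
    length = struct.pack(">I", len(body))
    ct = xor(body, keystream(key, seq, len(body)))
    return length + ct + tag(key, seq, length + ct)


def frame_encrypted_length(payload: bytes, seq: int, key: bytes) -> bytes:
    """packet_length encrypted under a separately derived key, then the body
    encrypted and the whole thing tagged (chacha20-poly1305@openssh.com shape)."""
    body = ssh_body(payload)
    length = struct.pack(">I", len(body))
    len_key = hashlib.sha256(b"length-key|" + key).digest()   # toy separate key
    enc_len = xor(length, keystream(len_key, seq, 4))
    ct = xor(body, keystream(key, seq, len(body)))
    return enc_len + ct + tag(key, seq, enc_len + ct)


def observer_per_write(writes):
    """Observer who sees one TCP write per SSH packet: the size of every packet
    is visible from the segment sizes alone, whatever the length field holds."""
    return [len(w) for w in writes]


def observer_parse_cleartext_lengths(stream: bytes):
    """Observer given only the coalesced byte stream of cleartext-length frames:
    walking the packet_length fields recovers every packet boundary."""
    sizes, off = [], 0
    while off < len(stream):
        (n,) = struct.unpack(">I", stream[off:off + 4])
        total = 4 + n + TAG_LEN
        sizes.append(total)
        off += total
    return sizes


def compare(payloads=PAYLOADS, key=KEY):
    """What each observer learns under each framing, for the same payloads."""
    clear = [frame_cleartext_length(p, i, key) for i, p in enumerate(payloads)]
    enc = [frame_encrypted_length(p, i, key) for i, p in enumerate(payloads)]
    return {
        "per_write_cleartext": observer_per_write(clear),
        "per_write_encrypted": observer_per_write(enc),
        "coalesced_cleartext": observer_parse_cleartext_lengths(b"".join(clear)),
        "coalesced_encrypted": [len(b"".join(enc))],   # only the total is readable
    }


if __name__ == "__main__":
    for name, sizes in compare().items():
        print(f"{name:22s} {sizes}")
```

With one write per packet, which is how SSH implementations normally send, both framings hand the observer the identical list of packet sizes, so the encrypted length field has hidden nothing. Only when packets are coalesced into one byte stream does the encrypted-length variant withhold the boundaries, and whether those boundaries are worth anything to an attacker is exactly the question Dyer et al. examine; the code shows what is on the wire, not whether it matters.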

