IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
RE: AEAD in ssh
Niels Möller <nisse%lysator.liu.se@localhost> writes:
>My understanding is that cleartext length fields are believed to be secure,
>in that the only thing leaked are message boundaries.
They actually leak nothing, in that encrypting the length provides no security
benefit at all. See for example "Peek-a-Book, I Still See You: Why Efficient
Traffic Analysis Countermeasures Fail" by Dyer, Coult, Ristenpart and
Shrimpton. Their analysis, of TLS traffic with unencrypted lengths, completely
ignores TLS' plaintext length fields because they're irrelevant.
The encryption-of-lengths debate is a classic example of the assume-a-can-
opener problem:
A physicist, a chemist, and an economist were stranded on a desert island
with no implements and a can of food. The physicist and the chemist each
devised an ingenious mechanism for getting the can open; the economist
merely said, "Assume we have a can opener".
Instead of debating endlessly over the most efficient way to apply the assumed
can opener (encryption of lengths), we need to look at whether it serves any
purpose (as Dyer at el point out, it doesn't), and if it does serve a purpose,
whether it's worth the tradeoffs involved in implementing it (for which see
the previous point).
Peter.
Home |
Main Index |
Thread Index |
Old Index