IETF-SSH archive


Re: AEAD in ssh



> You'd need to point to actual analysis (of the kind done in Peek-a-boo) to show that it works.

If I restrict myself to sending the same amount of data, at regular intervals, independent of my packet queue; if I pick up packets from my queue if there are any, and send IGNORE messages otherwise; then this prevents keystroke analysis if done in 10 second bursts; and if I keep it up, it masks everything done on the connection.

A paper is not useful to show that this works. It evidently works. Yet, we cannot prove a negative. There are possible ways to get it wrong in practice.

If you can think of an attack, a paper can show if that particular attack is viable. But if you can't think of an attack, you can't write a paper to prove there isn't one.


> twenty years ago Tatu decided it was a good idea to use CRC32
> as an ICV, RC4 as a cipher, and encrypted lengths

By the same logic, Tatu also used C. Maybe we shouldn't use C because Tatu used that.


> So maybe we could do a profile for a special allegedly
> traffic-analysis resistant SSH, let's call it
> Data-oriented SSH or DoSSH,

You crack this joke, just after I pointed out that this costs 1 Mbps or less, whereas Netflix uses 3 - 5 Mbps. This is when Google Fiber is rolling out in the US, and we can expect 1 Gbps speeds to be normal in 15 years (if backward thinking people don't stop it).

You appear to be engaging in deliberate misunderstandings.

There's a repeated claim being made that there's an ongoing controversy about this topic. I'm now beginning to think that this would not be as much the case if we eliminated low-quality arguments.
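The constant-rate scheme described in the reply above, as an added simulation that is not code from the poster, the list, or any SSH implementation, and that does not model SSH's real packet framing. The frame size and send interval are constructed values. The shaper emits exactly one fixed-size frame per tick: queued application data if there is any (padded to the frame size, split across ticks if larger), otherwise an IGNORE frame. The point a defender wants to check is the one the reply makes: the timing and sizes a passive observer sees are identical for an idle session, irregular keystrokes and a bulk burst, and the price is a fixed queueing delay plus a constant bit rate whether or not the link is busy.

```python
"""Constant-rate traffic shaping: one fixed-size frame every tick, IGNORE
frames when nothing is queued. Added simulation, not from the thread."""
from collections import deque

FRAME_BYTES = 256   # fixed on-the-wire frame size; constructed value, not from the thread
TICK_MS = 20        # fixed send interval; constructed value, not from the thread


def shape(arrivals, duration_ms, frame_bytes=FRAME_BYTES, tick_ms=TICK_MS):
    """arrivals: list of (arrival_ms, payload_bytes) handed over by the application.
    Returns (frames, delivery): frames is the wire schedule as
    (send_ms, kind, wire_bytes); delivery maps an arrival's index to the tick
    at which its last byte left the host."""
    pending = deque(sorted((t, i, n) for i, (t, n) in enumerate(arrivals)))
    queue = deque()                 # entries are [arrival_index, bytes_remaining]
    frames, delivery = [], {}
    for now in range(0, duration_ms, tick_ms):
        # pick up everything the application handed us by this tick
        while pending and pending[0][0] <= now:
            _, idx, n = pending.popleft()
            queue.append([idx, n])
        room, carried = frame_bytes, False
        while queue and room > 0:
            head = queue[0]
            take = min(room, head[1])
            head[1] -= take
            room -= take
            carried = True
            if head[1] == 0:
                queue.popleft()
                delivery[head[0]] = now
        # the frame leaves at exactly frame_bytes whether it carries a full
        # payload, a partial one padded up, or nothing but an IGNORE message
        frames.append((now, "DATA" if carried else "IGNORE", frame_bytes))
    return frames, delivery


def observer_view(frames):
    """What a passive observer sees once contents are encrypted:
    only when each frame was sent and how large it was."""
    return [(t, size) for t, _kind, size in frames]


def data_frames(frames):
    """How many frames actually carried application data (hidden from the observer)."""
    return sum(1 for _t, kind, _size in frames if kind == "DATA")


def added_latency_ms(arrivals, delivery):
    """Queueing delay the shaper adds to each application packet."""
    return {i: delivery[i] - t for i, (t, _n) in enumerate(arrivals) if i in delivery}


def constant_rate_kbps(frame_bytes=FRAME_BYTES, tick_ms=TICK_MS):
    """Bandwidth the shaped link consumes at all times, idle or busy."""
    return frame_bytes * 8 / tick_ms


# Constructed workloads: an idle session, irregular keystrokes, one bulk burst.
IDLE = []
KEYSTROKES = [(3, 1), (57, 1), (62, 1), (410, 1)]
BURST = [(100, 1000)]
DURATION_MS = 600

if __name__ == "__main__":
    views = {name: observer_view(shape(w, DURATION_MS)[0])
             for name, w in (("idle", IDLE), ("keys", KEYSTROKES), ("burst", BURST))}
    print("observer sees identical schedules:", len(set(map(tuple, views.values()))) == 1)
    _, d = shape(KEYSTROKES, DURATION_MS)
    print("keystroke latency (ms):", added_latency_ms(KEYSTROKES, d))
    print("constant cost:", constant_rate_kbps(), "kbit/s")
```

The identical observer views are the property the reply claims; the latency dictionary and the constant bit rate are the cost it accepts. Shrinking the tick reduces latency and raises the fixed bandwidth; enlarging the frame does the reverse for bulk transfers, so the two knobs are where a deployment trades interactivity against overhead.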


