IETF-SSH archive


RE: AEAD in ssh



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>If I restrict myself to send the same amount of data, at regular intervals,
>independent of my packet queue; if I pick up packets from my queue if there
>are any, and send IGNORE messages otherwise; then this prevents keystroke
>analysis if done in 10 second bursts; and if I keep it up, it masks
>everything done on the connection.

Well, you *think* it does, in the same way that people once thought traffic
padding would mask everything on the connection (I'm assuming they did, given
that it's the only anti-TA measure present in both TLS and SSH).  Show me
empirical data of it resisting attacks of the kind described in Peekaboo and
other papers...

>You crack this joke, just after I pointed out that this costs 1 Mbps or less,
>whereas Netflix uses 3 - 5 Mbps. This is when Google Fiber is rolling out in
>the US, and we can expect 1 Gbps speeds to be normal in 15 years (if backward
>thinking people don't stop it).

Yeah, and that's part of the way-too-common thinking that in the future we'll
all have infinite CPU, infinite RAM, and infinite bandwidth that leads to
people creating totally unworkable Rube Goldberg contraptions of crypto
protocols.  A few days ago I got to review two proposed ISO standards for IoT
in which a bunch of networking engineers tried to invent some sort of crypto
mechanism that makes WEP look like a model of good design, because both TLS
and SSH are far too bloated to work for them.  It's not their fault, they're
networking engineers and shouldn't be expected to have to do this, but the
crypto community just assumes infinite resources and goes from there.  I've
got users who don't want to move from SHA-1 to SHA-256 because of the extra
size introduced by the larger MACs, and you're telling me that we can all
dream of 1GBPs in the near future...

Peter.
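
The constant-rate scheme described in the quoted text, as an added sketch that is not code from either poster or from any SSH implementation: one fixed-size packet leaves per tick, carrying queued data if there is any and an SSH_MSG_IGNORE otherwise. PACKET_LEN, the tick model and the sample inputs are assumptions; the sketch models packet sizes only (no encryption, MAC or TCP behaviour), so it shows the mechanism and its fixed cost, not resistance to the attacks the reply asks about.

```python
import struct
from collections import deque

SSH_MSG_IGNORE, SSH_MSG_CHANNEL_DATA = 2, 94  # RFC 4253 / RFC 4254 message numbers
PACKET_LEN = 128                   # assumed fixed pre-MAC packet size (multiple of 8)
MAX_DATA = PACKET_LEN - 5 - 9 - 4  # minus packet header, CHANNEL_DATA header, min padding

def frame(payload):
    """RFC 4253 binary packet layout, padded so every packet is PACKET_LEN bytes."""
    pad = PACKET_LEN - 5 - len(payload)
    if not 4 <= pad <= 255:
        raise ValueError("payload does not fit the fixed-size frame")
    # Zero padding keeps the demo deterministic; a real sender uses random padding.
    return struct.pack(">IB", PACKET_LEN - 4, pad) + payload + bytes(pad)

def shape(arrivals, ticks):
    """arrivals: {tick: bytes queued then}. Exactly one packet leaves per tick."""
    queue, wire = deque(), []
    for t in range(ticks):
        queue.extend(arrivals.get(t, b""))
        if queue:   # real data waiting: carry up to MAX_DATA bytes of it
            chunk = bytes(queue.popleft() for _ in range(min(len(queue), MAX_DATA)))
            payload = struct.pack(">BII", SSH_MSG_CHANNEL_DATA, 0, len(chunk)) + chunk
        else:       # nothing to send: cover traffic
            payload = struct.pack(">BI", SSH_MSG_IGNORE, MAX_DATA) + bytes(MAX_DATA)
        wire.append(frame(payload))
    return wire, len(queue)   # len(queue) = bytes still delayed when the run ends

def recover(wire):
    """Receiver side: discard IGNORE messages, reassemble CHANNEL_DATA."""
    out = b""
    for pkt in wire:
        payload = pkt[5:len(pkt) - pkt[4]]
        if payload[0] == SSH_MSG_CHANNEL_DATA:
            (n,) = struct.unpack(">I", payload[5:9])
            out += payload[9:9 + n]
    return out

def cost_bps(interval_s):
    """Bandwidth spent whether or not anything is typed."""
    return PACKET_LEN * 8 / interval_s

# Constructed inputs: a bursty interactive session and a completely idle one.
TYPING = {0: b"l", 1: b"s", 7: b" -la\n", 8: b"x" * 300}
IDLE = {}

if __name__ == "__main__":
    for name, arrivals in (("typing", TYPING), ("idle", IDLE)):
        wire, backlog = shape(arrivals, 20)
        print(name, sorted({len(p) for p in wire}), "backlog:", backlog)
```

The backlog value is the latency side of the trade: a burst larger than MAX_DATA per tick is delayed, not sent faster.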

