IETF-SSH archive


Re: Terrapin



Niels Möller wrote:

> One subtlety of resetting the sequence number to zero is that it risks
> breaking MSG_UNIMPLEMENTED (since the seqno may get ambiguous in some
> cases, e.g., if for some reason there are multiple key exchanges only a
> few packets apart). So please keep this in mind.

I agree. That's why the proposed idea is to maintain two distinct
sequence counters. We could keep the originally specified sequence
number untouched for MSG_UNIMPLEMENTED and also for legacy algorithms
that are not secure anymore. A separate counter that is reset on
NEWKEYS could be used for the new algorithms. This way, we do not have
to rely on a single counter and mess with it in order to work around
Terrapin.

> I see some value in the original seqno that is continuously incremented
> through out the connection, in that it makes it a little easier to think
> about correct packet order attacks regardless of the key exchange
> boundaries.

Yes, keeping the original sequence number as a unique packet identifier
looks like a good idea to me as well.

-- 
Alexandre
https://www.nongnu.org/libassh/
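To make the two-counter proposal concrete, the following is an added simulation written for this archive page; it is not code from libassh, from the thread participants, or from any IETF draft. It models one direction of a connection with a continuous `seq` (the original sequence number, used as the packet identifier for MSG_UNIMPLEMENTED) and a separate `mac_seq` that is reset to zero when NEWKEYS takes effect. The MAC is a toy HMAC over (counter || payload) standing in for the sequence-number binding in SSH's real MACs; the key, the message sequence, and the "attacker" that injects an unauthenticated SSH_MSG_IGNORE before NEWKEYS and then drops the first authenticated packet (the Terrapin prefix-truncation pattern) are constructed for the model. Message numbers are the RFC 4253 / RFC 8308 values.

```python
import hashlib
import hmac

# SSH message numbers (RFC 4253; EXT_INFO from RFC 8308).
SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21


def toy_mac(key, counter, payload):
    """Toy stand-in for an SSH MAC: the counter is bound into the tag the
    way the sequence number is in the real protocol (model assumption)."""
    return hmac.new(key, counter.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Endpoint:
    """One direction of a connection.  `seq` is the original continuous
    sequence number (never reset; what MSG_UNIMPLEMENTED would reference).
    `mac_seq` is the proposal's second counter, reset on NEWKEYS.  With
    reset_on_newkeys=False the two counters stay equal, i.e. today's single
    counter behaviour for legacy algorithms."""

    def __init__(self, key, reset_on_newkeys):
        self.key = key
        self.reset_on_newkeys = reset_on_newkeys
        self.seq = 0
        self.mac_seq = 0
        self.keys_active = False  # False during the unauthenticated KEX stage

    def _advance(self, msg_type):
        self.seq += 1
        self.mac_seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.keys_active = True
            if self.reset_on_newkeys:
                self.mac_seq = 0

    def send(self, msg_type, body=b""):
        payload = bytes([msg_type]) + body
        tag = toy_mac(self.key, self.mac_seq, payload) if self.keys_active else None
        self._advance(msg_type)
        return (payload, tag)

    def recv(self, packet):
        """Return (continuous seq of this packet, msg_type); raise on MAC failure."""
        payload, tag = packet
        if self.keys_active:
            expected = toy_mac(self.key, self.mac_seq, payload)
            if tag is None or not hmac.compare_digest(tag, expected):
                raise ValueError("MAC failure at seq %d (mac_seq %d)" % (self.seq, self.mac_seq))
        seqno, msg_type = self.seq, payload[0]
        self._advance(msg_type)
        return seqno, msg_type


def simulate(reset_on_newkeys, attacker_in_path):
    """Server->client direction: KEXINIT, NEWKEYS, EXT_INFO, SERVICE_ACCEPT.
    The attacker (if present) injects one IGNORE before NEWKEYS and drops
    EXT_INFO after it, keeping the total packet count aligned."""
    key = b"constructed-session-key-for-one-direction"  # constructed for the model
    server = Endpoint(key, reset_on_newkeys)
    client = Endpoint(key, reset_on_newkeys)

    wire = [server.send(SSH_MSG_KEXINIT)]
    if attacker_in_path:
        wire.append((bytes([SSH_MSG_IGNORE]), None))  # unauthenticated injection
    wire.append(server.send(SSH_MSG_NEWKEYS))
    ext_info = server.send(SSH_MSG_EXT_INFO)
    if not attacker_in_path:
        wire.append(ext_info)  # with the attacker present this packet is dropped
    wire.append(server.send(SSH_MSG_SERVICE_ACCEPT))

    received, seqs, mac_failure = [], [], False
    try:
        for pkt in wire:
            seqno, msg_type = client.recv(pkt)
            received.append(msg_type)
            seqs.append(seqno)
    except ValueError:
        mac_failure = True
    return {"received": received, "seqs": seqs, "mac_failure": mac_failure,
            "final_mac_seq": client.mac_seq}


if __name__ == "__main__":
    for reset in (False, True):
        for attacker in (False, True):
            print("reset_on_newkeys=%s attacker=%s -> %s" % (reset, attacker, simulate(reset, attacker)))
```

With the single counter (`reset_on_newkeys=False`) the client accepts KEXINIT, IGNORE, NEWKEYS and SERVICE_ACCEPT and never notices that EXT_INFO is gone, because the extra IGNORE kept the counters aligned. With the counter reset on NEWKEYS, the first authenticated packet after the drop carries `mac_seq` 1 while the client expects 0, so the MAC check fails. In both modes the continuous `seq` still numbers every packet 0, 1, 2, 3, which is the identifier the second quoted paragraph wants to keep for MSG_UNIMPLEMENTED.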


