IETF-SSH archive
Re: draft-ietf-secsh-newmodes-01.txt: WG Last Call!
Bill Sommerfeld <sommerfeld%east.sun.com@localhost> writes:
> WG Members: please send comments on this document to this mailing list
> and the author as soon as possible.
Section 5.1, rekeying considerations, third paragraph, says
Similarly, the use of random (and unpredictable to
an adversary) padding will not prevent information leakage through
the underlying MAC [BKN].
I don't think this statement is quite right.
The attacker needs MACs for identical plaintexts to collide, and uses
this to confirm that a guessed plaintext and an actual plaintext
match. For fixed padding, this happens with probability 1, which implies
that a *single* chosen plaintext message is sufficient to confirm one
correctly guessed message. With four bytes of random padding, it
happens with probability (1/2)^32, which is a significant difference.
Reading of the BKN paper seems to confirm that random padding makes
the attack considerably less practical.
Of course, this doesn't mean that it's harmless to reuse the sequence
number. Reusing the sequence number makes it possible for an attacker
to replay ssh packets (this is also documented in the BKN paper).
To me, replay attacks are a more compelling reason to avoid sequence
number reuse than the information leak, and I think the newmodes
document should mention this class of attacks.
Regards,
/Niels
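The tag-comparison argument above, as an added example that is not part of the thread, the newmodes draft, or any SSH implementation. It builds the RFC 4253 MAC input (uint32 sequence number followed by the unencrypted binary packet) with HMAC-SHA1 under a constructed key, shows that a reused sequence number plus fixed padding lets a single chosen plaintext confirm a guessed packet by tag equality while four bytes of random padding reduce that to a 2^-32 chance, and shows that the same reused sequence number lets a captured packet verify again on replay whatever the padding was. The key, payloads and sequence numbers are constructed for the demonstration; the "honest sender" function stands in for an endpoint the attacker can get to MAC a chosen plaintext without learning the key.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values; not a real session key and not taken from any
# implementation. HMAC-SHA1 stands in for whatever MAC the session negotiated.
MAC_KEY = bytes(range(20))
FIXED_PADDING = b"\x00" * 4


def build_packet(payload: bytes, padding: bytes) -> bytes:
    """Unencrypted RFC 4253 binary packet: uint32 packet_length, byte
    padding_length, payload, padding. Block alignment of the total length
    is ignored here; it does not affect the argument."""
    packet_length = 1 + len(payload) + len(padding)
    return struct.pack(">IB", packet_length, len(padding)) + payload + padding


def ssh_mac(key: bytes, seqno: int, packet: bytes) -> bytes:
    """MAC over uint32 sequence_number || unencrypted_packet (RFC 4253 6.4)."""
    return hmac.new(key, struct.pack(">I", seqno) + packet, hashlib.sha1).digest()


def honest_sender_tag(seqno: int, payload: bytes, random_padding: bool) -> bytes:
    """The legitimate endpoint MACs a packet. The tag travels in the clear,
    so the attacker sees it, but the attacker never sees MAC_KEY."""
    padding = os.urandom(4) if random_padding else FIXED_PADDING
    return ssh_mac(MAC_KEY, seqno, build_packet(payload, padding))


def guess_confirmed_by_tag(victim_tag: bytes, seqno: int, guess: bytes,
                           random_padding: bool) -> bool:
    """BKN-style confirmation: the attacker gets the honest sender to MAC a
    chosen plaintext (the guess) under the same, reused sequence number and
    compares the two tags.
    Fixed padding: same payload -> same MAC input -> tags equal (prob. 1).
    Random padding: 4 unknown pad bytes differ, so the tags are equal with
    probability 2^-32 even when the guess is right."""
    chosen_tag = honest_sender_tag(seqno, guess, random_padding)
    return hmac.compare_digest(victim_tag, chosen_tag)


def attack_outcomes(secret: bytes, guess: bytes) -> dict:
    """Run the confirmation test for both padding policies, with sequence
    number 7 reused for the victim packet and the chosen packet."""
    seqno = 7
    fixed_victim = honest_sender_tag(seqno, secret, random_padding=False)
    random_victim = honest_sender_tag(seqno, secret, random_padding=True)
    return {
        "fixed_padding": guess_confirmed_by_tag(fixed_victim, seqno, guess, False),
        "random_padding": guess_confirmed_by_tag(random_victim, seqno, guess, True),
    }


def replay_accepted(packet: bytes, tag: bytes, receiver_seqno: int) -> bool:
    """Receiver-side MAC check. A captured (packet, tag) pair verifies again
    whenever the receiver's counter returns to the value it had when the
    packet was first sent. Random padding does not help here: the padding is
    part of the replayed packet, so the MAC input is reproduced exactly."""
    return hmac.compare_digest(ssh_mac(MAC_KEY, receiver_seqno, packet), tag)


if __name__ == "__main__":
    # Correct guess: confirmed under fixed padding, not under random padding.
    print(attack_outcomes(b"password: hunter2", b"password: hunter2"))
    # Wrong guess: never confirmed.
    print(attack_outcomes(b"password: hunter2", b"password: letmein"))
    # Replay: accepted when the sequence number repeats, rejected otherwise.
    pkt = build_packet(b"rm -rf /tmp/x", os.urandom(4))
    tag = ssh_mac(MAC_KEY, 42, pkt)
    print(replay_accepted(pkt, tag, 42), replay_accepted(pkt, tag, 43))
```

The random-padding case returning False for a correct guess is the 1 - 2^-32 outcome the post describes; an attacker would have to repeat the chosen-plaintext query on the order of 2^32 times to expect one collision, which is why the leak becomes impractical while replay stays a one-shot attack.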