On 27/05/15 11.07, Dirk-Willem van Gulik wrote:> As a practical suggestion - we ran for a while with a hack where we abuse the version human readable string with a > base64 string of a _salted_ hash of the server we where trying to get to. > > Sharing both salt and hash. > > This let the server figure out the right key to present without too much ado; but without leaking all that much*. The idea was to make it a tiny bit more costly to get a decent selector really early in a connection.That approach seems to rely on the proxy knowing the full list of possible hostnames in advance. In my case the proxy doesn't know the list of hostnames in advance.> > However - as keeping a few 10?s of packets in state is no longer that costly; key init and exchange always start at a packet; And the DH modulus (identical but for its last for bytes) in the DH group exchange (31) and what not follow soon thereafter; it seems all a bit superfluous.That sentence I did not understand. Could you elaborate or explain it differently? -- Kasper Dupont -- Rigtige m?nd skriver deres egne backupprogrammer #define _(_)"d.%.4s%."_"2s" /* This is my email address */ char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
On 27 May 2015, at 12:09, Kasper Dupont <kasperd at fzcpf.25.may.2015.kasperd.net> wrote:> > On 27/05/15 11.07, Dirk-Willem van Gulik wrote: >> As a practical suggestion - we ran for a while with a hack where we abuse the version human readable string with a >> base64 string of a _salted_ hash of the server we where trying to get to. >> >> Sharing both salt and hash. >> >> This let the server figure out the right key to present without too much ado; but without leaking all that much*. The idea was to make it a tiny bit more costly to get a decent selector really early in a connection. > > That approach seems to rely on the proxy knowing the full > list of possible hostnames in advance. In my case the > proxy doesn't know the list of hostnames in advance.Correct.>> However - as keeping a few 10?s of packets in state is no longer that costly; key init and exchange always start at a packet; And the DH modulus (identical but for its last four bytes) in the DH group exchange (31) and what not follow soon thereafter; it seems all a bit superfluous. > > That sentence I did not understand. Could you elaborate > or explain it differently?One could argue that putting the host name as plain text in the initial unencrypted exchange is leaking something (ignoring the DNS aspect here). As this a) reveals whom you are talking to and b) may be a good trigger/selector for something pen-register/trap/trace. However a bit later in the exchange we get, in the clear, a somewhat finger printable list of possible cyphers supported (Key Exchange Init) is flashed by the server in the clear. Followed a packet later by the Diffie-Hellman Group Exchange Group; which contains the DH modulus in the clear (from the list of some 200 pre calculated safe primes, ?ssh/moduli'; in groups of 40; that are identical but for the last 4 bytes or so). So I guess that that makes not revealing some identifier as to whom you want to talk a bit of a moot point; as a few packets later it is revealed anyway. Dw.
On 27/05/15 12.41, Dirk-Willem van Gulik wrote:> One could argue that putting the host name as plain text in the initial unencrypted exchange is leaking something (ignoring the DNS aspect here). > > As this a) reveals whom you are talking to and b) may be a good trigger/selector for something pen-register/trap/trace. > > However a bit later in the exchange we get, in the clear, a somewhat finger printable list of possible cyphers supported (Key Exchange Init) is flashed by the server in the clear. Followed a packet later by the Diffie-Hellman Group Exchange Group; which contains the DH modulus in the clear (from the list of some 200 pre calculated safe primes, ?ssh/moduli'; in groups of 40; that are identical but for the last 4 bytes or so). > > So I guess that that makes not revealing some identifier as to whom you want to talk a bit of a moot point; as a few packets later it is revealed anyway.Got it. And not to forget the host public key of the server is also being sent in clear during the key exchange. -- Kasper Dupont -- Rigtige m?nd skriver deres egne backupprogrammer #define _(_)"d.%.4s%."_"2s" /* This is my email address */ char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);