Re: Packet length: header vs. context
On Jan 7, 2007, at 3:19 PM, Levi Broderick wrote:
> The reason for my original question was that I was unsure if such a
> packet could be used to undermine the security of any protocols in the
> system. Now that I think about it, though, I don't see how it could be
> done. It's unlike other attacks that use the software as an oracle
> since public key information is - well - public. :)
In the pre-OpenPGP protocols, there were "comment" packets. We
removed them because people worried about them being a "covert"
channel. I put "covert" in quotes because the specific case Jeff
Schiller (then Security AD) gave was of an implementation that
lowered the security to 40 bits by putting N-40 in a comment. This is
also why the marker packet is defined the way it is.
I remember talking to Jeff and saying that someone could stick anything
in packet slack space. He said, "That's different. We shouldn't give
a *defined* place for a covert channel." He was right.
A sufficiently devious person can put covert channels nearly
anywhere. (This is why steganography isn't an interesting discipline.
It's very easy to think of mats to leave keys under.) You could, for
example, leak key bits or even code a secondary message in OpenPGP
with partials. Imagine that each partial is a bit, denoted by
log2(size) & 1. Whee.
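
Added example, not part of the original message: a defender-side check for the partial-length channel mentioned above. It walks the length headers of one new-format OpenPGP packet and flags chunk sizes that vary; treating mixed sizes as suspicious is an assumption about typical streaming writers, and `build_sample` produces constructed input.

```python
def partial_exponents(pkt: bytes) -> list[int]:
    """Return the power-of-two exponent of each partial body chunk."""
    if len(pkt) < 2 or pkt[0] & 0xC0 != 0xC0:
        raise ValueError("not a new-format packet header")
    pos, exps = 1, []
    while pos < len(pkt):
        o = pkt[pos]
        if 224 <= o < 255:            # partial body length = 1 << (o & 0x1F)
            exps.append(o & 0x1F)
            pos += 1 + (1 << (o & 0x1F))
            continue
        # Final (non-partial) length header: 1, 2 or 5 octets.
        hdr = 1 if o < 192 else 2 if o < 224 else 5
        head = pkt[pos:pos + hdr]
        if len(head) < hdr:
            break
        if hdr == 1:
            n = o
        elif hdr == 2:
            n = ((o - 192) << 8) + head[1] + 192
        else:
            n = int.from_bytes(head[1:], "big")
        if pos + hdr + n > len(pkt):
            break
        return exps
    raise ValueError("truncated packet: no complete final chunk")


def irregular(exps: list[int], min_first: int = 9) -> bool:
    """Heuristic (assumption): a writer streaming through a fixed buffer
    emits one chunk size, so mixed sizes deserve a look. Also reports a
    first chunk under 512 octets, which RFC 4880 does not allow."""
    return len(set(exps)) > 1 or (bool(exps) and exps[0] < min_first)


def build_sample(exps: list[int], tail: bytes = b"end") -> bytes:
    """Constructed input: tag 11 (literal data) header, zero-filled chunks,
    then a one-octet final length (tail must be shorter than 192 octets)."""
    out = bytearray([0xC0 | 11])
    for e in exps:
        out += bytes([224 + e]) + bytes(1 << e)
    return bytes(out + bytes([len(tail)]) + tail)


if __name__ == "__main__":
    for exps in ([9, 9, 9], [9, 10, 9, 10]):
        seen = partial_exponents(build_sample(exps))
        print(seen, "irregular" if irregular(seen) else "uniform")
```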