[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Packet length: header vs. context



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 7, 2007, at 3:19 PM, Levi Broderick wrote:

>
> The reason for my original question was that I was unsure if such a
> packet could be used to undermine the security of any protocols in the
> system.  Now that I think about it, though, I don't see how it  
> could be
> done.  It's unlike other attacks that use the software as an oracle
> since public key information is - well - public. :)

In the pre-OpenPGP protocols, there were "comment" packets. We  
removed them because people worried about them being a "covert"  
channel. I put "covert" in quotes because the specific case Jeff  
Schiller (then Security AD) gave was of an implementation that  
lowered the security to 40 bits by putting N-40 in a comment. This is  
also why the marker packet is defined the way it is.

I remember talking to Jeff and said that someone could stick anything  
in packet slack space. He said, "That's different. We shouldn't give  
a *defined* place for a covert channel." He was right.

A sufficiently devious person can put covert channels nearly  
anywhere. (This is why steganography isn't an interesting discipline.  
It's very easy to think of mats to leave keys under.) You could, for  
example, leak key bits or even code a secondary message in OpenPGP  
with partials. Imagine that each partial is a bit, denoted by log2 
(size) & 1. Whee.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.5.2
Charset: US-ASCII

wj8DBQFFoYtMsTedWZOD3gYRAjCiAJ42W7RYoN+KZ63mZUxypbiHcLrzvwCfXZgh
CMmAF1nfvL1k9zUQKkUIiJ8=
=G8Mw
-----END PGP SIGNATURE-----