[mosh-devel] thoughts on mosh

Peter Jeremy peter at rulingia.com
Wed May 16 17:00:38 EDT 2012


On 2012-May-15 16:34:35 -0400, Keith Winstein <keithw at mit.edu> wrote:
>2) We do believe that the protocol provides confidentiality and
>authenticity for everything. The first 64 bits of the UDP payload is
>an incrementing nonce, and that should be the only thing you see in
>the clear. It serves the same purpose as the 32-bit TCP sequence
>number used in SSH and SSL/TLS (also obviously sent in the clear), or
>the 48-bit sequence number in DTLS, also in the clear. Generally
>speaking, you basically have to send the nonce in the clear.

This incrementing nonce does provide a very simple way to detect a
mosh session.  Even if you can't see the actual data, simple traffic
analysis can reveal information that users might prefer not to reveal.

A fairly simple way to hide this would be to encrypt the nonce (and
possibly the rest of the mosh header) using ECB.  During setup (which
is protected via SSH), the mosh server would return two keys - the
existing key used for encrypting the actual mosh session and a second
key used to encrypt the nonce.  Since the intent is just to whiten
the UDP packets and nonces don't repeat, the downsides of ECB aren't
important here.

Of course, this still leaves the periodic keepalive packets but
detecting a session this way takes more effort (and you could add some
jitter to the keepalives to make it less obvious).

-- 
Peter Jeremy
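
The whitening proposed in the message above, as an added example that is not part of the original post and is not mosh code. The post names no cipher, so XTEA (64-bit block, 128-bit key) stands in here because it runs with the standard library alone; the key, nonce values and function names are constructed for illustration.

```python
import struct

MASK, DELTA, ROUNDS = 0xFFFFFFFF, 0x9E3779B9, 32

def _f(v, s, kw):
    # XTEA round function, reduced mod 2^32.
    return (((((v << 4) & MASK) ^ (v >> 5)) + v) ^ (s + kw)) & MASK

def whiten(key, nonce8):
    """Sender: ECB-encrypt the 8-byte nonce (one block) under the second key."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", nonce8)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + _f(v1, s, k[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _f(v0, s, k[(s >> 11) & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def unwhiten(key, block8):
    """Receiver: recover the nonce before decrypting the payload."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block8)
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - _f(v0, s, k[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _f(v1, s, k[s & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def looks_like_counter(prefixes):
    """The traffic-analysis tell: first 8 payload bytes strictly increase."""
    vals = [int.from_bytes(p, "big") for p in prefixes]
    return len(vals) > 1 and all(b > a for a, b in zip(vals, vals[1:]))

def demo():
    nonce_key = bytes(range(16))                               # constructed key
    clear = [n.to_bytes(8, "big") for n in range(1000, 1020)]  # constructed nonces
    white = [whiten(nonce_key, c) for c in clear]
    return {
        "clear_flagged": looks_like_counter(clear),
        "white_flagged": looks_like_counter(white),
        "round_trip": [unwhiten(nonce_key, w) for w in white] == clear,
        "distinct_blocks": len(set(white)),
    }

if __name__ == "__main__":
    print(demo())
```

Every whitened block is distinct because the nonces never repeat, which is the property the message relies on when it sets aside ECB's usual weakness.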