3

According to the end of RFC 4253 § 6, the random padding introduced to each SSH packet is an arbitrary multiple of 8. It mentions that random padding lengths can mitigate traffic analysis:

Note that the length of the concatenation of 'packet_length', 'padding_length', 'payload', and 'random padding' MUST be a multiple of the cipher block size or 8, whichever is larger. This constraint MUST be enforced, even when using stream ciphers. Note that the 'packet_length' field is also encrypted, and processing it requires special care when sending or receiving packets. Also note that the insertion of variable amounts of 'random padding' may help thwart traffic analysis.

Emphasis mine. I am aware that the padding contents themselves are required to be random, but does OpenSSH itself use random padding lengths for any cipher modes? The padding length field itself is encrypted for some modes. Looking at the source, it doesn't look like it uses padding of random lengths, but I am not particularly familiar with the internals of OpenSSH.

Community
  • 1
forest
  • 64,616
  • 20
  • 206
  • 257

1 Answers1

3

As per this article it does not, but I arrived at this topic seeking confirmation of this article to begin with so take it for what it's worth. The relevant quote from the article is:

OpenSSH does not implement the “random padding” feature of RFC4253 The secure shell protocol which says " the insertion of variable amounts of ‘random padding’ may help thwart traffic analysis". Until they fix that we can use this technique to detect tunnels.

forest
  • 64,616
  • 20
  • 206
  • 257
RedAero
  • 46
  • 2
  • This is what I suspected, thanks. I'm surprised that I didn't notice that part of the article. – forest Feb 14 '19 at 11:59