The meaning of the guessed key exchange packet - SSH

This is a discussion on The meaning of the guessed key exchange packet - SSH ; When sending the key exchange initialization packet in SSH version 2, either party can specify that immediately following will be a guessed key exchange packet. What is this packet? In a freshly started session, at that point in the message ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: The meaning of the guessed key exchange packet

  1. The meaning of the guessed key exchange packet

    When sending the key exchange initialization packet in SSH
    version 2, either party can specify that immediately following will be a
    guessed key exchange packet.

    What is this packet? In a freshly started session, at that point
    in the message exchange neither party is likely to have a clue about the
    capabilities of the other. What is the point of even attempting to guess
    anything? What is the guess all about anyway? The Diffie-Hellman group
    parameters? Isn't that like guessing lottery numbers - ie a statistically
    hopeless undertaking?

    The way the standard means for this work is difficult to
    understand. Well, I find it difficult to understand; it may just be me -
    hence my question here :-)

    The standard says, quote, After receiving the SSH_MSG_KEXINIT
    packet from the other side, each party will know whether their guess was
    right, unquote (RFC 4253, section 7.1) It seems to me though that the
    SSH_MSG_KEXINIT will be received from the other party BEFORE the guess is
    even formulated, much less sent.

    In summary, this looks like a totally useless feature to me -
    which probably means that I am missing something important.

    Can anybody throw some light on this?



  2. Re: The meaning of the guessed key exchange packet

    In article ,
    K. Jennings wrote:
    > In summary, this looks like a totally useless feature to me -
    >which probably means that I am missing something important.
    >
    > Can anybody throw some light on this?


    I think you are missing something important, so rather than trying to
    reply to all your ill-conceived questions, I'll try to explain what the
    guess is and why it's useful (if underused).

    The guessed packet is simply the first packet of the key exchange
    process, so something like SSH_MSG_KEXDH_INIT. Normally, a client can't
    send this before receiving an SSH_MSG_KEXINIT from the server, but the
    guessing mechanism allows it to send it in advance, with the
    understanding that it will be ignored if it's not appropriate. The
    point of this is to reduce the number of round-trips required to set up
    an SSH connection. For instance, without a guess, you get (assuming
    diffie-hellman KEX throughout):

    C->S: SYN
    S->C: SYN+ACK
    C->S: ACK, SSH-2.0-foo\n, SSH_MSG_KEXINIT
    S->C: SSH-2.0-foo\n, SSH_MSG_KEXINIT
    C->S: SSH_MSG_KEXDH_INIT
    S->C: SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS
    C->S: SSH_MSG_NEWKEYS, SSH_MSG_SERVICE_REQUEST
    etc.

    with a guess, you get:
    C->S: SYN
    S->C: SYN+ACK
    C->S: ACK, SSH-2.0-foo\n, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT
    S->C: SSH-2.0-foo\n, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS
    C->S: SSH_MSG_NEWKEYS, SSH_MSG_SERVICE_REQUEST
    etc.

    A saving of one round-trip, which might be half a second or more on a
    long link. Even if the guess is wrong, it doesn't do much harm:

    C->S: SYN
    S->C: SYN+ACK
    C->S: ACK, SSH-2.0-foo\n, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT
    S->C: SSH-2.0-foo\n, SSH_MSG_KEXINIT
    C->S: SSH_MSG_KEXDH_INIT
    S->C: SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS
    C->S: SSH_MSG_NEWKEYS, SSH_MSG_SERVICE_REQUEST
    etc.

    Even if the client knows nothing about the server, it may be worth its
    sending a guessed packet, either because it's very small (e.g. if it's
    guessed diffie-hellman-group-exchange-sha1), or because it knows that
    the majority of current servers agree with its preference. In any case,
    there are only four KEX methods in common use at present, so the
    likelihood of a correct guess is pretty good.

    --
    Ben Harris

  3. Re: The meaning of the guessed key exchange packet

    On Fri, 10 Aug 2007 18:55:17 +0100, Ben Harris wrote:

    > In article , K. Jennings
    > wrote:
    >> In summary, this looks like a totally useless feature to me -
    >>which probably means that I am missing something important.
    >>
    >> Can anybody throw some light on this?

    >
    > I think you are missing something important, so rather than trying to
    > reply to all your ill-conceived questions, I'll try to explain what the
    > guess is and why it's useful (if underused).
    >
    > The guessed packet is simply the first packet of the key exchange
    > process, so something like SSH_MSG_KEXDH_INIT. Normally, a client can't
    > send this before receiving an SSH_MSG_KEXINIT from the server, but the
    > guessing mechanism allows it to send it in advance, with the
    > understanding that it will be ignored if it's not appropriate. The
    > point of this is to reduce the number of round-trips required to set up
    > an SSH connection. For instance, without a guess, you get (assuming
    > diffie-hellman KEX throughout):
    >
    > C->S: SYN
    > S->C: SYN+ACK
    > C->S: ACK, SSH-2.0-foo\n, SSH_MSG_KEXINIT S->C: SSH-2.0-foo\n,
    > SSH_MSG_KEXINIT
    > C->S: SSH_MSG_KEXDH_INIT
    > S->C: SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS C->S: SSH_MSG_NEWKEYS,
    > SSH_MSG_SERVICE_REQUEST etc.
    >
    > with a guess, you get:
    > C->S: SYN
    > S->C: SYN+ACK
    > C->S: ACK, SSH-2.0-foo\n, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT S->C:
    > SSH-2.0-foo\n, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS
    > C->S: SSH_MSG_NEWKEYS, SSH_MSG_SERVICE_REQUEST etc.
    >
    > A saving of one round-trip, which might be half a second or more on a
    > long link. Even if the guess is wrong, it doesn't do much harm:
    >
    > C->S: SYN
    > S->C: SYN+ACK
    > C->S: ACK, SSH-2.0-foo\n, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT S->C:
    > SSH-2.0-foo\n, SSH_MSG_KEXINIT
    > C->S: SSH_MSG_KEXDH_INIT
    > S->C: SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS C->S: SSH_MSG_NEWKEYS,
    > SSH_MSG_SERVICE_REQUEST etc.
    >
    > Even if the client knows nothing about the server, it may be worth its
    > sending a guessed packet, either because it's very small (e.g. if it's
    > guessed diffie-hellman-group-exchange-sha1), or because it knows that
    > the majority of current servers agree with its preference. In any case,
    > there are only four KEX methods in common use at present, so the
    > likelihood of a correct guess is pretty good.


    Thanks for your feedback. I was under the impression though that
    for a guessed key exchange packet to be a hit, both the key exchange
    algorithm and server key type had to be guessed correctly. Anyway, I
    think I understand what you are saying - and, although not useless, its
    usefulness seems to be quite limited.




  4. Re: The meaning of the guessed key exchange packet

    In article ,
    K. Jennings wrote:
    >On Fri, 10 Aug 2007 18:55:17 +0100, Ben Harris wrote:
    >> Even if the client knows nothing about the server, it may be worth its
    >> sending a guessed packet, either because it's very small (e.g. if it's
    >> guessed diffie-hellman-group-exchange-sha1), or because it knows that
    >> the majority of current servers agree with its preference. In any case,
    >> there are only four KEX methods in common use at present, so the
    >> likelihood of a correct guess is pretty good.

    >
    > Thanks for your feedback. I was under the impression though that
    >for a guessed key exchange packet to be a hit, both the key exchange
    >algorithm and server key type had to be guessed correctly.


    Indeed. I had forgotten that.

    >Anyway, I
    >think I understand what you are saying - and, although not useless, its
    >usefulness seems to be quite limited.


    Indeed. I don't know of any implementation that sends guessed KEX
    packets.

    --
    Ben Harris

+ Reply to Thread