On 2010/11/09 (Nov), at 4:06 PM, Matthew Toseland wrote:

> > Yes, the padding is encrypted.
>>
>> btw, do resends have "new" random padding each time? If that is case
>> it would also not matter, b/c even a weak attacker could drop your
>> packets and correlate them to find the precise length (and ignore the
>> padding).
>
> No, they can't. On the current FNP, the hash (which includes the
> padding, as well as the 12 bytes of junk data i.e. hard randomness)
> goes first, and influences the encryption for the whole packet (as
> an IV). Plus the sequence number is encrypted. On new packet format,
> the crypto is determined by the IV which is generated from the
> packet number, but we never reuse packet numbers even on resends.

Then it sounds like the source of the padding is not important. I'd optimize for performance in this case. Weak-random is already a security improvement over just zeros (which might still be "acceptable" in this case).

--
Robert Hailey
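
The exchange above turns on whether a resend is encrypted under a fresh per-packet IV. The following is an added example, not part of the original thread and not Freenet's code: it compares what an on-path observer sees when a packet and its resend share a packet number versus when the number is never reused. The HMAC-SHA256 counter-mode keystream is a stand-in for FNP's actual cipher, and the key, payload, packet length and all function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = bytes(range(32))            # constructed session key
PAYLOAD = b"constructed payload"  # constructed message to be padded
PACKET_LEN = 64                   # payload + padding on the wire

def keystream(key, packet_number, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode, seeded by the packet number."""
    out = b""
    counter = 0
    while len(out) < length:
        block_id = packet_number.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block_id, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(packet_number, pad_byte):
    """Pad PAYLOAD to PACKET_LEN with pad_byte, then encrypt payload and padding together."""
    plain = PAYLOAD + bytes([pad_byte]) * (PACKET_LEN - len(PAYLOAD))
    return bytes(p ^ k for p, k in zip(plain, keystream(KEY, packet_number, PACKET_LEN)))

def shared_prefix(c1, c2):
    """Leading bytes that are identical in two ciphertexts seen on the wire."""
    n = 0
    for a, b in zip(c1, c2):
        if a != b:
            break
        n += 1
    return n

def resend_leak(reuse_packet_number, pad_first, pad_resend):
    """What an on-path observer learns by comparing a packet with its resend."""
    first = seal(7, pad_first)
    resend = seal(7 if reuse_packet_number else 8, pad_resend)
    return shared_prefix(first, resend)

if __name__ == "__main__":
    # Hypothetical design that reuses the number: changed padding exposes the boundary.
    print("reused number, changed padding:", resend_leak(True, 0xAA, 0x55))
    # Never-reused numbers, as described in the thread: even all-zero padding is fine.
    print("fresh number, zero padding:   ", resend_leak(False, 0x00, 0x00))
```

With a reused number the shared prefix equals the payload length exactly; with a fresh number the two ciphertexts diverge immediately regardless of what the padding bytes are.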