Da RFC 4253 :
Each packet is in the following format:
uint32 packet_length
byte padding_length
byte[n1] payload; n1 = packet_length - padding_length - 1
byte[n2] random padding; n2 = padding_length
byte[m] mac (Message Authentication Code - MAC); m = mac_length
[...]
random padding
Arbitrary-length padding, such that the total length of
(packet_length || padding_length || payload || random padding)
is a multiple of the cipher block size or 8, whichever is
larger. There MUST be at least four bytes of padding. The
padding SHOULD consist of random bytes. The maximum amount of
padding is 255 bytes.
Perché SSH richiede (o raccomanda con SHOULD) il riempimento casuale , a differenza del riempimento non casuale?
E perché RFC 4344 dice che non è necessario quando usi la modalità CTR?
As an additional note, when one of the stateful-decryption counter
mode encryption methods (Section 4) is used, then the padding
included in an SSH packet (Section 4 of [RFC4253]) need not be (but
can still be) random. This eliminates the need to generate
cryptographically secure pseudorandom bytes for each packet.