
Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm

Published: 01 May 2004

Abstract

The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.



Reviews

Jesus Villadangos

Bellare, Kohno, and Namprempre analyze the authentication encryption scheme of the secure shell (SSH) protocol. They present the building blocks of the SSH protocol, focusing their attention on the binary packet protocol (BPP) responsible for the underlying symmetric encryption and authentication of all messages in an SSH session. The SSH BPP component states that it should be used in cipher block chaining (CBC) mode encryption, with chained initialization vectors (IVs). However, it has been proven previously that CBC mode is insecure, and this insecurity is propagated to SSH. The authors propose modifications to the SSH that satisfy the strongest notions of security, in the sense that they will resist chosen-plaintext and chosen-ciphertext privacy attacks, as well as forgery, replay, and out-of-order delivery attacks. The main objective of the designs is to provide efficient and provably secure alternatives.

The authors provide alternatives to the SSH authenticated encryption mechanism. First is the use of randomized CBC mode encryption, which results in having to encipher more blocks than original SSH, and at least one more full block of random padding. Another alternative is the modification of the CBC mode, where IV is generated with different keys. In this case, random padding is not required. The next option considers the use of the encryption scheme with a variant of counter mode, in which the sender and the receiver maintain a copy of the counter. Instead, to maintain the SSH philosophy, a new paradigm is proposed called the encrypt-then-MAC. In this case, the message is first encrypted, and then the resulting ciphertext is MACed with an underlying message authentication scheme. However, this alternative requires more intrusive modifications to the current SSH. Finally, the last option is to use a symmetric key-based authenticated encryption scheme, from scratch. This option implies a modification of the SSH standard, or replacement of the current encryption scheme in the SSH design. The implementation has some drawbacks, because of the use of counters by the proposed alternative; as the authors say, however, the inelegant solution to overcome this problem is to modify the interpretation of internal SSH counters.

One very interesting part of the paper discusses the extension of the notions of privacy and integrity, to encryption schemes with state description algorithms. Such notions are, as stated by the authors, more appropriate for applications that require a higher level of protection, such as protection against out-of-order delivery attacks. The paper presents rigorous proofs, based on the idea of reduction-based provable security. Using this approach, the authors provide some atomic primitives (hard problems), on whose computational hardness the security of the desired alternative is based. They present their notion of security, and the adversary models. The former captures the security objectives of the alternatives, and the latter determines the conditions in which the adversary operates. This technique supports the conclusion that the only way to defeat the desired alternative in the prescribed models is to break the underlying primitives. The paradigm is used in this paper to compare the resources required to break the primitives, and the alternative.

I consider the main contribution of this paper to be the authors' provable security-based analysis of the BPP authenticated encryption mechanism. This analysis allows them to find some problems with the SSH protocol. The authors then provide some secure alternatives to the SSH protocol. These proposals are discussed and evaluated, in terms of efficiency and necessary modifications in the SSH protocol. I consider the paper to be very interesting, due to its presentation of a paradigm to reason about security, in terms of primitive constructs and adversary models. The paper provides several examples of the paradigm applied to the SSH protocol, and some alternatives to such protocol. The paper proposes some alternatives that make the SSH protocol provably secure. Some of these, as the authors declare, require modifications of the standard itself. However, such consideration should be taken into account, in order to provide more secure channels.
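The following is an added illustration, not code from the paper or the reviewer, of the counter-mode alternative the review describes: SSH's Encode-then-Encrypt-and-MAC packet layout kept as is, but with a block counter and packet sequence number maintained on both sides, so that a replayed or reordered packet decrypts under the wrong state and fails the MAC. The `Endpoint`, `encode` and `keystream` names are mine, and an HMAC-SHA256 keystream stands in for the block cipher so the example runs with the standard library only.

```python
import hashlib, hmac, os, struct
BLOCK, TAG = 16, 32  # cipher block size (as for AES) and HMAC-SHA256 tag length

def keystream(enc_key: bytes, counter: int, nblocks: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 stands in for the block cipher (assumption)."""
    return b"".join(hmac.new(enc_key, (counter + i).to_bytes(BLOCK, "big"),
                             hashlib.sha256).digest()[:BLOCK] for i in range(nblocks))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode(payload: bytes) -> bytes:
    """SSH BPP encoding: packet_length(4) | padding_length(1) | payload | random padding."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:  # at least four bytes of padding; total length a multiple of BLOCK
        pad += BLOCK
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)

class Endpoint:  # hypothetical helper: one direction of a stateful SSH-CTR channel
    def __init__(self, enc_key: bytes, mac_key: bytes):
        # both sides keep the block counter and the packet sequence number
        self.enc_key, self.mac_key, self.ctr, self.seqno, self.alive = enc_key, mac_key, 0, 0, True

    def tag(self, pkt: bytes) -> bytes:
        # Encrypt-and-MAC as in SSH: the MAC covers the sequence number and the plaintext packet
        return hmac.new(self.mac_key, struct.pack(">I", self.seqno) + pkt, hashlib.sha256).digest()

    def send(self, payload: bytes) -> bytes:
        pkt = encode(payload)
        ct = xor(pkt, keystream(self.enc_key, self.ctr, len(pkt) // BLOCK))
        out = ct + self.tag(pkt)
        self.ctr += len(pkt) // BLOCK
        self.seqno = (self.seqno + 1) % 2**32
        return out

    def recv(self, data: bytes):
        """Return the payload, or None (and close the channel) when the MAC fails."""
        if not self.alive or len(data) < BLOCK + TAG or (len(data) - TAG) % BLOCK:
            return None
        ct, tag = data[:-TAG], data[-TAG:]
        pkt = xor(ct, keystream(self.enc_key, self.ctr, len(ct) // BLOCK))
        # A replayed or reordered packet decrypts under the wrong counter and fails the
        # check below; no decrypted field is trusted before the MAC verifies.
        if not hmac.compare_digest(tag, self.tag(pkt)):
            self.alive = False
            return None
        self.ctr += len(ct) // BLOCK
        self.seqno = (self.seqno + 1) % 2**32
        packet_length, padding_length = struct.unpack(">IB", pkt[:5])
        return pkt[5:4 + packet_length - padding_length]
```

Real SSH derives separate keys per direction and reads the encrypted length field to frame the packet on the wire; both are left out here to keep the state handling in view.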
