Abstract
The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
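The composition the title names, Encode-then-Encrypt-and-MAC with a stateful decryptor, is easiest to see in code. The block below is an added illustration and not code from the paper: it models the SSH binary packet layout (packet_length, padding_length, payload, padding) as the SSH transport draft specifies it, MACs the sequence number together with the plaintext packet, and encrypts with a stateful counter mode in the spirit of the authors' SSH-CTR proposal. Assumptions for the sake of a stdlib-only example: the block cipher is replaced by an HMAC-SHA256 keystream, the keys are constructed constants rather than key-exchange output, and the caller delivers whole messages (real SSH first decrypts one block to learn packet_length before it knows where the MAC starts).

```python
import hashlib
import hmac
import os
import struct

# Added example, not the paper's code. Encode-then-Encrypt-and-MAC as in SSH:
#   tag = HMAC(key_mac, seqno || plaintext_packet), ct = Enc(key_enc, plaintext_packet)
# Assumption: AES-CTR is stood in for by an HMAC-SHA256 counter-mode keystream,
# so the block runs with only the standard library; the composition is the point.

BLOCK = 16    # cipher block size
MAC_LEN = 32  # HMAC-SHA256 tag length
SEQ_MOD = 1 << 32

def encode(payload: bytes) -> bytes:
    """SSH-style encoding: >= 4 bytes of random padding, total length a multiple of BLOCK."""
    padlen = BLOCK - ((4 + 1 + len(payload)) % BLOCK)
    if padlen < 4:
        padlen += BLOCK
    packet_length = 1 + len(payload) + padlen  # bytes following the length field
    return struct.pack(">IB", packet_length, padlen) + payload + os.urandom(padlen)

def decode(packet: bytes) -> bytes:
    """Inverse of encode; only called on a packet whose MAC has already verified."""
    packet_length, padlen = struct.unpack(">IB", packet[:5])
    if 4 + packet_length != len(packet) or padlen < 4 or padlen >= packet_length:
        raise ValueError("malformed packet")
    return packet[5:4 + packet_length - padlen]

def keystream(key: bytes, first_block: int, nbytes: int) -> bytes:
    """Counter-mode keystream: PRF(key, block_index) over consecutive block indices."""
    out, blk = bytearray(), first_block
    while len(out) < nbytes:
        out += hmac.new(key, struct.pack(">Q", blk), hashlib.sha256).digest()[:BLOCK]
        blk += 1
    return bytes(out[:nbytes])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac(key: bytes, seqno: int, packet: bytes) -> bytes:
    # The 32-bit sequence number is MACed but never sent: both ends track it themselves.
    return hmac.new(key, struct.pack(">I", seqno) + packet, hashlib.sha256).digest()

class Sender:
    def __init__(self, key_enc: bytes, key_mac: bytes):
        self.key_enc, self.key_mac = key_enc, key_mac
        self.seqno, self.ctr = 0, 0  # packet sequence number, next keystream block index

    def send(self, payload: bytes) -> bytes:
        pkt = encode(payload)
        tag = mac(self.key_mac, self.seqno, pkt)  # MAC is over the plaintext packet
        ct = xor(pkt, keystream(self.key_enc, self.ctr, len(pkt)))
        self.ctr += len(pkt) // BLOCK
        self.seqno = (self.seqno + 1) % SEQ_MOD
        return ct + tag

class Receiver:
    """Stateful decryption: acceptance depends on the receiver's own seqno/ctr state."""
    def __init__(self, key_enc: bytes, key_mac: bytes):
        self.key_enc, self.key_mac = key_enc, key_mac
        self.seqno, self.ctr = 0, 0
        self.closed = False  # SSH tears the connection down after a MAC failure

    def recv(self, msg: bytes) -> bytes:
        if self.closed:
            raise ValueError("connection closed")
        if len(msg) < MAC_LEN + BLOCK or (len(msg) - MAC_LEN) % BLOCK:
            self.closed = True
            raise ValueError("bad length")
        ct, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
        pkt = xor(ct, keystream(self.key_enc, self.ctr, len(ct)))  # own counter, not the wire's
        if not hmac.compare_digest(tag, mac(self.key_mac, self.seqno, pkt)):
            self.closed = True
            raise ValueError("MAC failure")
        self.ctr += len(ct) // BLOCK
        self.seqno = (self.seqno + 1) % SEQ_MOD
        return decode(pkt)  # parse the encoding only after the MAC accepted it

KEY_ENC = bytes(range(32))      # constructed test keys; real ones come from the key exchange
KEY_MAC = bytes(range(32, 64))

def fresh():
    return Sender(KEY_ENC, KEY_MAC), Receiver(KEY_ENC, KEY_MAC)

def rejected(receiver: Receiver, msg: bytes) -> bool:
    try:
        receiver.recv(msg)
    except ValueError:
        return True
    return False

def run_scenarios() -> dict:
    """Honest in-order delivery succeeds; reordering, replay and tampering all fail the MAC."""
    s, r = fresh()
    a, b = s.send(b"ls -la"), s.send(b"exit")
    in_order = r.recv(a) == b"ls -la" and r.recv(b) == b"exit"

    s, r = fresh()
    a, b = s.send(b"ls -la"), s.send(b"exit")
    reorder = rejected(r, b)          # b was built for seqno 1; the receiver expects 0

    s, r = fresh()
    a = s.send(b"ls -la")
    r.recv(a)
    replay = rejected(r, a)           # identical bytes, but the receiver's state has advanced

    s, r = fresh()
    a = bytearray(s.send(b"ls -la"))
    a[5] ^= 0x01                      # flip one ciphertext bit inside the payload
    tamper = rejected(r, bytes(a))
    return {"in_order": in_order, "reorder_rejected": reorder,
            "replay_rejected": replay, "tamper_rejected": tamper}

if __name__ == "__main__":
    print(run_scenarios())
```

Two details carry the security argument. Because the MAC is computed over the plaintext (Encrypt-and-MAC), the sequence number inside the MAC input is what stops two packets with the same payload from producing the same tag; and because the sequence number and counter live only in endpoint state, an attacker who replays or reorders valid ciphertexts cannot make the receiver accept them, which is exactly what a security notion for stateful decryption has to capture. The receiver also checks the MAC before it parses the length and padding fields, so a malformed encoding never becomes a distinguishable error.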
Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm