ABSTRACT
The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol or to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
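The abstract's phrase "encryption schemes with stateful decryption algorithms" is the part a practitioner most needs to see concretely. In the SSH Binary Packet Protocol the MAC is computed over an implicit 32-bit packet sequence number and the plaintext packet (Encode-then-Encrypt-and-MAC), and the receiver keeps that sequence number itself rather than reading it off the wire, so whether a ciphertext is "valid" depends on the receiver's state, not on the bytes alone. The following Python is an added illustration of that construction, not code from the paper or from any SSH implementation. Assumptions: RFC 4253-style framing (uint32 packet_length, byte padding_length, payload, at least four bytes of padding), a counter-mode keystream derived with HMAC-SHA256 standing in for the block cipher so the example runs with the standard library only, whole packets delivered at once, and constructed keys and payloads. It shows what a stateful decryptor buys: a reordered, replayed, or bit-flipped packet fails verification even though each packet was once a correctly formed ciphertext.

```python
# Added example: toy model of SSH's Encode-then-Encrypt-and-MAC with a stateful
# decryptor. Assumes RFC 4253-style framing and an HMAC-SHA256 counter-mode
# keystream in place of the block cipher; keys and payloads are constructed.
import hashlib
import hmac
import os
import struct

BLOCK, TAG = 16, 32   # assumed cipher block size; HMAC-SHA256 tag length

def encode(payload):
    """uint32 packet_length | byte padding_length | payload | random padding."""
    padlen = BLOCK - ((4 + 1 + len(payload)) % BLOCK)
    if padlen < 4:                  # RFC 4253 requires at least 4 bytes of padding
        padlen += BLOCK
    return struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + os.urandom(padlen)

def decode(packet):
    """Inverse of encode(); rejects inconsistent framing."""
    packet_length, padlen = struct.unpack(">IB", packet[:5])
    if packet_length != len(packet) - 4 or padlen < 4 or padlen >= packet_length:
        raise ValueError("bad framing")
    return packet[5:4 + packet_length - padlen]

def keystream(enc_key, ctr, n):
    """n bytes of counter-mode keystream from block counter ctr; returns the next ctr.
    HMAC-SHA256 plays the PRF role a block cipher plays in real SSH (assumption)."""
    out = bytearray()
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n]), ctr

def tag_for(mac_key, seqno, packet):
    """Encrypt-and-MAC: the tag covers the implicit 32-bit sequence number and the
    plaintext packet; the sequence number itself never travels on the wire."""
    return hmac.new(mac_key, struct.pack(">I", seqno) + packet, hashlib.sha256).digest()

class Sender:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seqno, self.ctr = enc_key, mac_key, 0, 0

    def seal(self, payload):
        packet = encode(payload)
        tag = tag_for(self.mac_key, self.seqno, packet)
        ks, self.ctr = keystream(self.enc_key, self.ctr, len(packet))
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        return bytes(a ^ b for a, b in zip(packet, ks)) + tag

class Receiver:
    """Stateful decryptor: keeps its own seqno and counter; after one failure it
    refuses everything, like an SSH peer tearing the connection down."""
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seqno, self.ctr, self.dead = enc_key, mac_key, 0, 0, False

    def open(self, wire):
        if self.dead:
            raise ValueError("connection closed after an earlier failure")
        ciphertext, tag = wire[:-TAG], wire[-TAG:]   # simplification: whole packet arrives at once
        ks, ctr = keystream(self.enc_key, self.ctr, len(ciphertext))
        packet = bytes(a ^ b for a, b in zip(ciphertext, ks))
        if not hmac.compare_digest(tag, tag_for(self.mac_key, self.seqno, packet)):
            self.dead = True
            raise ValueError("MAC failure")
        self.ctr, self.seqno = ctr, (self.seqno + 1) & 0xFFFFFFFF   # advance only after the tag verifies
        return decode(packet)

def keys():
    """Constructed demo keys; a real session derives them from the key exchange."""
    return hashlib.sha256(b"demo-enc").digest(), hashlib.sha256(b"demo-mac").digest()

def roundtrip(payloads):
    """Seal and open the payloads in order; returns what the receiver recovers."""
    s, r = Sender(*keys()), Receiver(*keys())
    return [r.open(s.seal(p)) for p in payloads]

def attacks_rejected():
    """Each case is a once-valid ciphertext (or one bit away from it); all are
    rejected because the receiver's state no longer matches the packet."""
    s, r = Sender(*keys()), Receiver(*keys())
    first, second = s.seal(b"ls -la\n"), s.seal(b"cat /etc/hostname\n")
    tampered = bytearray(first)
    tampered[5] ^= 0x01                       # flip one bit in the encrypted payload
    r.open(first)                             # legitimate delivery, before the replay below
    cases = {"reorder": (Receiver(*keys()), second),      # second packet arrives first
             "tamper": (Receiver(*keys()), bytes(tampered)),
             "replay": (r, first)}
    results = {}
    for name, (rx, wire) in cases.items():
        try:
            rx.open(wire)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

`roundtrip` shows the honest path, with sender and receiver advancing the sequence number and counter in lockstep; `attacks_rejected` shows the three cases a stateless check of the bytes alone would not catch. Real implementations must also decrypt the first block to learn `packet_length` before they know where the tag begins, which the whole-packet simplification above hides.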
- J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In L. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS, pages 83--107. Springer-Verlag, Apr. 2002.
- M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In Proc. of the 38th FOCS, pages 394--403. IEEE Computer Society Press, 1997.
- M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. In Y. Desmedt, editor, CRYPTO '94, volume 839 of LNCS, pages 341--358. Springer-Verlag, Aug. 1994.
- M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: Provably fixing the SSH Binary Packet Protocol. Cryptology ePrint Archive, Report 2002/078, 2002. http://eprint.iacr.org/.
- M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 531--545. Springer-Verlag, Dec. 2000.
- M. Bellare and P. Rogaway. Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 317--330. Springer-Verlag, Dec. 2000.
- S. Bellovin. Problem areas for the IP security protocols. In Proceedings of the 6th USENIX Security Symposium, San Jose, California, July 1996.
- S. Bellovin and M. Blaze. Cryptographic modes of operation for the Internet. In Second NIST Workshop on Modes of Operation, 2001.
- R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, pages 451--472. Springer-Verlag, 2001.
- W. Dai. An attack against SSH2 protocol, Feb. 2002. Email to the [email protected] email list.
- DES modes of operation. National Institute of Standards and Technology, NIST FIPS PUB 81, U.S. Department of Commerce, Dec. 1980.
- W. Diffie and M. E. Hellman. Privacy and authentication: An introduction to cryptography. Proceedings of the IEEE, 67(3):397--427, Mar. 1979.
- V. Gligor and P. Donescu. Fast encryption and authentication: XCBC encryption and XECB authentication modes. In FSE 2001, LNCS. Springer-Verlag, 2001.
- O. Goldreich, S. Goldwasser, and S. Micali. On the cryptographic applications of random functions. In G. R. Blakley and D. Chaum, editors, CRYPTO '84, volume 196 of LNCS, pages 276--288. Springer-Verlag, 1985.
- S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270--299, 1984.
- C. Hall, I. Goldberg, and B. Schneier. Reaction attacks against several public-key cryptosystems. In Proceedings of Information and Communication Security, ICICS '99, 1999.
- Internet Engineering Task Force. Secure Shell (secsh) charter, 2002. http://www.ietf.org/html.charters/secsh-charter.html.
- C. Jutla. Encryption modes with almost free message integrity. In B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, pages 529--544. Springer-Verlag, May 2001.
- J. Katz and M. Yung. Unforgeable encryption and chosen ciphertext secure modes of operation. In B. Schneier, editor, FSE 2000, volume 1978 of LNCS, pages 284--299. Springer-Verlag, Apr. 2000.
- H. Krawczyk. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In J. Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 310--331. Springer-Verlag, Aug. 2001.
- H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-hashing for message authentication. IETF Internet Request for Comments 2104, Feb. 1997.
- H. Lipmaa, P. Rogaway, and D. Wagner. CTR-mode encryption. In First NIST Workshop on Modes of Operation, 2000.
- P. Rogaway. Problems with proposed IP cryptography, 1995. Available at http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt.
- P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: A block-cipher mode of operation for efficient authenticated encryption. In Proc. of the 8th CCS, pages 196--205. ACM Press, 2001.
- D. X. Song, D. Wagner, and X. Tian. Timing analysis of keystrokes and timing attacks on SSH. In Tenth USENIX Security Symposium, 2001.
- S. Vaudenay. Security flaws induced by CBC padding -- applications to SSL, IPSEC, WTLS ....
- T. Ylonen. SSH --- Secure login connections over the Internet. In Sixth USENIX Security Symposium, 1996.
- T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen. SSH transport layer protocol, 2002. Draft 12, available from the IETF secsh charter page [17].
Index Terms
- Authenticated encryption in SSH: provably fixing the SSH binary packet protocol