DOI: 10.1145/586110.586112

Authenticated encryption in SSH: provably fixing the SSH binary packet protocol

Published: 18 November 2002

ABSTRACT

The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol or to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
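The mechanism the abstract refers to is SSH's Binary Packet Protocol: the packet is encoded (length, padding length, payload, random padding), encrypted, and separately MACed together with a 32-bit sequence number that both sides count but never transmit, and the receiver's decryption is stateful. The following is an added example, not code from the paper, of that stateful Encode-then-Encrypt-and-MAC construction using counter-mode encryption, which is one of the fixes the paper proposes (SSH-CTR). Assumptions made here that are not in the abstract: HMAC-SHA256 stands in for the AES block function inside CTR mode so the example runs on the standard library alone, the receiver treats any failure as fatal and refuses all later packets the way an SSH peer drops the connection, and the sample payloads and the bit-flip in `demo()` are constructed inputs.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16     # cipher block size (AES-sized)
MAC_LEN = 32   # HMAC-SHA256 tag length
MIN_PAD = 4    # SSH requires at least four bytes of random padding


def _keystream_block(key: bytes, counter: int) -> bytes:
    # CTR mode needs only a PRF on the counter. ASSUMPTION: HMAC-SHA256 stands in for AES here.
    return hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, counter: int, data: bytes) -> tuple:
    """XOR data with the CTR keystream starting at counter; return (output, next counter)."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = _keystream_block(key, counter)
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
        counter = (counter + 1) % (1 << 128)
    return bytes(out), counter


def encode_packet(payload: bytes) -> bytes:
    """SSH BPP encoding: uint32 packet_length | byte padding_length | payload | random padding.
    The whole packet is a multiple of the block size and padding is at least MIN_PAD bytes."""
    pad_len = BLOCK - (4 + 1 + len(payload)) % BLOCK
    if pad_len < MIN_PAD:
        pad_len += BLOCK
    packet_length = 1 + len(payload) + pad_len
    return struct.pack(">IB", packet_length, pad_len) + payload + os.urandom(pad_len)


def _tag(mac_key: bytes, seq: int, pkt: bytes) -> bytes:
    # The 32-bit sequence number is MACed but never sent: each side counts on its own.
    return hmac.new(mac_key, struct.pack(">I", seq) + pkt, hashlib.sha256).digest()


class IntegrityError(Exception):
    pass


class Sender:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seq, self.ctr = 0, 0          # sequence number and CTR block counter

    def seal(self, payload: bytes) -> bytes:
        pkt = encode_packet(payload)
        tag = _tag(self.mac_key, self.seq, pkt)             # MAC over the plaintext (Encrypt-and-MAC)
        ct, self.ctr = ctr_xor(self.enc_key, self.ctr, pkt)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return ct + tag


class Receiver:
    # Stateful decryptor. ASSUMPTION: any failure is final, like an SSH peer dropping the connection.
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seq, self.ctr, self.dead = 0, 0, False

    def open(self, wire: bytes) -> bytes:
        if self.dead:
            raise IntegrityError("channel closed after earlier failure")
        try:
            return self._open(wire)
        except IntegrityError:
            self.dead = True
            raise

    def _open(self, wire: bytes) -> bytes:
        if len(wire) < BLOCK + MAC_LEN:
            raise IntegrityError("short packet")
        ct, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
        # A streaming receiver must decrypt the first block to find packet_length before it can
        # locate the tag, so this check runs before MAC verification and must fail closed.
        head, _ = ctr_xor(self.enc_key, self.ctr, ct[:BLOCK])
        packet_length = struct.unpack(">I", head[:4])[0]
        if 4 + packet_length != len(ct) or len(ct) % BLOCK:
            raise IntegrityError("bad packet length")
        pkt, next_ctr = ctr_xor(self.enc_key, self.ctr, ct)
        if not hmac.compare_digest(tag, _tag(self.mac_key, self.seq, pkt)):
            raise IntegrityError("MAC failure")
        pad_len = pkt[4]
        if pad_len < MIN_PAD or 1 + pad_len > packet_length:
            raise IntegrityError("bad padding length")
        self.ctr, self.seq = next_ctr, (self.seq + 1) & 0xFFFFFFFF
        return pkt[5:4 + packet_length - pad_len]


def demo() -> dict:
    """Constructed run: two packets in order, a third with one ciphertext bit flipped, then a genuine fourth."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    s, r = Sender(enc_key, mac_key), Receiver(enc_key, mac_key)
    wire = [s.seal(m) for m in (b"first", b"second", b"third", b"fourth")]
    out = {"in_order": [r.open(w) for w in wire[:2]]}
    tampered = bytearray(wire[2])
    tampered[6] ^= 0x01        # CTR is malleable: this flips one payload bit; the MAC must catch it
    for name, w in (("tamper", bytes(tampered)), ("after_failure", wire[3])):
        try:
            r.open(w)
            out[name] = "accepted"
        except IntegrityError as e:
            out[name] = str(e)
    return out
```

Two things worth noticing when running it. Because the sequence number is part of the MACed data but not of the wire bytes, a replayed or reordered packet carries a tag that no longer matches the receiver's counter, so replay detection costs nothing on the wire; and because the receiver must decrypt the length field before it can verify the tag, the length check is the one place where a decision is taken on unauthenticated plaintext, which is why it rejects anything that is not exactly the expected size and then kills the session rather than continuing.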


Published in

CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, November 2002, 284 pages
ISBN: 1581136129
DOI: 10.1145/586110
Copyright © 2002 ACM
Publisher: Association for Computing Machinery, New York, NY, United States
