Plaintext Recovery Attacks against SSH

This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-14}$ and 32 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-18}$. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.
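The attacks only apply when the negotiated cipher runs in CBC mode, so one practical defence is to audit the cipher list an OpenSSH endpoint is configured with. The following audit helper is an added example, not code from the paper or from OpenSSH; it assumes OpenSSH's cipher naming convention (CBC-mode names contain "-cbc", CTR modes end in "-ctr", AEAD modes are the GCM and ChaCha20-Poly1305 names) and the `Ciphers` directive syntax where a leading `+`, `-` or `^` modifies the build's default list instead of replacing it.

```python
import re

# Assumption about OpenSSH naming: these are the AEAD cipher names; CBC modes
# carry "-cbc" in the name (aes128-cbc, 3des-cbc, rijndael-cbc@lysator.liu.se).
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "chacha20-poly1305@openssh.com"}

def classify_cipher(name: str) -> str:
    """Return 'cbc', 'ctr', 'aead' or 'other' for one OpenSSH cipher name."""
    n = name.strip().lower()
    if n in AEAD_CIPHERS:
        return "aead"
    if "-cbc" in n:
        return "cbc"
    if n.endswith("-ctr"):
        return "ctr"
    return "other"

def audit_ciphers_directive(config_text: str) -> dict:
    """Find the first uncommented 'Ciphers' line and list the CBC-mode entries.

    'mode' is 'explicit' (the line replaces the defaults), 'modify' (+/^ adds
    to the defaults) or 'default' (no line, or a '-' line that only removes
    names). In the 'default' and 'modify' cases the build's own default list
    is still in effect and must be checked separately, e.g. with `ssh -Q cipher`.
    """
    m = re.search(r"^\s*Ciphers\s+(\S+)", config_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        return {"directive": None, "cbc": [], "mode": "default"}
    spec = m.group(1)
    mode = "explicit"
    if spec[0] in "+^":
        mode = "modify"
        spec = spec[1:]
    elif spec[0] == "-":
        # A removal list enables nothing by itself; defaults still apply.
        return {"directive": m.group(1), "cbc": [], "mode": "default"}
    cbc = [c for c in spec.split(",") if classify_cipher(c) == "cbc"]
    return {"directive": m.group(1), "cbc": cbc, "mode": mode}

# Constructed sshd_config fragment (not from the paper) mixing CTR, CBC and AEAD.
SAMPLE_CONFIG = """# constructed example
Port 22
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com
"""

if __name__ == "__main__":
    print(audit_ciphers_directive(SAMPLE_CONFIG))
```

A non-empty `cbc` list means the endpoint will still accept a CBC-mode cipher and a peer that prefers one can negotiate it; removing those names (or switching to CTR/AEAD only) closes this attack class.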
