Provable Security in Practice: Analysis of SSH and CBC mode with Padding

This thesis illustrates and examines the gap between theoretical and practical cryptography. Provable security is a useful tool that allows cryptographers to perform formal security analyses within a strict mathematical framework. Unfortunately, the formal models used in provable security sometimes fail to match how particular schemes or protocols are implemented in real life. We examine how certain types of attack are not covered by current techniques and show how this can be remedied by expanding existing security models to capture a much wider array of attacks.

We begin by studying padding oracle attacks, a powerful class of side-channel, plaintext-recovering attacks introduced by Vaudenay. These attacks have been shown to work in practice against CBC mode when it is implemented in certain ways; in particular, they have been demonstrated against certain implementations of SSL/TLS and IPsec. We develop new security models and proofs of security for CBC mode with padding. These models show how to select padding schemes, and in what order to combine CBC mode encryption, padding and authentication, so as to provably achieve a strong notion of security that incorporates padding oracle attacks.

Next we study the secure network protocol SSH. The first formal security analysis of the SSH Binary Packet Protocol (BPP) was performed by Bellare, Kohno and Namprempre. We present new plaintext-recovery attacks against the SSH BPP which partially invalidate this work. By examining why a combination of flaws in the basic design of SSH leaves implementations such as OpenSSH open to our attacks, we are able to determine which features are missing from Bellare et al.’s original provable security analysis of SSH. Using this knowledge, we define new security models that accurately capture the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and of the OpenSSH implementation. Our new models then allow us to prove that SSH using counter mode encryption is secure against a much wider array of attacks, including our plaintext-recovery attacks.

We conclude with further discussion of why the gap between theory and practice exists and suggest other ways of narrowing it.
