libInterMAC: Beyond Confidentiality and Integrity in Practice

Boldyreva et al. (Eurocrypt 2012) defined a fine-grained security model capturing ciphertext fragmentation attacks against symmetric encryption schemes. The model was extended by Albrecht et al. (CCS 2016) to include an integrity notion. The extended security model encompasses important security goals of SSH that go beyond confidentiality and integrity to include length hiding and denial-of-service resistance properties. Boldyreva et al. also defined and analysed the InterMAC scheme, while Albrecht et al. showed that InterMAC satisfies stronger security notions than all currently available SSH encryption schemes. In this work, we take the InterMAC scheme and make it fully ready for use in practice. This involves several steps. First, we modify the InterMAC scheme to support encryption of arbitrary-length plaintexts, and we replace the use of Encrypt-then-MAC in InterMAC with modern nonce-based authenticated encryption. Second, we describe a reference implementation of the modified InterMAC scheme in the form of the library libInterMAC, and we give a performance analysis of libInterMAC. Third, to test the practical performance of libInterMAC, we implement several InterMAC-based encryption schemes in OpenSSH and carry out a performance analysis for the use case of file transfer using SCP. We measure the data throughput and the data overhead of using InterMAC-based schemes compared to existing schemes in OpenSSH. Our analysis shows that, for some network set-ups, using InterMAC-based schemes in OpenSSH only moderately affects performance whilst providing stronger security guarantees than existing schemes.

[1] Gilles Barthe et al. Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC, 2016, IACR Cryptol. ePrint Arch.

[2] Juraj Somorovsky et al. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS, 2016, WOOT.

[3] N. Ferguson. Authentication weaknesses in GCM, 2005.

[4] Tatu Ylönen et al. The Secure Shell (SSH) Transport Layer Protocol, 2006.

[5] Marc Fischlin et al. Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove, 2018, IACR Cryptol. ePrint Arch.

[6] D. McGrew et al. The Galois/Counter Mode of Operation (GCM), 2005.

[7] Gordon Procter. A Security Analysis of the Composition of ChaCha20 and Poly1305, 2014, IACR Cryptol. ePrint Arch.

[8] Martijn Stam et al. Rogue Decryption Failures: Reconciling AE Robustness Notions, 2015, IMACC.

[9] Kenneth G. Paterson et al. On the (in)security of IPsec in MAC-then-encrypt configurations, 2010, CCS '10.

[10] Tanja Lange et al. The Security Impact of a New Cryptographic Library, 2012, LATINCRYPT.

[11] Fabian Monrose et al. Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks, 2011, IEEE Symposium on Security and Privacy.

[12] Phillip Rogaway et al. Simplifying Game-Based Definitions: Indistinguishability up to Correctness and Its Application to Stateful AE, 2018, IACR Cryptol. ePrint Arch.

[13] Kenneth G. Paterson et al. Analyzing Multi-key Security Degradation, 2017, ASIACRYPT.

[14] Kenneth G. Paterson et al. Limits on Authenticated Encryption Use in TLS, 2024, IACR Cryptol. ePrint Arch.

[15] Chanathip Namprempre et al. Reconsidering Generic Composition, 2014, IACR Cryptol. ePrint Arch.

[16] Simon Josefsson et al. The chacha20-poly1305@openssh.com authenticated encryption cipher, 2015.

[17] Russ Housley et al. Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms, 2015, RFC.

[18] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.3, 2018, RFC.

[19] Andrey Bogdanov et al. How to Securely Release Unverified Plaintext in Authenticated Encryption, 2014, ASIACRYPT.

[20] Kenneth G. Paterson et al. Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation, 2012, IACR Cryptol. ePrint Arch.

[21] Mihir Bellare et al. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions, 1995, CRYPTO.

[22] Simson L. Garfinkel et al. Comparing the Usability of Cryptographic APIs, 2017, IEEE Symposium on Security and Privacy (SP).

[23] Mihir Bellare et al. Entity Authentication and Key Distribution, 1993, CRYPTO.

[24] Daniel J. Bernstein et al. The Poly1305-AES Message-Authentication Code, 2005, FSE.

[25] Stefan Lucks et al. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes, 2012, FSE.

[26] Damian Vizár et al. Linking Online Misuse-Resistant Authenticated Encryption and Blockwise Attack Models, 2016, IACR Trans. Symmetric Cryptol.

[27] Kenneth G. Paterson et al. Data Is a Stream: Security of Stream-Based Channels, 2015, CRYPTO.

[28] Kenneth G. Paterson et al. Attacking the IPsec Standards in Encryption-only Configurations, 2007, IEEE Symposium on Security and Privacy (SP '07).

[29] Kenneth G. Paterson et al. A Surfeit of SSH Cipher Suites, 2016, CCS.

[30] Jerome A. Solinas et al. AES Galois Counter Mode for the Secure Shell Transport Layer Protocol, 2009, RFC.

[31] Chanathip Namprempre et al. Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, 2002, CCS '02.

[32] Mihir Bellare et al. The Security of Cipher Block Chaining, 1994, CRYPTO.

[33] Stefano Tessaro et al. The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization, 2018, CCS.

[34] Mihir Bellare et al. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3, 2016, CRYPTO.

[35] Kenneth G. Paterson et al. Plaintext Recovery Attacks against SSH, 2009, 30th IEEE Symposium on Security and Privacy.

[36] Damian Vizár et al. Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance, 2015, CRYPTO.

[37] Adam Langley et al. ChaCha20 and Poly1305 for IETF Protocols, 2018, RFC.