Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm

The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

[1]  Acknowledgments , 2006, Molecular and Cellular Endocrinology.

[2]  Mihir Bellare,et al.  The EAX Mode of Operation , 2004, FSE.

[3]  Chanathip Namprempre,et al.  Authenticated encryption in SSH: provably fixing the SSH binary packet protocol , 2002, CCS '02.

[4]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[5]  Helger Lipmaa,et al.  Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption , 2000 .

[6]  Steven M. Bellovin,et al.  Problem Areas for the IP Security Protocols , 1996, USENIX Security Symposium.

[7]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[8]  Virgil D. Gligor,et al.  Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes , 2001, FSE.

[9]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[10]  Mihir Bellare,et al.  The Security of Cipher Block Chaining , 1994, CRYPTO.

[11]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[12]  Bruce Schneier,et al.  Reaction Attacks Against Several Public-Key Cryptosystem , 1997 .

[13]  Chanathip Namprempre,et al.  SSH transport layer encryption modes , 2004 .

[14]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[15]  Tal Rabin,et al.  On the Security of Joint Signature and Encryption , 2002, EUROCRYPT.

[16]  John Black,et al.  CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, Journal of Cryptology.

[17]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[18]  BellareMihir,et al.  Breaking and provably repairing the SSH authenticated encryption scheme , 2004 .

[19]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[20]  Tadayoshi Kohno,et al.  CWC: A High-Performance Conventional Authenticated Encryption Mode , 2004, FSE.

[21]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[22]  Tatu Ylonen,et al.  SSH Transport Layer Protocol , 1996 .

[23]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[24]  Bruce Schneier,et al.  Reaction Attacks against several Public-Key Cryptosystems , 1999, ICICS.

[25]  Chanathip Namprempre,et al.  The Secure Shell (SSH) Transport Layer Encryption Modes , 2006, RFC.

[26]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[27]  Silvio Micali,et al.  On the Cryptographic Applications of Random Functions , 1984, CRYPTO.

[28]  Chanathip Namprempre,et al.  Secure Channels Based on Authenticated Encryption Schemes: A Simple Characterization , 2002, ASIACRYPT.

[29]  Mihir Bellare,et al.  The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..

[30]  Russ Housley,et al.  Counter with CBC-MAC (CCM) , 2003, RFC.

[31]  Matt Blaze,et al.  Cryptographic Modes of Operation for the Internet , 2001 .

[32]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[33]  John Black,et al.  CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, CRYPTO.

[34]  M.E. Hellman,et al.  Privacy and authentication: An introduction to cryptography , 1979, Proceedings of the IEEE.

[35]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.