Paper 2002/078

Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm

Mihir Bellare, Tadayoshi Kohno, and Chanathip Namprempre

Abstract

The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
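The title names the Encode-then-Encrypt-and-MAC paradigm and the abstract speaks of encryption schemes with stateful decryption algorithms. The following is an added illustration of both ideas, written for this page; it is not code from the paper and not OpenSSH code, and it does not reproduce the paper's attacks (which the abstract does not detail). The packet framing follows the SSH binary packet protocol (RFC 4253, section 6): a 4-byte packet_length, a 1-byte padding_length, the payload, and at least 4 bytes of random padding bringing the encoded packet to a multiple of the block size; the MAC is computed over the 32-bit sequence number and the unencrypted encoded packet, and the sequence number is never transmitted, each side keeps it as state. Assumptions specific to this example: since the Python standard library has no AES, the counter-mode keystream is derived from HMAC-SHA256 keyed by the sequence number as a stand-in for AES-CTR; HMAC-SHA256 serves as the MAC; the block size is 16; and the receiver refuses all further input after a single failure, mirroring SSH's disconnect on MAC failure.

```python
"""Encode-then-Encrypt-and-MAC with stateful (sequence-numbered) decryption.

Added illustration for this page, not the paper's construction and not
OpenSSH code.  ASSUMPTIONS: the counter-mode keystream comes from HMAC-SHA256
keyed by the per-packet sequence number (stand-in for AES-CTR, which the
standard library lacks); HMAC-SHA256 is the MAC; the block size is 16.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 16      # assumed cipher block size used for padding
TAG_LEN = 32    # HMAC-SHA256 output length


def encode(payload: bytes) -> bytes:
    """SSH-style encoding (RFC 4253 s.6): length fields plus random padding."""
    padlen = BLOCK - (5 + len(payload)) % BLOCK
    if padlen < 4:                      # at least 4 bytes of padding are required
        padlen += BLOCK
    packet_length = 1 + len(payload) + padlen
    return struct.pack(">IB", packet_length, padlen) + payload + os.urandom(padlen)


def decode(packet: bytes) -> bytes:
    """Inverse of encode; only ever called on a packet whose MAC has verified."""
    packet_length, padlen = struct.unpack(">IB", packet[:5])
    payload_len = packet_length - 1 - padlen
    if 4 + packet_length != len(packet) or padlen < 4 or payload_len < 0:
        raise ValueError("malformed packet")
    return packet[5:5 + payload_len]


def _keystream(key: bytes, seqno: int, n: int) -> bytes:
    """Counter-mode keystream, block i = HMAC(key, seqno || i). Stand-in for AES-CTR."""
    blocks = [hmac.new(key, struct.pack(">IQ", seqno, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key: bytes, seqno: int, packet: bytes) -> bytes:
    # Encrypt-and-MAC: the tag covers the implicit sequence number and the
    # *plaintext* encoded packet, and is sent in the clear after the ciphertext.
    return hmac.new(mac_key, struct.pack(">I", seqno) + packet, hashlib.sha256).digest()


class Sender:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.seqno = enc_key, mac_key, 0

    def seal(self, payload: bytes) -> bytes:
        packet = encode(payload)                                          # Encode
        tag = _tag(self.mac_key, self.seqno, packet)                      # MAC
        ct = _xor(packet, _keystream(self.enc_key, self.seqno, len(packet)))  # Encrypt
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        return ct + tag


class Receiver:
    """Stateful decryptor.  The expected sequence number is part of its state, so
    a replayed, reordered or dropped record fails the MAC even though every byte
    on the wire was produced by the genuine sender.  After one failure the
    receiver refuses everything (design choice mirroring SSH's disconnect)."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.seqno, self.dead = enc_key, mac_key, 0, False

    def open(self, blob: bytes) -> bytes:
        if self.dead:
            raise ValueError("channel closed after an earlier failure")
        if len(blob) < TAG_LEN + BLOCK or (len(blob) - TAG_LEN) % BLOCK != 0:
            self.dead = True
            raise ValueError("bad record length")
        ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        # The tag is over plaintext, so decryption must precede verification;
        # nothing decoded (length fields included) is acted on before it verifies.
        packet = _xor(ct, _keystream(self.enc_key, self.seqno, len(ct)))
        if not hmac.compare_digest(tag, _tag(self.mac_key, self.seqno, packet)):
            self.dead = True
            raise ValueError("MAC failure")
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        return decode(packet)


def try_open(receiver: Receiver, blob: bytes):
    """Return the payload, or None if the receiver rejected the record."""
    try:
        return receiver.open(blob)
    except ValueError:
        return None


if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    s, r = Sender(ek, mk), Receiver(ek, mk)
    first, second = s.seal(b"hello"), s.seal(b"world")
    print("in order:", try_open(r, first), try_open(r, second))
    print("replay of first record:", try_open(Receiver(ek, mk), second))
```

Two points the code makes concrete. First, because the tag is computed over the plaintext, the receiver has no choice but to decrypt before it can verify anything, which is the structural feature of Encrypt-and-MAC that distinguishes it from Encrypt-then-MAC; the example keeps the decoded length fields unused until the tag has verified. Second, the sequence number is authenticated but never sent, so the receiver's state alone decides which records are acceptable: a genuine record replayed, or delivered out of order, is rejected without any explicit anti-replay list.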

Metadata
Available format(s)
PDF PS
Category
Cryptographic protocols
Publication info
Published elsewhere. To appear in ACM Transactions on Information and System Security, ACM, 2004. An extended abstract of this paper appeared in Ninth ACM Conference on Computer and Communications Security, ACM, 2002.
Keywords
Authenticated Encryption, Secure Shell, SSH, Stateful Decryption, Security Proofs
Contact author(s)
tkohno @ cs ucsd edu
History
2004-03-30: last of 9 revisions
2002-06-18: received
Short URL
https://ia.cr/2002/078
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2002/078,
      author = {Mihir Bellare and Tadayoshi Kohno and Chanathip Namprempre},
      title = {Breaking and Provably Repairing the {SSH} Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-{MAC} Paradigm},
      howpublished = {Cryptology {ePrint} Archive, Paper 2002/078},
      year = {2002},
      url = {https://eprint.iacr.org/2002/078}
}