Cryptology ePrint Archive: Report 2002/078
Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm
Mihir Bellare and Tadayoshi Kohno and Chanathip Namprempre
Abstract: The Secure Shell (SSH) protocol is one of the most popular
cryptographic protocols on the Internet. Unfortunately, the current
SSH authenticated encryption mechanism is insecure. In this paper, we
propose several fixes to the SSH protocol and, using techniques from
modern cryptography, we prove that our modified versions of SSH meet
strong new chosen-ciphertext privacy and integrity requirements.
Furthermore, our proposed fixes will require relatively little
modification to the SSH protocol and to SSH implementations. We
believe that our new notions of privacy and integrity for encryption
schemes with stateful decryption algorithms will be of independent
Category / Keywords: cryptographic protocols / Authenticated Encryption, Secure Shell, SSH, Stateful Decryption, Security Proofs.
Publication Info: To appear in ACM Transactions on Information and System Security, ACM, 2004. An extended abstract of this paper appeared in Ninth ACM Conference on Computer and Communications Security, ACM, 2002.
Date: received 17 Jun 2002, last revised 29 Mar 2004
Contact author: tkohno at cs ucsd edu
Available formats: Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Version: 20040330:073429 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]