Cryptology ePrint Archive: Report 2002/078

Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm

Mihir Bellare and Tadayoshi Kohno and Chanathip Namprempre

Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

Category / Keywords: cryptographic protocols / Authenticated Encryption, Secure Shell, SSH, Stateful Decryption, Security Proofs.

Publication Info: To appear in ACM Transactions on Information and System Security, ACM, 2004. An extended abstract of this paper appeared in Ninth ACM Conference on Computer and Communications Security, ACM, 2002.

Date: received 17 Jun 2002, last revised 29 Mar 2004

Contact author: tkohno at cs ucsd edu

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20040330:073429 (All versions of this report)

Short URL: ia.cr/2002/078

Discussion forum: Show discussion | Start new discussion