Paper 2011/276

Analysis of the SSH Key Exchange Protocol

Stephen C. Williams

Abstract

We provide an analysis of the widely deployed SSH protocol's key exchange mechanism. We exploit the design of the SSH key exchange to perform our analysis in a modular manner. First, a shared secret key is obtained via a Diffie-Hellman key exchange. Next, a transform is applied to obtain the application keys used by later stages of SSH. We define models, following well-established paradigms, that clarify the security provided by each type of key. Previously, there has been no formal analysis of the SSH key exchange protocol. We provide a modular proof of security for the SSH shared secret and application keys. We show that although the shared secret key exchanged by SSH is not indistinguishable, the transformation then applied yields indistinguishable application keys. Our proofs use random oracles to model the hash function used within SSH.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Keywords
SSHkey exchangesecurity proof
Contact author(s)
williams @ cs bris ac uk
History
2011-05-28: received
Short URL
https://ia.cr/2011/276
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2011/276,
      author = {Stephen C.  Williams},
      title = {Analysis of the {SSH} Key Exchange Protocol},
      howpublished = {Cryptology {ePrint} Archive, Paper 2011/276},
      year = {2011},
      url = {https://eprint.iacr.org/2011/276}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.