Cryptology ePrint Archive: Report 2013/813

Multi-ciphersuite security and the SSH protocol

Benjamin Dowling and Florian Giesen and Florian Kohlar and Jörg Schwenk and Douglas Stebila

Abstract: Real-world cryptographic protocols, such as the Transport Layer Security (TLS) and Secure Shell (SSH) protocols, support the negotiation of different combinations of cryptographic algorithms, often known as ciphersuites. An individual ciphersuite can be modelled as an authenticated and confidential channel establishment (ACCE) protocol, and recently all widely deployed TLS ciphersuites have been individually proven ACCE-secure. In practice, users often re-use long-term keys across ciphersuites, for example using the same digital signature key in two different signed Diffie-Hellman (DH) ciphersuites. Recently, a cross-ciphersuite attack on TLS was discovered in which a signed elliptic curve DH structure can be interpreted as a signed finite-field DH structure, breaking authentication. Thus, ACCE security of individual ciphersuites does not generically imply collective security when long-term keys are re-used across ciphersuites.

We investigate the security of multi-ciphersuite protocols with re-used long-term keys. We show how to "open" the ACCE definition slightly so that, after each ciphersuite has been proven secure individually, they can then be used together in a secure multi-ciphersuite protocol, even when long-term keys are re-used across ciphersuites, provided the ciphersuites' messages satisfy an independence property. We apply our definitions and composition theorem to the SSH protocol, showing that signed Diffie-Hellman SSH ciphersuites are individually ACCE-secure; they also satisfy the preconditions of our composition theorem, and thus SSH is multi-ciphersuite-secure even with re-use of long-term keys.
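The added example below (not code from the paper) computes the SSH exchange hash H that the server's host key signs, following the encodings in RFC 4251 and RFC 4253, and shows that the negotiated kex algorithm name carried in both KEXINIT payloads is bound into the signed value: two handshakes with identical DH values but different ciphersuite names yield different H, which is the kind of cross-ciphersuite binding the independence property above depends on. Version strings, cookie, host key blob and DH values are constructed toy values, not real protocol data.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set, wrapped as a string."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def kexinit_payload(kex: str, hostkey: str, cipher: str, mac: str, cookie: bytes) -> bytes:
    """SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) with single-entry name-lists;
    each side's payload (I_C, I_S) is later hashed into H, so the offered and
    negotiated algorithm names become part of what the host key signs."""
    assert len(cookie) == 16
    names = [kex, hostkey, cipher, cipher, mac, mac, "none", "none", "", ""]
    body = b"".join(ssh_string(n.encode()) for n in names)
    # trailing boolean first_kex_packet_follows = FALSE and reserved uint32 0
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def exchange_hash(V_C, V_S, I_C, I_S, K_S, e: int, f: int, K: int) -> bytes:
    """Exchange hash H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K)
    from RFC 4253 section 8; SHA-1 is used here since both kex names below end in -sha1."""
    data = (ssh_string(V_C) + ssh_string(V_S) + ssh_string(I_C) + ssh_string(I_S)
            + ssh_string(K_S) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(K))
    return hashlib.sha1(data).digest()


def demo_kex_name_binding() -> tuple:
    """Two handshakes identical in every DH value and host key, differing only in
    the negotiated kex algorithm name; returns the two H values the host key would sign."""
    cookie = bytes(16)  # constructed all-zero cookie (real cookies are random)
    V_C, V_S = b"SSH-2.0-exampleclient", b"SSH-2.0-exampleserver"  # constructed
    K_S = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE)  # constructed toy host key blob
    e, f, K = 0x1234, 0x5678, 0x9ABC  # constructed DH values, not real group elements
    hashes = []
    for kex in ("diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"):
        I_C = kexinit_payload(kex, "ssh-rsa", "aes128-ctr", "hmac-sha1", cookie)
        I_S = kexinit_payload(kex, "ssh-rsa", "aes128-ctr", "hmac-sha1", cookie)
        hashes.append(exchange_hash(V_C, V_S, I_C, I_S, K_S, e, f, K))
    return hashes[0], hashes[1]
```

Because a signature over H from one ciphersuite cannot verify against the H of another, a verifier that recomputes H from its own KEXINIT exchange rejects any signed value transplanted from a differently negotiated handshake.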

Category / Keywords: cryptographic protocols / Secure Shell (SSH), key agility, cross-protocol security, authenticated and confidential channel establishment

Date: received 3 Dec 2013

Contact author: stebila at qut edu au


Version: 20131206:201922
