Paper 2010/095

Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR

Kenneth G. Paterson and Gaven J. Watson

Abstract

This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions on the block cipher and MAC algorithms used to construct the SSH Binary Packet Protocol (BPP), we are able to show that the SSH BPP meets a strong and appropriate notion of security: indistinguishability under buffered, stateful chosen-ciphertext attacks. This result helps to bridge the gap between the existing security analysis of the SSH BPP by Bellare et al. and the recently discovered attacks against the SSH BPP by Albrecht et al. which partially invalidate that analysis.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Published elsewhere. A short version of this paper is to appear in the proceedings of Eurocrypt 2010. This is the full version.
Contact author(s): kenny paterson @ rhul ac uk
History:
2010-02-26: revised
2010-02-25: received
Short URL: https://ia.cr/2010/095
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2010/095,
      author = {Kenneth G. Paterson and Gaven J. Watson},
      title = {Plaintext-Dependent Decryption: A Formal Security Treatment of {SSH}-{CTR}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2010/095},
      year = {2010},
      url = {https://eprint.iacr.org/2010/095}
}