Paper 2013/813

Multi-ciphersuite security of the Secure Shell (SSH) protocol

Florian Bergsma, Benjamin Dowling, Florian Kohlar, Jörg Schwenk, and Douglas Stebila

Abstract

The Secure Shell (SSH) protocol is widely used to provide secure remote access to servers, making it among the most important security protocols on the Internet. We show that the signed-Diffie--Hellman SSH ciphersuites of the SSH protocol are secure: each is a secure authenticated and confidential channel establishment (ACCE) protocol, the same security definition now used to describe the security of Transport Layer Security (TLS) ciphersuites. While the ACCE definition suffices to describe the security of individual ciphersuites, it does not cover the case where parties use the same long-term key with many different ciphersuites: it is common in practice for the server to use the same signing key with both finite field and elliptic curve Diffie--Hellman, for example. While TLS is vulnerable to attack in this case, we show that SSH is secure even when the same signing key is used across multiple ciphersuites. We introduce a new generic multi-ciphersuite composition framework to achieve this result in a black-box way.

Note: Minor corrections and revisions. Full version of paper appearing in ACM CCS 2014. June 5 2020 revision clarifies use of strongly unforgeable signature scheme.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Major revision. ACM CCS 2014
DOI
10.1145/2660267.2660286
Keywords
Secure Shell (SSH)key agilitycross-protocol securitymulti-ciphersuite
Contact author(s)
dstebila @ uwaterloo ca
History
2020-06-05: last of 2 revisions
2013-12-06: received
See all versions
Short URL
https://ia.cr/2013/813
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/813,
      author = {Florian Bergsma and Benjamin Dowling and Florian Kohlar and Jörg Schwenk and Douglas Stebila},
      title = {Multi-ciphersuite security of the Secure Shell ({SSH}) protocol},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/813},
      year = {2013},
      doi = {10.1145/2660267.2660286},
      url = {https://eprint.iacr.org/2013/813}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.