Research article
DOI: 10.1145/2976749.2978364

A Surfeit of SSH Cipher Suites

Published: 24 October 2016

Abstract

This work presents a systematic analysis of symmetric encryption modes for SSH that are in use on the Internet, providing deployment statistics, new attacks, and security proofs for widely used modes. We report deployment statistics based on two Internet-wide scans of SSH servers conducted in late 2015 and early 2016. Dropbear and OpenSSH implementations dominate in our scans. From our first scan, we found 130,980 OpenSSH servers that are still vulnerable to the CBC-mode-specific attack of Albrecht et al. (IEEE S&P 2009), while we found a further 20,000 OpenSSH servers that are vulnerable to a new attack on CBC-mode that bypasses the counter-measures introduced in OpenSSH 5.2 to defeat the attack of Albrecht et al. At the same time, 886,449 Dropbear servers in our first scan are vulnerable to a variant of the original CBC-mode attack. On the positive side, we provide formal security analyses for other popular SSH encryption modes, namely ChaCha20-Poly1305, generic Encrypt-then-MAC, and AES-GCM. Our proofs hold for detailed pseudo-code descriptions of these algorithms as implemented in OpenSSH. Our proofs use a corrected and extended version of the "fragmented decryption" security model that was specifically developed for the SSH setting by Boldyreva et al. (Eurocrypt 2012). These proofs provide strong confidentiality and integrity guarantees for these alternatives to CBC-mode encryption in SSH. However, we also show that these alternatives do not meet additional, desirable notions of security (boundary-hiding under passive and active attacks, and denial-of-service resistance) that were formalised by Boldyreva et al.

References

[1] Albrecht, M. R., Paterson, K. G., and Watson, G. J. Plaintext recovery attacks against SSH. In 2009 IEEE Symposium on Security and Privacy (May 2009), IEEE Computer Society Press, pp. 16--26.
[2] AlFardan, N. J., and Paterson, K. G. Lucky Thirteen: Breaking the TLS and DTLS record protocols. In 2013 IEEE Symposium on Security and Privacy (May 2013), IEEE Computer Society Press, pp. 526--540.
[3] Bellare, M., Kohno, T., and Namprempre, C. Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. In ACM CCS 02 (Nov. 2002), V. Atluri, Ed., ACM Press, pp. 1--11.
[4] Bellare, M., Kohno, T., and Namprempre, C. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Trans. Inf. Syst. Secur. 7, 2 (2004), 206--241.
[5] Bellare, M., Kohno, T., and Namprempre, C. The Secure Shell (SSH) Transport Layer Encryption Modes. RFC 4344 (Proposed Standard), Jan. 2006.
[6] Bellare, M., and Namprempre, C. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In ASIACRYPT 2000 (Dec. 2000), T. Okamoto, Ed., vol. 1976 of LNCS, Springer, Heidelberg, pp. 531--545.
[7] Bernstein, D. J. ChaCha, a variant of Salsa20. http://cr.yp.to/chacha/chacha-20080128.pdf, 2008.
[8] Bernstein, D. J. The Poly1305-AES message-authentication code. In FSE 2005 (Feb. 2005), H. Gilbert and H. Handschuh, Eds., vol. 3557 of LNCS, Springer, Heidelberg, pp. 32--49.
[9] Bider, D., and Baushke, M. SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol. RFC 6668 (Proposed Standard), July 2012.
[10] Boldyreva, A., Degabriele, J. P., Paterson, K. G., and Stam, M. Security of symmetric encryption in the presence of ciphertext fragmentation. In EUROCRYPT 2012 (Apr. 2012), D. Pointcheval and T. Johansson, Eds., vol. 7237 of LNCS, Springer, Heidelberg, pp. 682--699.
[11] Boldyreva, A., Degabriele, J. P., Paterson, K. G., and Stam, M. On symmetric encryption with distinguishable decryption failures. In FSE 2013 (Mar. 2014), S. Moriai, Ed., vol. 8424 of LNCS, Springer, Heidelberg, pp. 367--390.
[12] Dai, W. SSH2 attack. http://www.weidai.com/ssh2-attack.txt, 2002.
[13] Durumeric, Z., Wustrow, E., and Halderman, J. A. ZMap: Fast Internet-wide scanning and its security applications. In USENIX Security (2013).
[14] Igoe, K., and Solinas, J. AES Galois Counter Mode for the Secure Shell Transport Layer Protocol. RFC 5647 (Informational), Aug. 2009.
[15] Lyon, G. F. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, 2009.
[16] McGrew, D., and Viega, J. The Galois/Counter Mode of operation (GCM). Submission to NIST Modes of Operation Process, 2004.
[17] Miller, D., and Josefsson, S. The chacha20-poly1305@openssh.com authenticated encryption cipher. Working Draft, Nov. 2015.
[18] Miller, D., and Valchev, P. The use of UMAC in the SSH transport layer protocol. https://tools.ietf.org/html/draft-miller-secsh-umac-01, Sept. 2007.
[19] Namprempre, C., Rogaway, P., and Shrimpton, T. Reconsidering generic composition. In EUROCRYPT 2014 (May 2014), P. Q. Nguyen and E. Oswald, Eds., vol. 8441 of LNCS, Springer, Heidelberg, pp. 257--274.
[20] Nir, Y., and Langley, A. ChaCha20 and Poly1305 for IETF Protocols. RFC 7539 (Informational), May 2015.
[21] Paterson, K. G., and Watson, G. J. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In EUROCRYPT 2010 (May 2010), H. Gilbert, Ed., vol. 6110 of LNCS, Springer, Heidelberg, pp. 345--361.
[22] Rogaway, P. Problems with proposed IP cryptography. http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt, Apr. 1995.
[23] Rogaway, P. Nonce-based symmetric encryption. In FSE 2004 (Feb. 2004), B. K. Roy and W. Meier, Eds., vol. 3017 of LNCS, Springer, Heidelberg, pp. 348--359.
[24] Rogaway, P., and Shrimpton, T. A provable-security treatment of the key-wrap problem. In EUROCRYPT 2006 (May/June 2006), S. Vaudenay, Ed., vol. 4004 of LNCS, Springer, Heidelberg, pp. 373--390.
[25] Ylonen, T., and Lonvick, C. The Secure Shell (SSH) Transport Layer Protocol. RFC 4253 (Proposed Standard), Jan. 2006. Updated by RFC 6668.

Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016
1924 pages
ISBN:9781450341394
DOI:10.1145/2976749

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. SSH
  2. applied cryptography
  3. attacks
  4. network security
  5. openssh
  6. protocol security

Qualifiers

  • Research-article

Funding Sources

  • EPSRC
  • Huawei Technologies
  • UK government

Conference

CCS '16

Acceptance Rates

CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • (2022) Secure Shell (SSH). Guide to Internet Cryptography, pp. 329--339. doi:10.1007/978-3-031-19439-9_13. Online publication date: 26 Nov 2022.
  • (2020) Information-Theoretic Security of Cryptographic Channels. Information and Communications Security, pp. 295--311. doi:10.1007/978-3-030-61078-4_17. Online publication date: 28 Nov 2020.
  • (2020) Biased RSA Private Keys: Origin Attribution of GCD-Factorable Keys. Computer Security -- ESORICS 2020, pp. 505--524. doi:10.1007/978-3-030-59013-0_25. Online publication date: 13 Sep 2020.
  • (2020) ACE in Chains: How Risky Is CBC Encryption of Binary Executable Files? Applied Cryptography and Network Security, pp. 187--207. doi:10.1007/978-3-030-57808-4_10. Online publication date: 27 Aug 2020.
  • (2018) Bitter Harvest. Proceedings of the 12th USENIX Conference on Offensive Technologies, pp. 9--9. doi:10.5555/3307423.3307432. Online publication date: 13 Aug 2018.
  • (2018) Partially Specified Channels. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1415--1428. doi:10.1145/3243734.3243789. Online publication date: 15 Oct 2018.
  • (2018) The Missing Difference Problem, and Its Applications to Counter Mode Encryption. Advances in Cryptology -- EUROCRYPT 2018, pp. 745--770. doi:10.1007/978-3-319-78375-8_24. Online publication date: 31 Mar 2018.
  • (2018) Untagging Tor: A Formal Treatment of Onion Encryption. Advances in Cryptology -- EUROCRYPT 2018, pp. 259--293. doi:10.1007/978-3-319-78372-7_9. Online publication date: 31 Mar 2018.
  • (2018) Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove. Advances in Cryptology -- ASIACRYPT 2018, pp. 519--550. doi:10.1007/978-3-030-03332-3_19. Online publication date: 26 Oct 2018.
  • (2017) Security in the Internet of Things. Proceedings of the Conference on Design, Automation & Test in Europe, pp. 674--679. doi:10.5555/3130379.3130543. Online publication date: 27 Mar 2017.
