A Surfeit of SSH Cipher Suites

Albrecht, M.; Degabriele, Jean Paul; Hansen, Torben Brandt; Paterson, Kenneth G.

doi:10.1145/2976749.2978364

Cited by 18 publications

(24 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The idea is that first the message is encrypted using some passively secure encryption scheme, and then the ciphertext is integrity-protected using the MAC, providing INT security and lifting IND-CPA to IND-CCA security. Many real-world protocols such as TLS [Gut14] and SSH [SSH,ADHP16] can be used with such an AEAD construction. Further, many direct AEAD constructions make use of this design principle as well, though rather implicitly.…”

Section: Etm-structured Aeadmentioning

confidence: 99%

Combiners for AEAD

Poettering¹,

Rösler²

2020

ToSC

View full text Add to dashboard Cite

The Authenticated Encryption with Associated Data (AEAD) primitive, which integrates confidentiality and integrity services under a single roof, found wide-spread adoption in industry and became indispensable in practical protocol design. Recognizing this, academic research put forward a large number of candidate constructions, many of which come with provable security guarantees. Nevertheless, the recent past has shaken up with the discovery of vulnerabilities, some of them fatal, in well-regarded schemes, stemming from weak underlying primitives, flawed security arguments, implementation-level vulnerabilities, and so on. Simply reacting to such findings by replacing broken candidates by better(?) ones is in many cases unduly, costly, and sometimes just impossible. On the other hand, as attack techniques and opportunities change over time, it seems venturous to propose any specific scheme if the intended lifetime of its application is, say, twenty years.In this work we study a workable approach towards increasing the resilience against unforeseen breaks of AEAD primitives. Precisely, we consider the ability to combine two AEAD schemes into one such that the resulting AEAD scheme is secure as long as at least one of its components is (or: as long as at most one component is broken). We propose a series of such combiners, some of which work with fully generic AEAD components while others assume specific internal structures of the latter (like an encrypt-then-MAC design). We complement our results by proving the optimality of our constructions by showing the impossibility of combiners that get along with less invocations of the component algorithms.

show abstract

Section: Etm-structured Aeadmentioning

confidence: 99%

Combiners for AEAD

Poettering¹,

Rösler²

2020

ToSC

View full text Add to dashboard Cite

show abstract

“…The path should be acyclic and its length is denoted . The circuit is then represented as a vector of nodes p [1], . .…”

Section: Modelling Onion Routing Networkmentioning

confidence: 99%

“…By convention, we set p[ + 1] = to indicate the end of a circuit, where the symbol is reserved solely for this purpose and cannot be assigned to any node. For any circuit, we use the terms sending node, receiving node and forwarding nodes to refer respectively to the OP, the path's last node p[ ] and intermediate nodes p [1], . .…”

Section: Modelling Onion Routing Networkmentioning

confidence: 99%

“…The first condition stops the adversary from correlating the endpoints merely through the number of cells that are input and output at each end. The latter condition is analogous to the suppression of output in stateful security definitions [1,6,11,22]. On the other hand, circuits that have a corrupted proxy or whose routers are either all corrupted or all honest are excluded from this requirement (since we quantify over I EN ).…”

Section: For All I There Existsmentioning

confidence: 99%

See 1 more Smart Citation

Untagging Tor: A Formal Treatment of Onion Encryption

Degabriele

Stam

2018

Advances in Cryptology – EUROCRYPT 2018

Self Cite

View full text Add to dashboard Cite

Abstract. Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher. We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261's relay protocol is circuit hiding and thus resistant against tagging attacks.

show abstract

“…However, in 2009 Albrecht et al [APW09] presented a plaintext-recovery attack against CBC mode with random IVs in SSH, a case covered by the proof. In 2016 further attacks were found against a patched version of the CBC mode construction used in OpenSSH [ADHP16]. The attacks of [APW09,ADHP16] exploit the fact that ciphertexts can be delivered as a sequence of fragments, with the attacker being able to observe the behaviour of the receiver as each fragment is delivered.…”

Section: Introductionmentioning

confidence: 99%

libInterMAC: Beyond Confidentiality and Integrity in Practice

Albrecht

Hansen

Paterson

2019

ToSC

Self Cite

View full text Add to dashboard Cite

Boldyreva et al. (Eurocrypt 2012) defined a fine-grained security model capturing ciphertext fragmentation attacks against symmetric encryption schemes. The model was extended by Albrecht et al. (CCS 2016) to include an integrity notion. The extended security model encompasses important security goals of SSH that go beyond confidentiality and integrity to include length hiding and denial-of-service resistance properties. Boldyreva et al. also defined and analysed the InterMAC scheme, while Albrecht et al. showed that InterMAC satisfies stronger security notions than all currently available SSH encryption schemes. In this work, we take the InterMAC scheme and make it fully ready for use in practice. This involves several steps. First, we modify the InterMAC scheme to support encryption of arbitrary length plaintexts and we replace the use of Encrypt-then-MAC in InterMAC with modern noncebased authenticated encryption. Second, we describe a reference implementation of the modified InterMAC scheme in the form of the library libInterMAC. We give a performance analysis of libInterMAC. Third, to test the practical performance of libInterMAC, we implement several InterMAC-based encryption schemes in OpenSSH and carry out a performance analysis for the use-case of file transfer using SCP. We measure the data throughput and the data overhead of using InterMAC-based schemes compared to existing schemes in OpenSSH. Our analysis shows that, for some network set-ups, using InterMAC-based schemes in OpenSSH only moderately affects performance whilst providing stronger security guarantees compared to existing schemes.

show abstract

A Surfeit of SSH Cipher Suites

Cited by 18 publications

References 17 publications

Combiners for AEAD

Combiners for AEAD

Untagging Tor: A Formal Treatment of Onion Encryption

libInterMAC: Beyond Confidentiality and Integrity in Practice

Contact Info

Product

Resources

About