DOI: 10.1145/2660267.2660286

Multi-Ciphersuite Security of the Secure Shell (SSH) Protocol

Published: 03 November 2014

Abstract

The Secure Shell (SSH) protocol is widely used to provide secure remote access to servers, making it among the most important security protocols on the Internet. We show that the signed-Diffie--Hellman SSH ciphersuites of the SSH protocol are secure: each is a secure authenticated and confidential channel establishment (ACCE) protocol, the same security definition now used to describe the security of Transport Layer Security (TLS) ciphersuites. While the ACCE definition suffices to describe the security of individual ciphersuites, it does not cover the case where parties use the same long-term key with many different ciphersuites: it is common in practice for the server to use the same signing key with both finite field and elliptic curve Diffie--Hellman, for example. While TLS is vulnerable to attack in this case, we show that SSH is secure even when the same signing key is used across multiple ciphersuites. We introduce a new generic multi-ciphersuite composition framework to achieve this result in a black-box way.
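An added illustration, not from the paper or this page, of what "the same signing key with many different ciphersuites" means on the wire: the SSH server's host-key signature is over the exchange hash H, and H's preimage includes both KEXINIT payloads (RFC 4253 section 8 for finite-field DH, RFC 5656 section 4 for ECDH), so the negotiated key-exchange algorithm is part of the value the long-term key signs. The script builds H with constructed sample values (version strings, host-key blob, toy-sized public values, all assumptions) and shows that two otherwise byte-identical runs that negotiate finite-field DH and ECDH produce different H.

```python
import hashlib

def ssh_string(b: bytes) -> bytes:
    # SSH "string": 4-byte big-endian length, then the bytes (RFC 4251 s.5)
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    # SSH "mpint" for n >= 0: minimal big-endian bytes, with a leading 0x00 when
    # the top bit is set so the value stays positive (RFC 4251 s.5)
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def kexinit_payload(kex: str, hostkey: str = "ssh-ed25519", cipher: str = "aes128-ctr",
                    mac: str = "hmac-sha2-256", cookie: bytes = b"\x00" * 16) -> bytes:
    # SSH_MSG_KEXINIT (RFC 4253 s.7.1): byte 20, 16-byte cookie, ten name-lists
    # (kex, host key, cipher c2s/s2c, MAC c2s/s2c, compression c2s/s2c, languages
    # c2s/s2c), first_kex_packet_follows (bool), reserved uint32.
    lists = [kex, hostkey, cipher, cipher, mac, mac, "none", "none", "", ""]
    return (bytes([20]) + cookie + b"".join(ssh_string(n.encode()) for n in lists)
            + b"\x00" + b"\x00\x00\x00\x00")

def exchange_hash(v_c: bytes, v_s: bytes, i_c: bytes, i_s: bytes, k_s: bytes,
                  pub_c: bytes, pub_s: bytes, k: int) -> bytes:
    # H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K) for finite-field DH
    # (RFC 4253 s.8); ECDH (RFC 5656 s.4) has the same shape with Q_C, Q_S in place
    # of e, f. pub_c/pub_s arrive already encoded (mpint for DH, string for ECDH).
    # The host-key signature is over H, so both full KEXINIT payloads, and with
    # them the negotiated kex algorithm, are bound into the signed value.
    data = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + pub_c + pub_s + ssh_mpint(k))
    return hashlib.sha256(data).digest()

def demo() -> tuple:
    # Constructed sample values (assumptions). Version strings, host-key blob, public
    # values and shared secret are kept byte-identical across both runs on purpose,
    # so the only difference is the kex algorithm named in the KEXINIT payloads.
    v_c, v_s = b"SSH-2.0-client_example", b"SSH-2.0-server_example"
    k_s = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)  # constructed blob
    pub_c, pub_s, k = ssh_mpint(0x5), ssh_mpint(0x7), 0x1234567890ABCDEF  # toy sizes
    h_dh = exchange_hash(v_c, v_s, kexinit_payload("diffie-hellman-group14-sha256"),
                         kexinit_payload("diffie-hellman-group14-sha256"), k_s, pub_c, pub_s, k)
    h_ecdh = exchange_hash(v_c, v_s, kexinit_payload("ecdh-sha2-nistp256"),
                           kexinit_payload("ecdh-sha2-nistp256"), k_s, pub_c, pub_s, k)
    return h_dh, h_ecdh

if __name__ == "__main__":
    a, b = demo()
    print("H differs across ciphersuites:", a != b)
```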


    Published In

    CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
    November 2014
    1592 pages
    ISBN: 9781450329576
    DOI: 10.1145/2660267

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. authenticated and confidential channel establishment
    2. cross-protocol security
    3. key agility
    4. multi-ciphersuite
    5. secure shell (SSH)

    Qualifiers

    • Research-article


    Acceptance Rates

    CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
