Authenticated Encryption in SSH · Introduction to SSH 30 Secure Shell or SSH is a network protocol...

transcript

AuthenticatedEncryptioninSSH

KennyPaterson

InformationSecurityGroup

@kennyog;www.isg.rhul.ac.uk/~kp

Overview(bothlectures)

•  Securechannelsandtheirproperties•  AEAD(revision)•  AEAD≠securechannel–the[APW09]attackonSSH

•  ThestateofAEADinSSHtoday•  AnewattackonCBC-modeinOpenSSH

•  SecurityanalysisofotherSSHandOpenSSHmodes–CTR,ChaChaPoly,gEtM,AES-GCM.

Securechannelsandtheirproperties

Whydoweneedsecurechannels?

•  Securecommunicationsisthemostcommonreal-worldapplicationofcryptographytoday.

•  Securecommunicationssystemsareextremelywidely-deployedinpractice:

•  SSL/TLS,DTLS,IPsec,SSH,OpenVPN,…•  WEP/WPA/WPA2•  GSM/UMTS/4g/LTE•  Cryptocat,OTR,SilentCircle•  OpenPGP,iMessage,Telegram,Signal,anda

thousandothermessagingapps•  QUIC,MinimalT,TCPcrypt

Securityproperties

•  Confidentiality–privacyfordata•  Integrity–detectionofdatamodification

•  Authenticity–assuranceconcerningthesourceofdata

Somelessobvioussecurityproperties

•  Anti-replay•  Detectionthatmessageshavebeenrepeated.

•  Detectionofdeletion•  Detectionthatmessageshavebeendeletedbythe

adversaryordroppedbythenetwork.

•  Detectionofre-0rdering•  Ensuringthattherelativeorderofmessagesineach

directiononthesecurechannelispreserved.•  Possiblyre-orderingtheeventofviolation.

•  Preventionoftraffic-analysis.•  Usingtrafficpaddingandlength-hidingtechniques.

Possiblefunctionalityrequirements

•  Speedy•  Low-memory

•  On-line/parallelisablecrypto-operations•  Performanceisheavilyhardware-dependent.

•  Mayhavedifferentalgorithmsfordifferentplatforms.

•  IPR-friendly•  Thisissuehassloweddownadoptionofmany

otherwisegoodalgorithms,e.g.OCB.

•  Easytoimplement•  Withoutintroducinganyside-channels.

Additionalrequirements

•  Weneedacleanandwell-definedAPI.

•  Becausetherealityisthatoursecurechannelprotocolwillprobablybeusedblindlybyasecurity-naïvedeveloper.

•  Developerswantto“open”and“close”securechannels,andissue“send”and“recv”commands.

•  They’dliketosimplyreplaceTCPwitha“secureTCP”havingthesameAPI.

•  Ortojusthaveablack-boxfordeliveringmessagessecurely.

AdditionalAPI-drivenrequirements

•  Doesthechannelprovideastream-basedfunctionalityoramessage-orientedfunctionality?

•  Doesthechannelacceptmessagesofarbitrarylengthandperformitsownfragmentationandreassembly,oristhereamaximummessagelength?

•  Howiserrorhandlingperformed?Isasingleerrorfatal,leadingtotear-downofchannel,oristhechanneltolerantoferrors?

•  Howaretheseerrorssignalledtothecallingapplication?Howshouldtheprogrammerhandlethem?

•  Doesthesecurechannelitselfhandleretransmissions?Oristhislefttotheapplication?Orisitguaranteedbytheunderlyingnetworktransport?

•  Doesthechannelofferdatacompression?•  Thesearedesignchoicesthatallimpactonsecurity•  Theyarenotwell-reflectedinthesecuritydefinitionsfor

symmetricencryption99

AEAD(Revision)

SecurityforSymmetricEncryption

PicturesbyGiorgiaAzzurraMarson

SecurityforSymmetricEncryption

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

SecurityforSymmetricEncryption–Confidentiality

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

EncOracle

learnbin{0,1}fromc*=EncK(mb)

IND-CPA(Goldwasser-Micali,1984;Bellare-Desai-Jokipii-Rogaway,1997).

SecurityforSymmetricEncryption–Confidentiality

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

EncOracle

IND-CPA(Goldwasser-Micali,1984;Bellare-Desai-Jokipii-Rogaway,1997).

DecOracle

IND-CCA(Naor-Yung,1990;

Rackoff-Simon,1997).

SecurityforSymmetricEncryption–Integrity

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

Isthiswhatyouwrote?

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

EncOracle

comeupwithvalidc*

DecOracle

INT-CTXT(Bellare,Rogaway,2000)

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

EncOracle

comeupwithvalidc*foranewm*

DecOracle

INT-PTXT(Bellare-Namprempre,2000)

SecurityforSymmetricEncryption–AE

c1=EncK(m1)

m2=DecK(c2)

m1=DecK(c1)

c2=EncK(m2)

EncOracle DecOracle

INT-PTXT(Bellare-Namprempre,2000)

AuthenticatedEncryptionIND-CPA+INT-CTXT

(èIND-CCA)

SecurityforSymmetricEncryption–AEAD

c1=EncK(AD1,m1)

m2=DecK(AD2,c2)

m1=DecK(AD1,c1)

c2=EncK(AD2,m2)

EncOracle DecOracle

AuthenticatedEncryptionwithAssociatedDataAEsecurityformessagem

IntegrityforassociateddataADStrongbindingbetweencandAD

(Rogaway2002)

Whichcamefirst?

SecurityforSymmetricEncryption–statefulAEAD

c1=EncK(AD1,m1)

m2=DecK(AD2,c2)m3=DecK(AD3,c3)

m1=DecK(AD1,c1)

c2=EncK(AD2,m2)c3=EncK(AD3,m3)

c1=EncK(AD1,m1)

m1=DecK(AD1,c1)

EncOracle DecOracle

IND-sfCCA (Bellare-Kohno-Namprempre,2002)

c1=EncK(AD1,m1)

m1=DecK(AD1,c1)

EncOracle DecOracle

learnbin{0,1}fromc*=EncK(mb)orcomeupwith

valid/outoforderc*

IND-sfCCA (Bellare-Kohno-Namprempre,2002)

INT-sfCTXT

INT-sfPTXT(Brzuska-Smart-Warinschi-Watson,2013)

StatefulAEAD

SecurityforSymmetricEncryption–nonce-basedAEAD

c1=EncK(N1,AD1,m1)

m2=DecK(N2,AD2,c2)

m1=DecK(N1,AD1,c1)

c2=EncK(N2,AD2,m2)

EncOracle DecOracle

Nonce-basedAuthenticatedEncryptionwithAssociatedDataAsperAEAD,butwithadditionalinputNtoEncandDecalgorithms

AdversarymayarbitrarilyspecifyN,but“norepeats”ruleEncandDeccannowbestatelessanddeterministic

(Rogaway2004)

SecurityforSymmetricEncryption–furthernotions

•  LH-(stateful)AE(AD)•  Ontopofeverythingelse,ciphertextsprovidea

modicumofhidingofplaintextlengths.

•  cfvariablelengthpaddinginSSL/TLS.

•  IntroducedbyPaterson-Ristenpart-Shrimpton,2011.

•  IncorporatedintoACCEframeworkforanalysisofTLSbyJager-Kohlar-Schage-Schwenk,2012.

CAESAR

•  CAESAR:CompetitionforAuthenticatedEncryption:Security,Applicability,andRobustness.

•  InitiatedbyDanBernstein,supportedbycommitteeofexperts.

•  MaingoalisthedesignofaportfolioofAEschemes.•  CAESARhasinvolveddozensofperson-yearsofeffort

andledtoamajoruptickinresearchactivity.

•  Itseemsthatmostofthecryptographiccommunityhassettledonnonce-basedAE/AEADastheirworkingabstraction.

AEAD≠securechannel–the[APW09]attackonSSH

AEAD≠securechannel

•  Recallourapplicationdeveloper:•  Hewantsadrop-inreplacementforTCPthat’ssecure.

•  Actually,hemightjustwanttosendandreceivesomeatomicmessagesandnotaTCP-likestream.

•  TowhatextentdoesAEADmeettheserequirements?

•  Itdoesn’t…

AEAD≠securechannel

There’sasignificantsemanticgapbetweenAEAD’sfunctionalityandrawsecurityguarantees,andallthethingsadeveloperexpectsasecurechanneltoprovide.

ChEnc(.,.,.)

Dec(.,.,.)

IntroductiontoSSH

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for TELNET and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.

– Wikipedia

SSHBinaryPacketProtocol(RFC4253)

•  Encode-then-E&Mconstruction,statefulbecauseofinclusionof4-bytesequencenumber.

•  EncryptionoptionsinRFC4253:CBCmode;RC4.•  AES-CTRdefinedinRFC4344.31

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

Sequence Number 4

Packet Length 4

Pad Len 1

Padding ≥4

CBCmodeinSSH

•  RFC4253mandates3DES-CBCandrecommendsAES-CBC.

•  SSHusesachainedIVinCBCmode:–  IVforcurrentpacketisthelast

ciphertextblockfromthepreviouspacket.

–  EffectivelycreatesasinglestreamofdatafrommultipleSSHpackets.

Ci-1 Ci

Pi-1 Pi

Ci-1 Ci

CTRmodeinSSH

•  CTRmodeusesblockciphertobuildastreamcipher.

•  CTRmodeforSSHisstandardisedinRFC4344.•  Initialvalueofcounteris

obtainedfromhandshakeprotocol.

•  Counterrunsacrosspackets.•  Packetformatispreservedfrom

CBCcase.•  RFCrecommendsuseofAES-

CTRwith128,192and256-bitkeys,and3DES-CTR.

•  IVchainingattack:•  Chosenplaintext,distinguishingattackduetoRogaway,appliedtoSSHin[BKN02].•  NotfullyrealisticforSSHbecauseofformatrequirementsonthefirstblockof

plaintextandbecauseofchosenplaintextrequirement.•  ConstructionwithrandomIVsisIND-sfCCAsecure[BKN02].

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

Sequence Number 4

Packet Length 4

Pad Len 1

Padding ≥4

•  Howdoesdecryptionwork?•  Recall:receivergetsastreamofbytes,andasingleciphertext

canbefragmentedoverseveralTCPmessages.

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

Sequence Number 4

Packet Length 4

Pad Len 1

Padding ≥4

BreakingCBCmodeinSSH[APW09]

IV Ci*

•  Thereceiverwilltreatthefirst32bitsofthecalculatedplaintextblockasthepacketlengthfieldforthenewpacket.

•  Here: P0’=IV⊕dK(Ci*)whereIVisknown.

Targetciphertextblockfromstream

Lengthfield

IV Ci*

Theattackerthenfeedsrandomblockstothereceiver–  Oneblockatatime,waitingtoseewhathappensattheserver

wheneachnewblockisprocessed–  ThisispossiblebecauseSSHrunsoverTCPandtriestodoonline

processingofincomingblocks

IV Ci*

•  Onceenoughdatahasarrived,thereceiverwillreceivewhatitthinksistheMACtag–  TheMACcheckwillfailwithoverwhelmingprobability–  Consequentlytheconnectionisterminated(withanerrormessage)

•  Howmuchdatais“enough”sothatthereceiverdecidestochecktheMAC?

•  Answer:whateverisspecifiedinthelengthfield:

MAC tag

IV Ci*

Ci-1* Ci

•  KnowingIVand32bitsofP0’,theattackercannowrecover

32bitsofthetargetplaintextblockPi*:

Pi*=Ci-1

*⊕dK(Ci*)=Ci-1

*⊕IV⊕P0’

Furtherdetails

•  Theattackasdescribedrequirestheinjectionofcirca231bytesofciphertext(expectedvalueoflengthfield).

•  Itrecovers32bitsofplaintextwithprobability1.

•  AndleadstoanSSHconnectionteardown(onMACfailure).

•  TheattackworkswithrandomIVstoo,breakingtheschemethatwasprovensecurein[BKN02].

•  Somethingwentwrongsomewhere!

Furtherdetails–Lengthchecking

•  RFC4253requiresimplementationstocheckthatlengthfieldis“reasonable”.

•  Detailsareimplementation-specific.

•  Backin2009,theleadingimplementationwasOpenSSH,thenatversion5.1.

•  AccordingtoSSHwebpage,80%ofserversontheInternetwereusingOpenSSHaroundthattime.

Furtherdetails–LengthcheckinginOpenSSH

•  OpenSSH5.1performstwolengthchecksonthelengthfield(LF)whendecryptingthefirstciphertextblock:

•  Check1:5≤LF≤218.

•  Check2:totallength(4+LF)isamultipleoftheblocksize:

LF+4modBL=0.

•  Eachcheckproducesadifferenterrormessageonthenetwork,distinguishablebyattacker.

•  Ifbothcheckspass,thenOpenSSHwaitsformorebytes,thenperformsMACcheck,resultinginathirdkindoferrormessage.

Furtherdetails–LengthcheckinginOpenSSH

•  Check1(5≤LF≤218)passeswithprobabilityapprox.2-14.

•  Ifitpasses,thenwithhighprobability,14MSBsofLFare“0”.•  Pass/faildetectableviaerrormessage.

•  Henceattackwithsuccessprob.2-14recovering14bitsofconfirmedplaintext.

•  Check2(LF+4modBL=0)passeswithprobability1/BL,typically2-3or2-4.•  Ifitpasses,thensome(3or4)LSBsofLFarerevealed.

•  Pass/faildetectableviaerrormessage/connectionenteringwaitstate.

•  Ifwaitstateisentered,thentheattackproceedsasbefore.

•  Overall,theattackonOpenSSH5.1recovers32bitsofplaintextwithprob.2-18(forBL=16)andrequiresinjectionofatmost218bytesofdata.

Doestheattackmatter?

•  Ontheonehand,theattackhaslowsuccessrate,onlyrecovers32bitsofplaintext,andcausestheSSHconnectiontoabort.

•  Ontheotherhand,anattackercanapplytheattacktomanyconnections,boostinghisoverallsuccessrate.

•  Canalsoiteratetheattackagainstclientsthatperformauto-reconnects.

•  ThinkaboutwhatkindsofdataSSHmightbeprotecting.•  SSHwasmeanttobebullet-proof;theattackshoweditwasnot.

•  ItlefttheprovablesecurityoftheSSHBPPunresolved.44

Countermeasurestotheattack

•  AbandonCBC-mode?•  Alternativesavailableatthattime:CTR,RC4.

•  DropbearimplementedCTRandrelegatedCBCmodeinversion0.53.

•  Developnewmodes?•  ModesbasedonGenericEtM,AES-GCM,ChaCha20-Poly1305

weresubsequentlyaddedtoOpenSSH.

•  PatchCBC-mode?•  OpenSSH5.2alsointroducedapatchtostopthespecificattack

onCBCmode.

TheOpenSSHpatch

•  Basicidea:hidetheerrorsfromtheadversary.•  Ifthelengthchecksfail,donotsendanerrormessage,but

waituntil218byteshavearrived,thenchecktheMAC.

•  Ifthelengthcheckspass,buttheMACcheckeventuallyfails,thenwaituntil218byteshavearrived,thenchecktheMAC.

•  Noerrormessageiseversentuntil218bytesofciphertexthavearrived.

•  CannolongercountbytestoseehowmanyarerequiredtotriggerMACfailure.

TheorylessonfromtheSSHattack

•  Modelusedforsecurityproofin[BKN02]wasinadequate.•  Itassumedlengthwasknownandatomicprocessingof

ciphertexts.

•  ButfragmentedadversarialdeliveryofciphertextoverTCPispossible.

•  Implementationshavetodecryptfirstblocktofindouthowlongplaintextismeanttobe,andactonitbeforeperforminganyauthentication.

•  That’snotreflectedinanyoftheAE/AEADsecuritymodels!

•  Andthere’snoCAESARrequirementthatlookslikethis!

TheStateofAEADinSSHToday

ThestateofAEADinSSHtoday

•  In[ADHP16],weperformedameasurementstudyofSSHdeployment.

•  WeconductedtwoIPv4addressspacescansinNov/Dec2015andJan2016usingZGrab/ZMap.

•  GrabbingbannersandSSHservers’preferredciphers.•  ActualcipherusedinagivenSSHconnectiondependsonclient

andserverpreferences.

•  Roughly224serversfoundineachscan.

•  Nmapfingerprintingsuggestsmostlyembeddedrouters,firewalls.

ThestateofAEADinSSHtoday:SSHversions

MostlyOpenSSHanddropbear;others

lessthan5%.

Dropbearat56-58%.886kolderthenversion0.53,sovulnerabletovariantof2009CBC-

modeattack!

OpenSSHat37-39%.130-166kolderthenversion5.2andprefer

CBCmode,sovulnerableto2009

attack!

•  DropbearnowdominatesOpenSSH.•  Butmaybeswitchingbackagain:ComcastcableIPaddress

rangedroppedfrom2M+devicesrunningDropbear(Feb2016)to83k(May2016).

•  Longtailofoldsoftwareversions.•  MostpopularversionofOpenSSHisversion5.3,releasedOct

2009(currentversionis7.2).

•  DeterminedbymajorLinuxdistros?

•  SignificantpercentageofDropbearandOpenSSHserversarepotentiallystillvulnerabletothe2009attack.•  8.4%forDropbear.

ThestateofAEADinSSHtoday:preferredalgorithms

OpenSSH preferred algorithms

•  Lotsofdiversity,surprisingamountof“genericEtM”(gEtM).

•  CTRdominates,followedbyCBC.

•  ChaCha20-Poly1305ontherise?(becamedefaultinOpenSSH6.9).

•  SmallamountofGCM.

ThestateofAEADinSSHtoday:preferredalgorithms

Dropbear preferred algorithms

•  LessdiversitythanOpenSSH.

•  CTRdominates,followedatalongdistancebyCBC.

•  No“exotic”options.

ANewAttackonCBCmodeinOpenSSH

TheOpenSSHpatch

•  Version5.2+CBCmodepreferredbyroughly20kOpenSSHservers.

•  RecalltheOpenSSHpatch,inversion5.2andup:•  Ifthelengthchecksfail,donotsendanerrormessage,butwait

until218byteshavearrived,thenchecktheMAC.

•  Ifthelengthcheckspass,buttheMACcheckeventuallyfails,thenwaituntil218byteshavearrived,thenchecktheMAC.

•  OneMACcheckisdoneiflengthchecksfail:on218bytes.

•  TwoMACchecksaredoneiflengthcheckspass:oneonroughlyLFbytes,theotheron218bytes.

AttackingtheOpenSSHpatch[ADHP16]

•  ThisleadstoatimingattackonCBCmodeinOpenSSH5.2andup:1. InjecttargetciphertextblockCi

*.2. Thensend218bytesasquicklyaspossibletoserver.

3. TimethearrivaloftheMACfailuremessage.

•  FastarrivalindicatesthatlengthchecksfailedandoneMACcomputation.

•  SlowarrivalindicatesthatthelengthcheckspassedandtwoMACcomputations.

•  Thisleaks18bitsofinformationaboutthelengthfield,andhence18bitsaboutthetargetblock.

•  Sizeoftimingdifference:•  AMACcomputationonroughly217bytes(theexpectedvalueofLF).

•  ForHMAC-SHA1,thisrequires211hashcompressionfunctionevaluations.

•  cf.Lucky13timingdifference:asinglehashcompressionfunction!

•  Remoteattackercaneasilydetectdifference.

•  Successprobabilityoftheattack:•  Needtopassbothlengthchecks,so2-18.

•  Canincreasesuccessrategivenpartialplaintextknowledgeintargetblock.

•  (Idea:waitfortherightIVbeforemountingtheattack;moresevereattackforrandom,explicitIVversion.)

•  Increasenumberofplaintextbitsrecoveredbyusingfiner-grainedtiminginformation.•  BecausethetimingdelayisproportionaltothevalueofLF.

•  Iftiminggranularity=1compressionfunctionevaluation,thenwecanrecoverupto30bitsofplaintextfromtargetblock.

•  Challenging,butnotimpossibleinco-residentattackerscenario.

•  Possiblecountermeasuretotheattack:ifMACfails,thencomputesecondMACon218–LFbytesinsteadofonall218bytes.

•  StillleavesresidualtimingdifferencebecauseoffinedetailsofHMAC.

•  Reallyneedconstanttimeimplementationofdecryptionalgorithmtoeliminatethisclassofattack.

Disclosureoftheattack

•  WenotifiedtheOpenSSHteamoftheattackon5thMay2016.

•  TheyareconsideringaddingcountermeasuresforthenextreleaseofOpenSSH(7.3).

•  “…wedonotfeelthatanemergencyreleaseisnecessary,northattheattackremainsecretaheadofsucharelease.”

•  OpenSSHhassteadilybeendeprecatingoldalgorithmsandmodes.

•  CBCmodewasalreadydisabledbydefaultinOpenSSH6.7(butcanbere-enabled).

•  ButOpenSSHcannotforcepeopletostopusingoldversionsofthesoftware.

SecurityanalysisofotherSSHandOpenSSHmodes–CTR,gEtM,AES-GCM,ChaCha20Poly1305

Securityanalysisofotherencryptionmodes

•  The[APW09]attacksexploitstheattacker’sabilitytodeliverciphertextfragmentsandthe“cut-and-paste”propertiesofCBC-mode:

•  Decryptionoftargetblockinwrongpositionismeaningfullyrelatedtoitsdecryptionintrueposition:

IV Ci*

Ci-1* Ci

Securityanalysisofotherencryptionmodes

•  ThecutandpastepropertydoesnotholdforCTRmode.

•  InsertingCi*inthestreamresultsinunrelatedplaintext:

P0’=Ci

*⊕eK(ctr0)=Pi*⊕eK(ctri)⊕eK(ctr0)

•  ButisCTRmodesecureagainstanadversarywhocandeliverciphertextinafragmentedfashion?

•  Classicalsecuritymodelsforsymmetricencryptioncannottellustheanswer.

•  AndwhatabouttheothermodesthathavebeenaddedtoOpenSSHsince2009?•  gEtM,AES-GCM,ChaCha20Poly1305.

SecurityanalysisofCTRmodeinSSH

•  [PW10]developedabespokesecuritymodelforCTRmodeinSSHandproveditsecure(assumingblockcipherisaPRP).

•  Themodelallowstheattackertodeliverciphertextstodecryptionoracleinabyte-by-bytefashion.

•  DecryptionoracleintendedtoaccuratelymodelOpenSSH’sCTRmodeimplementation.

•  Sanitycheckingoflengthfield,withrelatederrormessages,MACfailures,etc.

•  Complexpseudo-codedescriptionsofalgorithmsandoracles.

SecurityanalysisofotherOpenSSHencryptionmodes

•  [BDPS12]developedageneralframeworkforstudying“SymmetricEncryptionschemessupportingfragmenteddecryption”.

•  TheIND-CFAmodelallowstheattackertodeliverciphertexttoadecryptionoracleinasymbol-by-symbolfashionandobserveanyerrors/messageoutputs.

•  [BDPS12]alsoidentifiedadditionalsecuritypropertiesthatSSHattemptstoprovide:•  BoundaryHiding(BH)andDenial-of-Serviceresistance.

SecurityanalysisofotherOpenSSHencryptionmodes

•  [ADHP16]usedtheframeworkof[BDPS12]tostudygEtM,AES-GCM,andChaCha20-Poly1305inOpenSSH.

•  gEtMandAES-GCM:•  DerivedfromAEADschemeswithAD=lengthfield(nowunencrypted).

•  Hencesanitycheckingoflengthfieldcannotrevealanythingusefultoadversary.

•  IssueinOpenSSHcodeforgEtM:becauseofsharedpathwithlegacyE&Mcode,theMACiscomputedoncetheciphertexthasarrivedbutisnotcomparedtoreceivedMACuntilafterdecryption.

•  Henceanyerrorsarisingduringdecryptionstepwillbesignalledtoattacker.

•  Notasecuritythreatforanycurrentlyspecifiedencryptionschemes.

•  Both(fixed)gEtMandAES-GCMareprovablysecure.

ChaCha20-Poly1305inOpenSSH

Payload

MAC tag

Packet Length 4

Pad Len 1

Padding ≥4

K1IV = SQN||064 ChaCha20 ChaCha20

K2IV = SQN||0631

ChaCha20 K2

IV = SQN||0630

KpolyPoly1305

SecurityanalysisofChaCha20-Poly1305inOpenSSH

•  ChaCha20-Poly1305inOpenSSH:•  64-bytekeyissplitintotwohalves,K1,K2.

•  K1usedtoencryptSSHlengthfieldusingChaCha20.

•  K2usedtoencrypteverythingelse,alsousingChaCha20.

•  Poly1305MACkeyisobtainedas:

ChaCha20(K2,IV=SQN||0630,M=0256).

•  MACappliedtobothciphertextcomponents.

•  Analysismorecomplexbecauseofencryptedlengthfield.

•  Ideaisthatusingseparatekeysforencryptinglengthfieldandthereststopsattacks.

•  CTRmodeanalysisshowsthistobeunnecessary.

Closingremarks

•  Simplesecuritymodelsforsymmetricencryptionversuscomplexsecuritypropertiesdesiredofsecurechannels.

•  Infact,ourmodelsforsecurechannelsarestillevolving...

•  Thereismuchyettobedonehere,butcommunity’sfocusiscurrentlymostlyonAEAD.

•  Keytake-aways:

•  Takecryptographer’sabstractionswithapinchofsalt.

•  Thinktop-down,andonlybottom-up(fromAPItocrypto,notthereverse).

Closingremarks

Authenticated Encryption in SSH · Introduction to SSH 30 Secure Shell or SSH is a network protocol...

Documents