Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Authors: M. Bellare, T. Kohno and C. Namprempre

Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol or to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

Ref: ACM Transactions on Information and System Security (TISSEC), Vol. 7, Iss. 2, May 2004, pp. 206--241. The preliminary version of this paper was entitled Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol, and appeared in the Proceedings of the 9th ACM conference on Computer and Communications Security (CCS), ACM, 2002. Full paper available below.

Full paper: Available as compressed postscript, postscript, or pdf. ( Help if this doesn't work).

Internet draft: SSH transport layer encryption modes. See also the secure shell working group web page.