a surfeit of ssh cipher suites
play

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul - PowerPoint PPT Presentation

Nov 16, 2023 •97 likes •356 views

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and Kenneth G. Paterson ACM CCS - 27/10/2016 Outline of this talk Overview of SSH and related work. SSH deployment statistics. A new attack on

  1. A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and Kenneth G. Paterson ACM CCS - 27/10/2016

  2. Outline of this talk • Overview of SSH and related work. • SSH deployment statistics. • A new attack on CBC-mode in OpenSSH. • Security analysis of ‘new’ OpenSSH AE modes. 2

  3. Overview of SSH and Related Work

  4. The SSH Binary Packet Protocol (RFC 4253) Sequence Packet Pad Payload Padding ≥4 Number Length Len 1 4 4 Encrypt PRF-MAC Ciphertext MAC tag • Encode-then-Encrypt&MAC construction, stateful because of inclusion of 4-byte sequence number. • Packet length field measures the size of the packet : |PadLen|+ |Payload| + |Padding| . • RFC 4253 (2006): various block ciphers in CBC mode (with chained IV) and RC4 . • RFC 4344 (2006): added Counter mode for the corresponding block ciphers. 4

  5. Timeline of related work on SSH-BPP 2002. • Formal security analysis of SSH-BPP by Bellare, Kohno and Namprempre [BKN02]. They introduced an extended security model and proved SSH-CTR and SSH-CBC variants (w/o IV chaining) secure. 2009. • Albrecht, Paterson and Watson [APW09] found a plaintext-recovery attack against SSH in CBC mode . • The leading implementation was OpenSSH (reported 80% of servers), and they released a patch in version 5.2 to stop this specific attack on CBC mode. • The attack exploited fragmented delivery in TCP/IP , and worked on all CBC variants considered in [BKN02]. 5

  6. Timeline of related work on SSH-BPP 2010. • The [APW09] attack highlighted a deficiency in the [BKN02] security model. • Paterson and Watson [PW10] prove SSH-CTR secure in an extended model that captures fragmented delivery of ciphertexts. 2012. • Boldyreva, Degabriele, Paterson and Stam [BDPS12] study ciphertext fragmentation more generally, addressing limitations in the [PW10] model. • Furthermore they consider boundary hiding and resistance to a special type of denial of service attack as additional security requirements. • Both aspects are inherently related to ciphertext fragmentation and correspond to the SSH design choices of encrypting the length field and validating its contents. 6

  7. SSH Deployment Today

  8. SSH deployment today • We performed a measurement study of SSH deployment. • We conducted two IPv4 address space scans in Nov/Dec 2015 and Jan 2016 using ZGrab/ZMap. • Grabbing banners and SSH servers’ preferred algorithms. • Actual cipher used in a given SSH connection depends on client and server preferences. • Roughly 2 24 servers found in each scan. • Nmap fingerprinting suggests mostly embedded routers and firewalls. 8

  9. The state of SSH today: SSH versions Mostly OpenSSH and dropbear; others 9 less than 5%.

  10. The state of SSH today: SSH versions Dropbear at 56-58%. 886k older than version 0.52, so vulnerable to variant of 2009 CBC- mode attack! 10

  11. The state of SSH today: SSH versions OpenSSH at 37-39%. 130-166k older than version 5.2 and prefer CBC mode, so vulnerable to 2009 attack! 11

  12. The state of SSH today: preferred algorithms OpenSSH preferred algorithms (@ stands for @openssh.com) • Lots of diversity (155 combinations). • CTR dominates, followed by CBC, surprising amount of EtM. • ChaCha20-Poly1305 on the rise? (became default in OpenSSH 6.9). • Small amount of GCM. 12

  13. The state of SSH today: preferred algorithms Dropbear preferred algorithms • Less diversity than OpenSSH. • CTR also dominates, followed by CBC. • No “exotic” options. 13

  14. An Attack on Patched OpenSSH with CBC

  15. The [APW09] Attack (simplified) • Decryption in OpenSSH: • The first block of a packet to be received is decrypted and the length field LF is extracted. • It is then checked that 5 ≤ LF ≤ 2 18 , and if not an error is sent. • If the test passes, it waits until LF bytes are received and then verifies the MAC. • The number of bytes sent until a “MAC invalid” error is observed leaks the value of LF. • Any intercepted ciphertext block can be sent as the first block, if successful the attack will recover its first 4 bytes. 15

  16. The OpenSSH 5.2 patch • Basic idea: make errors independent of LF. • If the length check fails, do not send an error message, but wait until 2 18 bytes have arrived, then check the MAC. • If the length checks pass, but the MAC check eventually fails, then wait until 2 18 bytes have arrived, then check the MAC. • No error message is ever sent until 2 18 bytes of ciphertext have arrived. • Can no longer count bytes to see how many are required to trigger MAC failure. 16

  17. However an attack is still possible… • One MAC check is done if length check fails: on 2 18 bytes. • Two MAC checks are done if length checks pass: one on roughly LF bytes, the other on 2 18 bytes. • This leads to a timing attack which verifiably recovers 18 bits with success probability 2 -18 . • Up to 30 bits may be recovered with more fine- grained timing information. • Version 5.2 + CBC mode preferred by roughly 20k OpenSSH servers. 17

  18. Security Analysis of OpenSSH AE Modes

  19. OpenSSH authenticated encryption modes • Since [APW09] a number of new schemes have been introduced in OpenSSH. • AES-GCM: since v6.2; length field is not encrypted but is instead treated as associated data. • generic Encrypt-then-MAC (gEtM): since v6.2; overrides native E&M processing; length field also not encrypted but covered by the MAC. • ChaCha20-Poly1305@openssh.com: since v6.5 and promoted to default in v6.9; reintroduces encryption of the length field . 19

  20. ChaCha20-Poly1305@openssh.com Packet Pad SQN Payload Padding ≥4 Length Len 1 4 4 K 1 K 2 ChaCha20 ChaCha20 [SQN] 64 ,Blk=[0] 64 [SQN] 64 ,Blk=[1] 64 C 1 C 2 0 256 K 2 ChaCha20 [SQN] 64 ,Blk=[0] 64 Poly1305 K poly MAC tag 20

  21. Security analysis in the presence of fragmentation • We used the framework of [BDPS12] to analyse the security of these schemes. • We identified and fixed a technical issue in the IND-sfCFA confidentiality definition. • Introduced a matching notion of ciphertext integrity , INT-sfCTXT, which was not considered in [BDPS12]. • We made an effort to reflect closely the OpenSSH code. • Issue in gEtM : retrofitted in legacy E&M code - the MAC is computed once the ciphertext has arrived but is not compared to received MAC until after decryption! 21

  22. Security analysis of ChaCha20-Poly1305 in OpenSSH Security comparison of SSH AE modes • BH-CPA (passive adversary), BH-sfCFA (active adversary). • n-DOS-sfCFA: inability to produce n-bit sequence of fragments that produces no output (w/o limiting max packet size to n). 22

  23. Concluding Remarks

  24. Concluding Remarks • We notified the OpenSSH team of our new attack on CBC and the problem in generic EtM. • Both issues were addressed in OpenSSH v7.3, released in August 2016. • None of the schemes in use possesses all security properties that one may consider desirable for SSH. • Yet such schemes do exist, e.g. InterMAC from [BDPS12]. 24

  25. The End –Thank You

Recommend

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4 CONNECTING JUNIOR SUITES 4 PRIVATE JUNIOR SUITES 2 FAMILY SUITES 2 SELENI SUITES 1 PRIVATE SELENI SUITE 1 SUPERIOR SELENI SUITE 2 SMALL APARTMENTS

853 views • 74 slides
TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4 CONNECTING JUNIOR SUITES 4 PRIVATE JUNIOR SUITES 2 FAMILY SUITES 2 SELENI SUITES 1 PRIVATE SELENI SUITE 1 SUPERIOR SELENI SUITE 2 SMALL APARTMENTS

1.15k views • 75 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I

SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I

PARK HYATT CHICAGO SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I T E G O L D C O A S T S U I T E L A K E S U I T E W A T E R T O W E R S U I T E *13 suites total PARK SUITE This suite

402 views • 15 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed

Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed

Introducing our new Deluxe Suites Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed with the ultimate luxury, elegance and comfort in mind. They feature king size luxury beds, comfortable sofa

712 views • 14 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Osmocom TTCN-3 Test Suites Harald Welte <laforge@gnumonks.org> Osmocom TTCN-3 Test Suites

Osmocom TTCN-3 Test Suites Harald Welte <laforge@gnumonks.org> Osmocom TTCN-3 Test Suites

Osmocom TTCN-3 Test Suites Harald Welte <laforge@gnumonks.org> Osmocom TTCN-3 Test Suites developed in 2017+2018 compiled using Eclipse TITAN uses just a command-line compiler + Makefiles no IDE needed at all, dont let Eclipse fool you

805 views • 21 slides
Y O U R P L A C E Y O U R L I F E b r o u g h t t o y ou b y RESIDENCES SUITES 0 2

Y O U R P L A C E Y O U R L I F E b r o u g h t t o y ou b y RESIDENCES SUITES 0 2

Y O U R P L A C E Y O U R L I F E b r o u g h t t o y ou b y RESIDENCES SUITES 0 2 DISCLAIMER: The Illustration are artist impressions and serve only to give an approximate idea of the project. SEMANGGI Kuningan CBD Medistra Hospital

556 views • 26 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides

More recommend