a surfeit of ssh cipher suites
play

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul - PowerPoint PPT Presentation

Nov 16, 2023 •97 likes •356 views

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and Kenneth G. Paterson ACM CCS - 27/10/2016 Outline of this talk Overview of SSH and related work. SSH deployment statistics. A new attack on

  1. A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and Kenneth G. Paterson ACM CCS - 27/10/2016

  2. Outline of this talk • Overview of SSH and related work. • SSH deployment statistics. • A new attack on CBC-mode in OpenSSH. • Security analysis of ‘new’ OpenSSH AE modes. 2

  3. Overview of SSH and Related Work

  4. The SSH Binary Packet Protocol (RFC 4253) Sequence Packet Pad Payload Padding ≥4 Number Length Len 1 4 4 Encrypt PRF-MAC Ciphertext MAC tag • Encode-then-Encrypt&MAC construction, stateful because of inclusion of 4-byte sequence number. • Packet length field measures the size of the packet : |PadLen|+ |Payload| + |Padding| . • RFC 4253 (2006): various block ciphers in CBC mode (with chained IV) and RC4 . • RFC 4344 (2006): added Counter mode for the corresponding block ciphers. 4

  5. Timeline of related work on SSH-BPP 2002. • Formal security analysis of SSH-BPP by Bellare, Kohno and Namprempre [BKN02]. They introduced an extended security model and proved SSH-CTR and SSH-CBC variants (w/o IV chaining) secure. 2009. • Albrecht, Paterson and Watson [APW09] found a plaintext-recovery attack against SSH in CBC mode . • The leading implementation was OpenSSH (reported 80% of servers), and they released a patch in version 5.2 to stop this specific attack on CBC mode. • The attack exploited fragmented delivery in TCP/IP , and worked on all CBC variants considered in [BKN02]. 5

  6. Timeline of related work on SSH-BPP 2010. • The [APW09] attack highlighted a deficiency in the [BKN02] security model. • Paterson and Watson [PW10] prove SSH-CTR secure in an extended model that captures fragmented delivery of ciphertexts. 2012. • Boldyreva, Degabriele, Paterson and Stam [BDPS12] study ciphertext fragmentation more generally, addressing limitations in the [PW10] model. • Furthermore they consider boundary hiding and resistance to a special type of denial of service attack as additional security requirements. • Both aspects are inherently related to ciphertext fragmentation and correspond to the SSH design choices of encrypting the length field and validating its contents. 6

  7. SSH Deployment Today

  8. SSH deployment today • We performed a measurement study of SSH deployment. • We conducted two IPv4 address space scans in Nov/Dec 2015 and Jan 2016 using ZGrab/ZMap. • Grabbing banners and SSH servers’ preferred algorithms. • Actual cipher used in a given SSH connection depends on client and server preferences. • Roughly 2 24 servers found in each scan. • Nmap fingerprinting suggests mostly embedded routers and firewalls. 8

  9. The state of SSH today: SSH versions Mostly OpenSSH and dropbear; others 9 less than 5%.

  10. The state of SSH today: SSH versions Dropbear at 56-58%. 886k older than version 0.52, so vulnerable to variant of 2009 CBC- mode attack! 10

  11. The state of SSH today: SSH versions OpenSSH at 37-39%. 130-166k older than version 5.2 and prefer CBC mode, so vulnerable to 2009 attack! 11

  12. The state of SSH today: preferred algorithms OpenSSH preferred algorithms (@ stands for @openssh.com) • Lots of diversity (155 combinations). • CTR dominates, followed by CBC, surprising amount of EtM. • ChaCha20-Poly1305 on the rise? (became default in OpenSSH 6.9). • Small amount of GCM. 12

  13. The state of SSH today: preferred algorithms Dropbear preferred algorithms • Less diversity than OpenSSH. • CTR also dominates, followed by CBC. • No “exotic” options. 13

  14. An Attack on Patched OpenSSH with CBC

  15. The [APW09] Attack (simplified) • Decryption in OpenSSH: • The first block of a packet to be received is decrypted and the length field LF is extracted. • It is then checked that 5 ≤ LF ≤ 2 18 , and if not an error is sent. • If the test passes, it waits until LF bytes are received and then verifies the MAC. • The number of bytes sent until a “MAC invalid” error is observed leaks the value of LF. • Any intercepted ciphertext block can be sent as the first block, if successful the attack will recover its first 4 bytes. 15

  16. The OpenSSH 5.2 patch • Basic idea: make errors independent of LF. • If the length check fails, do not send an error message, but wait until 2 18 bytes have arrived, then check the MAC. • If the length checks pass, but the MAC check eventually fails, then wait until 2 18 bytes have arrived, then check the MAC. • No error message is ever sent until 2 18 bytes of ciphertext have arrived. • Can no longer count bytes to see how many are required to trigger MAC failure. 16

  17. However an attack is still possible… • One MAC check is done if length check fails: on 2 18 bytes. • Two MAC checks are done if length checks pass: one on roughly LF bytes, the other on 2 18 bytes. • This leads to a timing attack which verifiably recovers 18 bits with success probability 2 -18 . • Up to 30 bits may be recovered with more fine- grained timing information. • Version 5.2 + CBC mode preferred by roughly 20k OpenSSH servers. 17

  18. Security Analysis of OpenSSH AE Modes

  19. OpenSSH authenticated encryption modes • Since [APW09] a number of new schemes have been introduced in OpenSSH. • AES-GCM: since v6.2; length field is not encrypted but is instead treated as associated data. • generic Encrypt-then-MAC (gEtM): since v6.2; overrides native E&M processing; length field also not encrypted but covered by the MAC. • ChaCha20-Poly1305@openssh.com: since v6.5 and promoted to default in v6.9; reintroduces encryption of the length field . 19

  20. ChaCha20-Poly1305@openssh.com Packet Pad SQN Payload Padding ≥4 Length Len 1 4 4 K 1 K 2 ChaCha20 ChaCha20 [SQN] 64 ,Blk=[0] 64 [SQN] 64 ,Blk=[1] 64 C 1 C 2 0 256 K 2 ChaCha20 [SQN] 64 ,Blk=[0] 64 Poly1305 K poly MAC tag 20

  21. Security analysis in the presence of fragmentation • We used the framework of [BDPS12] to analyse the security of these schemes. • We identified and fixed a technical issue in the IND-sfCFA confidentiality definition. • Introduced a matching notion of ciphertext integrity , INT-sfCTXT, which was not considered in [BDPS12]. • We made an effort to reflect closely the OpenSSH code. • Issue in gEtM : retrofitted in legacy E&M code - the MAC is computed once the ciphertext has arrived but is not compared to received MAC until after decryption! 21

  22. Security analysis of ChaCha20-Poly1305 in OpenSSH Security comparison of SSH AE modes • BH-CPA (passive adversary), BH-sfCFA (active adversary). • n-DOS-sfCFA: inability to produce n-bit sequence of fragments that produces no output (w/o limiting max packet size to n). 22

  23. Concluding Remarks

  24. Concluding Remarks • We notified the OpenSSH team of our new attack on CBC and the problem in generic EtM. • Both issues were addressed in OpenSSH v7.3, released in August 2016. • None of the schemes in use possesses all security properties that one may consider desirable for SSH. • Yet such schemes do exist, e.g. InterMAC from [BDPS12]. 24

  25. The End –Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4 CONNECTING JUNIOR SUITES 4 PRIVATE JUNIOR SUITES 2 FAMILY SUITES 2 SELENI SUITES 1 PRIVATE SELENI SUITE 1 SUPERIOR SELENI SUITE 2 SMALL APARTMENTS

853 views • 74 slides
TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4

TOTAL NUMBER OF SUITES 26 7 JUNIOR SUITES 2 JUNIOR SUITES FOR PEOPLE WHO NEED SPECIAL CARE 4 CONNECTING JUNIOR SUITES 4 PRIVATE JUNIOR SUITES 2 FAMILY SUITES 2 SELENI SUITES 1 PRIVATE SELENI SUITE 1 SUPERIOR SELENI SUITE 2 SMALL APARTMENTS

1.15k views • 75 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I

SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I

PARK HYATT CHICAGO SUITES P A R K H Y A T T C H I C A G O the SUITES P A R K S U I T E E X E C U T I V E S U I T E G O L D C O A S T S U I T E L A K E S U I T E W A T E R T O W E R S U I T E *13 suites total PARK SUITE This suite

402 views • 15 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed

Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed

Introducing our new Deluxe Suites Deluxe Studio Suites Anemi DELUXE Studios Our Deluxe Studio suites have been carefully designed with the ultimate luxury, elegance and comfort in mind. They feature king size luxury beds, comfortable sofa

712 views • 14 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Update on Diagnosis of Myelodysplastic Syndromes Jay L. Patel, MD Disclosure None

Update on Diagnosis of Myelodysplastic Syndromes Jay L. Patel, MD Disclosure None

Update on Diagnosis of Myelodysplastic Syndromes Jay L. Patel, MD Disclosure None Objectives Review current diagnostic criteria pertaining to myelodysplastic syndromes Understand the relevance of selected somatic gene mutations

737 views • 25 slides
Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting?

Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting?

Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting? Kenny Paterson Information Security Group Overview Introduction to TLS (and why YOU

1.25k views • 76 slides
CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization and country in the chat Function: Example: Peter Pan, Office of the Auditor General, Never Never Land Please use the chat function to communicate

373 views • 34 slides
Symmetric and Password-based encrypDon CS642: Computer

Symmetric and Password-based encrypDon CS642: Computer

Symmetric and Password-based encrypDon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University

330 views • 29 slides
https://xkcd.com/538/ Cryptocurrencies & Security on the Blockchain Cryptography Review

https://xkcd.com/538/ Cryptocurrencies & Security on the Blockchain Cryptography Review

https://xkcd.com/538/ Cryptocurrencies & Security on the Blockchain Cryptography Review Prof. Tom Austin San Jos State University Goals of Cryptography Confidentiality Protecting secrets Integrity Notice when something

980 views • 42 slides
Midterm 3 Review Slides Coordinate Systems on R n Recall: A set of n vectors { v 1 , v 2 , . . . ,

Midterm 3 Review Slides Coordinate Systems on R n Recall: A set of n vectors { v 1 , v 2 , . . . ,

Midterm 3 Review Slides Coordinate Systems on R n Recall: A set of n vectors { v 1 , v 2 , . . . , v n } form a basis for R n if and only if the matrix C with columns v 1 , v 2 , . . . , v n is invertible. If x = c 1 v 1 + c 2 v 2 + + c n

529 views • 16 slides
Overview of TLS v1.3 Whats new, whats removed and whats changed? About Me Andy

Overview of TLS v1.3 Whats new, whats removed and whats changed? About Me Andy

Overview of TLS v1.3 Whats new, whats removed and whats changed? About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a mathematician!

773 views • 61 slides

More recommend