Douglas Stebila
Multi-ciphersuite security of the Secure Shell (SSH) protocol
Abstract
The Secure Shell (SSH) protocol is widely used to provide secure remote access to servers, making it among the most important security protocols on the Internet. We show that the signed-Diffie–Hellman SSH ciphersuites of the SSH protocol are secure: each is a secure authenticated and confidential channel establishment (ACCE) protocol, the same security definition now used to describe the security of Transport Layer Security (TLS) ciphersuites. While the ACCE definition suffices to describe the security of individual ciphersuites, it does not cover the case where parties use the same long-term key with many different ciphersuites: it is common in practice for the server to use the same signing key with both finite field and elliptic curve Diffie–Hellman, for example. While TLS is vulnerable to attack in this case, we show that SSH is secure even when the same signing key is used across multiple ciphersuites. We introduce a new generic multi-ciphersuite composition framework to achieve this result in a black-box way.
Keywords: Secure Shell (SSH), key agility, cross-protocol security, multi-ciphersuite, authenticated and confidential channel establishment
Winner of the best student paper award.
Reference
Florian Bergsma, Benjamin Dowling, Florian Kohlar, Jörg Schwenk, Douglas Stebila. Multi-ciphersuite security of the Secure Shell (SSH) protocol. In Moti Yung, Ninghui Li, editors, Proc. 21st ACM Conference on Computer and Communications Security (CCS) 2014, pp. 369-381. ACM, November 2014. © ACM.
Presentations
- 2014-09-22: University of Waterloo Centre for Applied Cryptographic Research. (PDF slides)
- 2014-09-09: Gjøvik University College, Norway.
- 2014-07-18: Microsoft Research Redmond. (PDF slides)
- 2014-06-03: Secure Key Exchange and Channels Workshop 2014, Bertinoro, Italy. More technical version of January 2014 talk below. (PDF slides)
- 2014-01-14: Real World Cryptography 2014. Less technical version of June 2014 talk above. (PDF slides)
Funding
This research was supported by:
- Australian Research Council (ARC) Discovery Project grant DP130104304
- the Australian Technology Network–German Academic Exchange Service (ATN-DAAD) Joint Research Co-operation Scheme
- the European Community (FP7/2007-2013) under grant agreement number ICT-2007-216646 - European Network of Excellence in Cryptology II (ECRYPT II)