The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.
Keywords: Authenticated encryption, Secure Shell, SSH, stateful decryption, security proofs.
Proceedings version (titled "Authenticated encryption in SSH: Provably fixing the SSH Binary Packet Protocol"):
Full version: PDF.