Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm
Mihir Bellare, Tadayoshi Kohno, and Chanathip Namprempre.
Journal version: ACM Transactions on Information and System Security, 7(2), May 2004.
Conference version: 9th ACM Conference on Computer and Communications Security, November 18-22, 2002.


The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

Keywords: Authenticated encryption, Secure Shell, SSH, stateful decryption, security proofs.


Proceedings version (titled "Authenticated encryption in SSH: Provably fixing the SSH Binary Packet Protocol"): gzipped-PostScript and PDF.
Full version: PDF.

List of papers.