Multi-Ciphersuite Security of the Secure Shell (SSH) Protocol

Florian Bergsma, Benjamin Dowling, Florian Kohlar, Jörg Schwenk, Douglas Stebila

ACM Conference on Computer and Communications Security (Best Student Paper Award)

Abstract

The Secure Shell (SSH) protocol is widely used to provide secure remote access to servers, making it among the most important security protocols on the Internet. We show that the signed-Diffie-Hellman ciphersuites of the SSH protocol are secure: each is a secure authenticated and confidential channel establishment (ACCE) protocol, the same security definition now used to describe the security of Transport Layer Security (TLS) ciphersuites.

While the ACCE definition suffices to describe the security of individual ciphersuites, it does not cover the case where parties use the same long-term key with many different ciphersuites: it is common in practice for the server to use the same signing key with both finite field and elliptic curve Diffie-Hellman, for example. While TLS is vulnerable to attack in this case, we show that SSH is secure even when the same signing key is used across multiple ciphersuites. We introduce a new generic multi-ciphersuite composition framework to achieve this result in a black-box way.
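The mechanism behind the cross-ciphersuite result is that in SSH the server's host-key signature covers the exchange hash H, which is computed over the complete negotiation transcript (both KEXINIT messages, the host key, the Diffie-Hellman values and the shared secret; RFC 4253 §8). The following Python script is an added illustration written for this page, not code from the paper or its authors: it implements the SSH wire encodings and the exchange hash, runs a toy Diffie-Hellman exchange in a deliberately tiny constructed group, and checks that a signature produced over one negotiated algorithm list does not verify against a transcript with a different one, even though the host key and the DH values are identical. The HMAC used in place of the host-key signature, the group parameters, the version strings, the host key blob and the private exponents are all constructed stand-ins.

```python
"""Added illustration: SSH binds the host-key signature to the negotiated
algorithms via the exchange hash H (RFC 4253 §7.1 and §8).
All group parameters, keys and cookies below are constructed for the demo
and are NOT secure; the HMAC is a stand-in for a real host-key signature."""
import hashlib
import hmac


# --- SSH wire encodings (RFC 4253 §5) ---
def ssh_string(b: bytes) -> bytes:
    """'string': uint32 big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:
    """'mpint': two's-complement big-endian integer, minimal length, as a string."""
    if n == 0:
        return ssh_string(b"")
    length = (n.bit_length() + 8) // 8  # one extra byte whenever the top bit would be set
    return ssh_string(n.to_bytes(length, "big", signed=True))


def name_list(names) -> bytes:
    """'name-list': comma-separated ASCII names, as a string."""
    return ssh_string(",".join(names).encode("ascii"))


def kexinit(cookie: bytes, kex_algs, hostkey_algs, enc_algs) -> bytes:
    """Simplified SSH_MSG_KEXINIT (msg id 20): only the first three name-lists are modelled."""
    return bytes([20]) + cookie + name_list(kex_algs) + name_list(hostkey_algs) + name_list(enc_algs)


def exchange_hash(V_C, V_S, I_C, I_S, K_S, e, f, K, hash_name="sha256") -> bytes:
    """H = hash(string V_C || string V_S || string I_C || string I_S || string K_S
                || mpint e || mpint f || mpint K)   (RFC 4253 §8)."""
    h = hashlib.new(hash_name)
    for s in (V_C, V_S, I_C, I_S, K_S):
        h.update(ssh_string(s))
    for n in (e, f, K):
        h.update(ssh_mpint(n))
    return h.digest()


# Stand-in for the server's long-term host-key signature over H. A real server signs H
# with RSA/ECDSA/Ed25519; the transcript-binding argument does not depend on the algorithm.
HOST_SECRET = b"constructed-host-key-secret"


def host_sign(H: bytes) -> bytes:
    return hmac.new(HOST_SECRET, H, hashlib.sha256).digest()


def host_verify(H: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(host_sign(H), sig)


# Toy Diffie-Hellman group: p = 2**64 - 59, g = 2 (demo only, far too small for real use).
P, G = (1 << 64) - 59, 2
V_C, V_S = b"SSH-2.0-demo_client", b"SSH-2.0-demo_server"
K_S = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)  # constructed host key blob
CLIENT_KEX = ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"]


def run_kex(server_kex_list):
    """Server side of one exchange: returns transcript pieces, H and the signature over H."""
    I_C = kexinit(b"\x01" * 16, CLIENT_KEX, ["ssh-ed25519"], ["aes128-ctr"])
    I_S = kexinit(b"\x02" * 16, server_kex_list, ["ssh-ed25519"], ["aes128-ctr"])
    x, y = 0x1234567, 0x7654321  # fixed private exponents (demo only)
    e, f = pow(G, x, P), pow(G, y, P)
    K = pow(e, y, P)  # shared secret as computed by the server
    H = exchange_hash(V_C, V_S, I_C, I_S, K_S, e, f, K)
    return I_C, I_S, e, f, K, H, host_sign(H)


def client_accepts(I_C, I_S_seen_by_client, e, f, K, sig) -> bool:
    """Client recomputes H from ITS OWN view of the transcript and verifies the signature."""
    H = exchange_hash(V_C, V_S, I_C, I_S_seen_by_client, K_S, e, f, K)
    return host_verify(H, sig)


def demo():
    """Returns (verifies on the genuine transcript, verifies on a transcript whose
    negotiated algorithm list differs). Expected: (True, False)."""
    I_C, I_S, e, f, K, H, sig = run_kex(["diffie-hellman-group14-sha256", "ecdh-sha2-nistp256"])
    genuine = client_accepts(I_C, I_S, e, f, K, sig)
    # Same host key, same e/f/K, but a different algorithm preference in I_S:
    # H differs, so the signature produced for the first negotiation does not verify.
    _, I_S_other, *_ = run_kex(["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"])
    other = client_accepts(I_C, I_S_other, e, f, K, sig)
    return genuine, other


if __name__ == "__main__":
    print(demo())
```

Because I_C and I_S are hashed into H, the signed value already commits to which key-exchange and host-key algorithms were negotiated; a client that recomputes H from its own transcript will reject a signature made under any other negotiation. This is the binding that the paper's multi-ciphersuite composition framework exploits, and it is exactly what the TLS 1.2 ServerKeyExchange signature lacks, since that signature covers only the nonces and the ephemeral parameters rather than the negotiation itself.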


Tags: Secure Shell (SSH); multi-ciphersuite; cross-protocol security; key agility; authenticated and confidential channel establishment