IETF-SSH archive


SSH paper and a possible transport layer extension [was: aside on formal methods]



I found one paper discussing the security of SSH, weaknesses with the 
CBC encryption modes and proofs of security with CTR modes:
Bellare, M., Kohno, T. and Namprempre, C.
"Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet 
Protocol"

The attack presented in the paper against CBC mode encryption in SSH is, 
in my understanding, thwarted with inclusion of SSH_MSG_IGNORE packets as 
described in 11.1.1. An attacker has no knowledge of IV of the packets in 
which he can insert data, if the chapter is followed.


The paper raises a question about the length of the sequence number used
in conjunction with MACs and the possibility of using encrypt-then-MAC to 
check the authenticity of the ciphertext. Now, as far as I see, both of 
these limitations could be lifted by defining the size and the use of the 
sequence number and the order in which the MAC is applied as properties 
of the selected MAC algorithm (similar to the mode of operation for the 
ciphers). Backward compatibility with the current implementations could 
be maintained by careful selection of the initial counter values even 
when a MAC algorithm is changed during re-keying.

I don't want to delay the drafts for this, but if there's an interest on 
this in the WG, maybe we can come up with an extension draft.

Thoughts, anyone?

 - Heikki Nousiainen


Examples:

hmac-sha1

Initial sequence number is number-of-sent-packets modulo 2^32. Sequence 
number, 32 bit unsigned integer, is incremented for each packet and wraps 
around to zero after reaching 2^32-1. MAC is calculated as 
MAC = HMACsha1_K(sequence_number || unencrypted_packet)


hmac-sha2-64_bit_sequence-encrypt_then_authenticate

Initial sequence number is number-of-sent-packets modulo 2^32. Sequence 
number, 64 bit unsigned integer, is incremented for each packet and wraps 
around to zero after reaching 2^64-1. MAC is calculated as
MAC = HMACsha2_K(sequence_number || encrypted_packet)


On Thu, 15 May 2003, RJ Atkinson wrote:
> 
> 	Putting the practical questions of document editing aside
> for the moment, the length of the discussion on Security
> Considerations and the informal nature of that discussion
> are a bit troubling to me.  It makes one wonder whether the SSH
> spec really did get all the pieces right -- and, if it did,
> whether it did so by accident.
> 
> 	It would be pleasant and helpful if there were some more formal
> analysis of the SSH protocol performed -- and published.  The
> first step would probably be to try to come up with a formal
> specification of the protocol in some appropriate logic.
> 
> 	If there are any academic folks on this list, please consider
> whether such formal methods work might be a reasonable research topic
> to undertake.
> 
> IMHO,
> 
> Ran
> rja%extremenetworks.com@localhost
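The two MAC profiles sketched in the "Examples" section of the mail above, worked through in Python as an added illustration; this is not code from the mail, from the IETF drafts or from any SSH implementation. It assumes a toy SHA-256-based CTR keystream as a stand-in for the real cipher, fixed constructed keys, a big-endian encoding of the sequence number in front of the MACed data, and, following the mail's wording for both profiles, an initial counter of number-of-sent-packets modulo 2^32 even for the 64-bit profile, so that the low 32 bits stay aligned with a 32-bit counter across a re-key. The difference between the profiles is where the MAC is taken: over the plaintext (the receiver must decrypt before it can reject a forgery) or over the ciphertext (a forgery is rejected before the decryptor ever sees it).

```python
import hashlib
import hmac
import struct

# MAC profiles as named in the mail: (HMAC digest, sequence-number width in bits, encrypt-then-MAC?)
# The profile names are the mail's; the tuple layout is an assumption of this example.
PROFILES = {
    "hmac-sha1": (hashlib.sha1, 32, False),
    "hmac-sha2-64_bit_sequence-encrypt_then_authenticate": (hashlib.sha256, 64, True),
}


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy CTR-style keystream derived with SHA-256 (constructed stand-in, not an SSH cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", seq, block)).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Endpoint:
    """One direction of a connection: the sender calls send(), its peer calls receive()."""

    def __init__(self, profile: str, mac_key: bytes, enc_key: bytes, packets_already_sent: int = 0):
        self.digest, self.seq_bits, self.etm = PROFILES[profile]
        self.mac_key, self.enc_key = mac_key, enc_key
        self.seq_fmt = ">I" if self.seq_bits == 32 else ">Q"
        # Initial value: number-of-sent-packets modulo 2^32 for both profiles (the mail's wording),
        # so a 64-bit counter picked up at re-key agrees with the old 32-bit one in its low bits.
        self.seq = packets_already_sent % (1 << 32)

    def _mac(self, seq: int, data: bytes) -> bytes:
        # MAC = HMAC_K(sequence_number || data); the sequence number is a big-endian integer (assumed)
        return hmac.new(self.mac_key, struct.pack(self.seq_fmt, seq) + data, self.digest).digest()

    def _advance(self) -> int:
        seq = self.seq
        self.seq = (self.seq + 1) % (1 << self.seq_bits)  # wraps to zero after 2^bits - 1
        return seq

    def send(self, plaintext: bytes) -> tuple:
        seq = self._advance()
        ciphertext = xor(plaintext, keystream(self.enc_key, seq, len(plaintext)))
        # MAC-then-encrypt covers the plaintext, encrypt-then-MAC covers the ciphertext
        tag = self._mac(seq, ciphertext if self.etm else plaintext)
        return ciphertext, tag

    def receive(self, ciphertext: bytes, tag: bytes):
        """Returns the plaintext, or None when the MAC fails (SSH would then tear the connection down)."""
        seq = self._advance()
        if self.etm:
            # Encrypt-then-MAC: a forged or modified packet is rejected before decryption.
            if not hmac.compare_digest(tag, self._mac(seq, ciphertext)):
                return None
            return xor(ciphertext, keystream(self.enc_key, seq, len(ciphertext)))
        # MAC-then-encrypt: the receiver has to decrypt first, then check the tag.
        plaintext = xor(ciphertext, keystream(self.enc_key, seq, len(ciphertext)))
        if not hmac.compare_digest(tag, self._mac(seq, plaintext)):
            return None
        return plaintext


def roundtrip(profile: str, packets: list, flip_byte_in: int = None) -> list:
    """Send packets one way; optionally flip a bit in one ciphertext to show the MAC catching it."""
    mac_key, enc_key = b"constructed-mac-key", b"constructed-enc-key"  # constructed sample keys
    sender = Endpoint(profile, mac_key, enc_key)
    receiver = Endpoint(profile, mac_key, enc_key)
    results = []
    for i, pkt in enumerate(packets):
        ct, tag = sender.send(pkt)
        if i == flip_byte_in:
            ct = bytes([ct[0] ^ 0x01]) + ct[1:]
        results.append(receiver.receive(ct, tag))
    return results


if __name__ == "__main__":
    print(roundtrip("hmac-sha1", [b"ping", b"pong"]))
    print(roundtrip("hmac-sha2-64_bit_sequence-encrypt_then_authenticate", [b"ping", b"pong"], flip_byte_in=1))
```

The sequence number is bound into every tag, so replaying or reordering a packet fails the check in either profile; the counter width decides only how many packets can be sent under one key before the number repeats, which is the 2^32 limit the paper questions.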




