Choosing key sizes for cryptography
Information Security Tech. Report
On hiding a plaintext length by preencryption
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Cryptographic verification by typing for a sample protocol implementation
Foundations of security analysis and design VI
Composition theorems without pre-established session identifiers
Proceedings of the 18th ACM conference on Computer and communications security
Plaintext-Dependent decryption: a formal security treatment of SSH-CTR
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Authenticated-Encryption with padding: a formal security treatment
Cryptography and Security
Analysis of the initial and modified versions of the candidate 3GPP integrity algorithm 128-EIA3
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
Analysis of the SSH key exchange protocol
IMACC'11 Proceedings of the 13th IMA international conference on Cryptography and Coding
Security of symmetric encryption in the presence of ciphertext fragmentation
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Proceedings of the 5th ACM workshop on Security and artificial intelligence
StegoTorus: a camouflage proxy for the Tor anonymity system
Proceedings of the 2012 ACM conference on Computer and communications security
The security impact of a new cryptographic library
LATINCRYPT'12 Proceedings of the 2nd international conference on Cryptology and Information Security in Latin America
Protocol misidentification made easy with format-transforming encryption
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-14}$ and 32 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-18}$. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.