The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
A Concrete Security Treatment of Symmetric Encryption
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
ACM Transactions on Information and System Security (TISSEC)
Plaintext Recovery Attacks against SSH
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Plaintext-Dependent decryption: a formal security treatment of SSH-CTR
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
On the (in)security of IPsec in MAC-then-encrypt configurations
Proceedings of the 17th ACM conference on Computer and communications security
On hiding a plaintext length by preencryption
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Authenticated and misuse-resistant encryption of key-dependent data
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Plaintext-Dependent decryption: a formal security treatment of SSH-CTR
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Authenticated-Encryption with padding: a formal security treatment
Cryptography and Security
Analysis of the SSH key exchange protocol
IMACC'11 Proceedings of the 13th IMA international conference on Cryptography and Coding
Security of symmetric encryption in the presence of ciphertext fragmentation
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Provable security of S-BGP and other path vector protocols: model, analysis and extensions
Proceedings of the 2012 ACM conference on Computer and communications security
McOE: a family of almost foolproof on-line authenticated encryption schemes
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Hi-index | 0.00 |
This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions on the block cipher and MAC algorithms used to construct the SSH Binary Packet Protocol (BPP), we are able to show that the SSH BPP meets a strong and appropriate notion of security: indistinguishability under buffered, stateful chosen-ciphertext attacks. This result helps to bridge the gap between the existing security analysis of the SSH BPP by Bellare et al. and the recently discovered attacks against the SSH BPP by Albrecht et al. which partially invalidate that analysis.