A Surfeit of SSH Cipher Suites

Similar documents
Advanced security notions for the SSH secure channel: theory and practice

Authenticated Encryption and Secure Channels. Kenny Paterson Information Security ;

On Symmetric Encryption with Distinguishable Decryption Failures

1 Achieving IND-CPA security

Message authentication codes

TLS Security Where Do We Stand? Kenny Paterson

Authenticated Encryption in TLS

CSE 127: Computer Security Cryptography. Kirill Levchenko

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Information Security CS526

Plaintext-Recovery Attacks Against Datagram TLS

Introduction to Cryptography. Lecture 3

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Data Integrity & Authentication. Message Authentication Codes (MACs)

Cryptology complementary. Symmetric modes of operation

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Marc Fischlin, Giorgia Azzurra Marson, and Kenneth G.

Double-DES, Triple-DES & Modes of Operation

Authenticated Encryption

Introduction to Cryptography. Lecture 3

Feedback Week 4 - Problem Set

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Computer Security CS 526

Chapter 6 Contemporary Symmetric Ciphers

Findings for

Data Integrity & Authentication. Message Authentication Codes (MACs)

Scanned by CamScanner

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 9 Authenticated Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

: Practical Cryptographic Systems March 25, Midterm

History of message integrity techniques

Block Cipher Operation. CS 6313 Fall ASU

Permutation-based Authenticated Encryption

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Authenticated Encryption

Misuse-resistant crypto for JOSE/JWT

1 Defining Message authentication

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

symmetric cryptography s642 computer security adam everspaugh

Lecture 4: Authentication and Hashing

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

ISA 562: Information Security, Theory and Practice. Lecture 1

Secure Internet Communication

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Lecture 1 Applied Cryptography (Part 1)

Randomness Extractors. Secure Communication in Practice. Lecture 17

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Authenticated encryption

Storage encryption... what about data integrity?

Symmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Internet Protocol and Transmission Control Protocol

symmetric cryptography s642 computer security adam everspaugh

SSH Algorithms for Common Criteria Certification

(2½ hours) Total Marks: 75

Lecture 13 Page 1. Lecture 13 Page 3

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

CSCE 715: Network Systems Security

Block Cipher Modes of Operation

Block Cipher Modes of Operation

Cache Timing Attacks on estream Finalists

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

05 - WLAN Encryption and Data Integrity Protocols

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

Symmetric Cryptography

Stream Ciphers. Stream Ciphers 1

Symmetric-Key Cryptography

Lecture 12 Page 1. Lecture 12 Page 3

Symmetric Encryption Algorithms

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Pipelineable On-Line Encryption (POE)

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Network Security Essentials Chapter 2

P2_L6 Symmetric Encryption Page 1

The IPsec protocols. Overview

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Storage Encryption: A Cryptographer s View. Shai Halevi IBM Research

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Multiple forgery attacks against Message Authentication Codes

CS155. Cryptography Overview

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread

Summary on Crypto Primitives and Protocols

Content of this part

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Block ciphers, stream ciphers

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Recent Advances in IPv6 Security. Fernando Gont

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Chapter 3 Block Ciphers and the Data Encryption Standard

CPSC 467b: Cryptography and Computer Security

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Transcription:

A Surfeit of SSH Cipher Suites Jean Paul Degabriele Information Security Group www.isg.rhul.ac.uk/~psai074 Based in part on slides by Kenny Paterson

Outline of this talk Overview of SSH and related work The state of AE in SSH today A new attack on CBC-mode in OpenSSH Security analysis of new OpenSSH modes ChaChaPoly1305, getm, AES-GCM. 2

Overview of SSH and Related Work

SSH Binary Packet Protocol (RFC 4253) Sequence Number 4 Packet Length 4 Pad Len 1 Payload Padding 4 Encrypt PRF-MAC Ciphertext MAC tag Encode-then-E&M construction, stateful because of inclusion of 4-byte sequence number. 4 Packet length field measures the size of the packet: PadLen + Payload + Padding. Encrypted, so sequence of encrypted packets looks like a long string of random bytes. Encryption options in RFC 4253: CBC mode; RC4. AES-CTR defined in RFC 4344.

CBC mode in SSH P i-1 e K C i-1 C i-1 d K P i e K C i C i d K RFC 4253 mandates 3DES- CBC and recommends AES- CBC. SSH uses a chained IV in CBC mode: IV for current packet is the last ciphertext block from the previous packet. Effectively creates a single stream of data from multiple SSH packets. 5 P i-1 P i

SSH BPP Security Analysis [BKN02] Sequence Number 4 Packet Length 4 Pad Len 1 Payload Padding 4 Encrypt PRF-MAC Ciphertext MAC tag IV chaining attack: Chosen plaintext, distinguishing attack due to Rogaway, applied to SSH in [BKN02]. Not fully realistic for SSH because of format requirements on the first block of plaintext and because of chosen plaintext requirement. Construction with random IVs is IND-sfCCA+INT-sfCTXT secure [BKN02]. 6

SSH BPP Security Analysis [APW09] Sequence Number 4 Packet Length 4 Pad Len 1 Payload Padding 4 Encrypt PRF-MAC Ciphertext MAC tag How does decryption work? Recall: receiver gets a stream of bytes, and a single ciphertext can be fragmented over several TCP messages. 7

Breaking CBC mode in SSH [APW09] IV C i * Target ciphertext block from stream d K P 0 8 The receiver will treat the first 32 bits of the calculated plaintext block as the packet length field for the new packet. Here: P 0 = IV d K (C i *) where IV is known. Length field

Breaking CBC mode in SSH [APW09] IV C i * R R d K d K d K P 0 P 1 P 2 The attacker then feeds random blocks to the receiver One block at a time, waiting to see what happens at the server when each new block is processed This is possible because SSH runs over TCP and tries to do online processing of incoming blocks 9

Breaking CBC mode in SSH [APW09] IV C i * R R MAC tag d K d K d K P 0 P 1 P 2 10 Once enough data has arrived, the receiver will receive what it thinks is the MAC tag The MAC check will fail with overwhelming probability Consequently the connection is terminated (with an error message) How much data is enough so that the receiver decides to check the MAC? Answer: whatever is specified in the length field:

Breaking CBC mode in SSH [APW09] IV C i * C i-1 * C i * d K d K P 0 P i * Knowing IV and 32 bits of P 0, the attacker can now recover 32 bits of the target plaintext block P i* : P i * = C i-1 * d K (C i* ) = C i-1 * IV P 0 11

Further details Length checking RFC 4253 requires implementations to check that length field is reasonable. Details are implementation-specific. Back in 2009, the leading implementation was OpenSSH, then at version 5.1. According to SSH webpage, 80% of servers on the Internet were using OpenSSH around that time. 12

Further details Length checking in OpenSSH OpenSSH5.1 performs two length checks on the length field (LF) when decrypting the first ciphertext block: Check 1: 5 LF 2 18. Check 2: total length (4+LF) is a multiple of the block size: LF +4 mod BL = 0. Each check produces a different error message on the network, distinguishable by attacker. If both checks pass, then OpenSSH waits for more bytes, then performs MAC check, resulting in a third kind of error message. 13

Further details Length checking in OpenSSH Check 1 (5 LF 2 18 ) passes with probability approx. 2-14. If it passes, then with high probability, 14 MSBs of LF are 0. Pass/fail detectable via error message. Hence attack with success prob. 2-14 recovering 14 bits of confirmed plaintext. Check 2 (LF +4 mod BL = 0) passes with probability 1/BL, typically 2-3 or 2-4. If it passes, then some (3 or 4) LSBs of LF are revealed. Pass/fail detectable via error message/connection entering wait state. If wait state is entered, then the attack proceeds as before. Overall, the attack on OpenSSH5.1 recovers 32 bits of plaintext with prob. 2-18 (for BL= 16) and requires injection of at most 2 18 bytes of data. 14

Resolving an Apparent Contradiction The [APW09] attack works with random IVs too, breaking the scheme that was proven secure in [BKN02]! Model used for security proof in [BKN02] was inadequate. In particular it did not reflect the fragmented delivery of ciphertexts inherent in TCP/IP. IP Fragmentation was also exploited to attack MAC-then- Encrypt configurations of IPsec [DP10]. Fragmentation is troublesome for security it cannot be abstracted out during formal security analyses. 15

Modelling Ciphertext Fragmentation [PW10, BDPS12] A firsrt step was made in [PW10] to prove the security of SSH-CTR in OpenSSH. However their security definition is intertwined with the scheme (OpenSSH), which renders it inapplicable to other settings. In subsequent work [BDPS12], we provided a simpler and more general definition, IND-sfCFA, which extends the [BKN02] definition (IND-sfCCA). Note: ciphertext fragmentation is quite different from online encryption and is surprisingly subtle to formalise! 16

There s more to Ciphertext Fragmentation [BDPS12] Supporting ciphertext fragmentation can open up new security concerns. The SSH designers were concerned about traffic analysis hence their motivation to encrypt the length field. By itself it does not serve to hide the length of a packet but it is does hide ciphertext boundaries BH-sfCFA In combination with fragmentation boundary hiding can aid in mitigating traffic analysis. 17

There s more to Ciphertext Fragmentation [BDPS12] Some encoding is usually needed to reconstruct ciphertext fragments at the receiver end. This can be abused by an attacker to mount a certain type of Denial of Service attack (RFC). In fact this is the reason for limiting the value of the length field to 2 18 in OpenSSH, but in fact one can do better. We provided a formal definition, n-dos-sfcfa, and proposed a scheme, InterMAC, that meets all three notions. 18

The State of AE in SSH Today

Countermeasures to the [APW09] attack Abandon CBC-mode? Alternatives available at that time: CTR, RC4. Dropbear implemented CTR and relegated CBC mode in version 0.53. Develop new modes? Modes based on Generic EtM, AES-GCM, ChaCha20-Poly1305 were subsequently added to OpenSSH. Patch CBC-mode? OpenSSH5.2 also introduced a patch to stop the specific attack on CBC mode. 20

The OpenSSH 5.2 patch Basic idea: hide the errors from the adversary. If the length checks fail, do not send an error message, but wait until 2 18 bytes have arrived, then check the MAC. If the length checks pass, but the MAC check eventually fails, then wait until 2 18 bytes have arrived, then check the MAC. No error message is ever sent until 2 18 bytes of ciphertext have arrived. Can no longer count bytes to see how many are required to trigger MAC failure. 21

The state of AE in SSH today [ADHP16] We performed a measurement study of SSH deployment. We conducted two IPv4 address space scans in Nov/Dec 2015 and Jan 2016 using ZGrab/ZMap. Grabbing banners and SSH servers preferred ciphers. Actual cipher used in a given SSH connection depends on client and server preferences. Roughly 2 24 servers found in each scan. Nmap fingerprinting suggests mostly embedded routers, firewalls. 22

The state of AE in SSH today: SSH versions 23 Mostly OpenSSH and dropbear; others less than 5%.

The state of AEAD in SSH today: SSH versions 24 Dropbear at 56-58%. 886k older than version 0.53, so vulnerable to variant of 2009 CBCmode attack!

The state of AEAD in SSH today: SSH versions 25 OpenSSH at 37-39%. 130-166k older than version 5.2 and prefer CBC mode, so vulnerable to 2009 attack!

The state of AE in SSH today: preferred algorithms OpenSSH preferred algorithms 26 Lots of diversity, surprising amount of generic EtM (getm). CTR dominates, followed by CBC. ChaCha20-Poly1305 on the rise? (became default in OpenSSH 6.9). Small amount of GCM.

The state of AE in SSH today: preferred algorithms Dropbear preferred algorithms 27 Less diversity than OpenSSH. CTR dominates, followed at a long distance by CBC. No exotic options.

A New Attack on CBC mode in OpenSSH

The OpenSSH patch Version 5.2 + CBC mode preferred by roughly 20k OpenSSH servers. Recall the OpenSSH patch, in version 5.2 and up: If the length checks fail, do not send an error message, but wait until 2 18 bytes have arrived, then check the MAC. If the length checks pass, but the MAC check eventually fails, then wait until 2 18 bytes have arrived, then check the MAC. One MAC check is done if length checks fail: on 2 18 bytes. Two MAC checks are done if length checks pass: one on roughly LF bytes, the other on 2 18 bytes. 29

Attacking the OpenSSH patch [ADHP16] This leads to a timing attack on CBC mode in OpenSSH5.2 and up: 1. Inject target ciphertext block C i*. 2.Then send 2 18 bytes as quickly as possible to server. 3. Time the arrival of the MAC failure message. Fast arrival indicates that length checks failed and one MAC computation. Slow arrival indicates that the length checks passed and two MAC computations. This leaks 18 bits of information about the length field, and hence 18 bits about the target block. 30

Attacking the OpenSSH patch [ADHP16] Size of timing difference: A MAC computation on roughly 2 17 bytes (the expected value of LF). For HMAC-SHA1, this requires 2 11 hash compression function evaluations. cf. Lucky 13 timing difference: a single hash compression function! Remote attacker can easily detect difference. Success probability of the attack: Need to pass both length checks, so 2-18. Can increase success rate given partial plaintext knowledge in target block. 31 (Idea: wait for the right IV before mounting the attack; more severe attack for random, explicit IV version.)

Attacking the OpenSSH patch [ADHP16] Increase number of plaintext bits recovered by using finergrained timing information. Because the timing delay is proportional to the value of LF. If timing granularity = 1 compression function evaluation, then we can recover up to 30 bits of plaintext from target block. Challenging, but not impossible in co-resident attacker scenario. Countermeasure (7.3) to the attack: if MAC fails, then compute second MAC on 2 18 LF bytes instead of on all 2 18 bytes. Still leaves residual timing difference because of fine details of HMAC. Really need constant time implementation of decryption algorithm to eliminate this class of attack. 32

Security analysis of new OpenSSH modes getm, AES-GCM, ChaCha20Poly1305

Security analysis of other OpenSSH encryption modes We use and extend the framework of [BDPS12] to study getm, AES- GCM, and ChaCha20-Poly1305 in OpenSSH. getm and AES-GCM: Derived from AEAD schemes with AD = length field, now unencrypted. Hence sanity checking of length field cannot reveal anything useful to adversary. Issue in OpenSSH code for getm: because of shared path with legacy E&M code, the MAC is computed once the ciphertext has arrived but is not compared to received MAC until after decryption. Hence any errors arising during decryption step will be signalled to attacker but we found no direct way of exploiting it. Both (fixed) getm and AES-GCM are provably secure, IND-sfCFA+INTsfCTF 34

ChaCha20-Poly1305@OpenSSH.com SQN 4 Packet Length 4 Pad Len 1 Payload Padding 4 K 1 IV = SQN 0 64 ChaCha20 ChaCha20 K 2 IV = SQN 0 63 1 0 256 C 1 C 2 K 2 IV = SQN 0 63 0 ChaCha20 K poly Poly1305 MAC tag 35

Security analysis of ChaCha20-Poly1305 in OpenSSH ChaCha20-Poly1305 in OpenSSH: OpenSSH designers like the length field to be encrypted! A similar idea was already used in one of the constructions in [BDPS12] to achieve BH-CPA. Also IND-sfCFA +INT-sfCTF, ( but more complex analysis). Can be shown BH-CPA secure, but none of these are either BH-sfCFA or n-dos-sfcfa for n < 2 18. 36

The End Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback