Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR

  • Kenneth G. Paterson
  • Gaven J. Watson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6110)


This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions on the block cipher and MAC algorithms used to construct the SSH Binary Packet Protocol (BPP), we are able to show that the SSH BPP meets a strong and appropriate notion of security: indistinguishability under buffered, stateful chosen-ciphertext attacks. This result helps to bridge the gap between the existing security analysis of the SSH BPP by Bellare et al. and the recently discovered attacks against the SSH BPP by Albrecht et al. which partially invalidate that analysis.
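The object of the analysis is the SSH Binary Packet Protocol in counter mode, whose receiver must decrypt the first ciphertext block to learn the packet length before it can tell how much more ciphertext to buffer and MAC-check; this is the "buffered, stateful" behaviour that the security notion above is built around. The following is an added educational model of that receiver, not code from the paper or from OpenSSH. It follows the packet layout of RFC 4253 section 6, the per-block counter of RFC 4344 and the encode-then-encrypt-and-MAC composition, but, as an assumption for portability, stands in HMAC-SHA256 of the counter for the AES block-cipher call and uses HMAC-SHA256 as the MAC; key and IV values are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16           # cipher block size in bytes (AES-sized)
MAC_LEN = 32         # HMAC-SHA256 tag length
MAX_PACKET = 35000   # largest packet_length the receiver accepts (RFC 4253 s6.1 minimum)


def _keystream_block(key: bytes, counter: int) -> bytes:
    # Stand-in for E_K(counter) with a real block cipher (assumption for portability):
    # HMAC-SHA256 of the 128-bit big-endian counter, truncated to one block.
    return hmac.new(key, counter.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, counter: int, data: bytes):
    """XOR block-aligned data with the CTR keystream; return (output, next counter)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = _keystream_block(key, counter)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
        counter = (counter + 1) % (1 << (8 * BLOCK))   # RFC 4344: one increment per block, wrap mod 2^128
    return bytes(out), counter


def encode_packet(payload: bytes) -> bytes:
    """RFC 4253 s6 encoding: packet_length || padding_length || payload || random padding."""
    padding_length = BLOCK - ((4 + 1 + len(payload)) % BLOCK)
    if padding_length < 4:            # at least four bytes of padding
        padding_length += BLOCK
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + os.urandom(padding_length)


def _mac(mac_key: bytes, seqno: int, plaintext_packet: bytes) -> bytes:
    # Encode-then-encrypt-and-MAC: the tag covers the 32-bit sequence number and the plaintext packet.
    return hmac.new(mac_key, struct.pack(">I", seqno) + plaintext_packet, hashlib.sha256).digest()


class Sender:
    def __init__(self, enc_key: bytes, mac_key: bytes, iv: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.counter = int.from_bytes(iv, "big")
        self.seqno = 0

    def send(self, payload: bytes) -> bytes:
        pt = encode_packet(payload)
        tag = _mac(self.mac_key, self.seqno, pt)
        ct, self.counter = ctr_xor(self.enc_key, self.counter, pt)
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        return ct + tag


class Receiver:
    """Buffered, stateful decryption: the first block is decrypted as soon as it arrives to learn
    packet_length; nothing else happens until the whole packet and its tag are buffered."""

    def __init__(self, enc_key: bytes, mac_key: bytes, iv: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.counter = int.from_bytes(iv, "big")
        self.seqno = 0
        self.buf = bytearray()
        self.first_block = None   # decrypted first block of the packet in progress
        self.need = None          # total ciphertext+tag bytes needed for that packet
        self.failed = False       # once set, the channel is dead (SSH tears the connection down)

    def receive(self, data: bytes):
        """Feed ciphertext bytes (any chunking); return the payloads of packets completed so far."""
        if self.failed:
            raise ConnectionError("connection closed after earlier failure")
        self.buf += data
        payloads = []
        while True:
            if self.first_block is None:
                if len(self.buf) < BLOCK:
                    break                               # cannot even read the length yet
                self.first_block, self.counter = ctr_xor(self.enc_key, self.counter, bytes(self.buf[:BLOCK]))
                packet_length = struct.unpack(">I", self.first_block[:4])[0]
                # Length sanity checks (as OpenSSH does) before any further bytes are consumed.
                if packet_length < 5 or packet_length > MAX_PACKET or (4 + packet_length) % BLOCK:
                    self.failed = True
                    raise ConnectionError("bad packet length")
                self.need = 4 + packet_length + MAC_LEN
            if len(self.buf) < self.need:
                break                                   # wait for more ciphertext
            rest, self.counter = ctr_xor(self.enc_key, self.counter, bytes(self.buf[BLOCK:self.need - MAC_LEN]))
            pt = self.first_block + rest
            tag = bytes(self.buf[self.need - MAC_LEN:self.need])
            if not hmac.compare_digest(tag, _mac(self.mac_key, self.seqno, pt)):
                self.failed = True
                raise ConnectionError("MAC failure")
            padding_length = pt[4]
            payloads.append(pt[5:len(pt) - padding_length])
            del self.buf[:self.need]
            self.first_block, self.need = None, None
            self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        return payloads


if __name__ == "__main__":
    enc, mac, iv = b"e" * 32, b"m" * 32, bytes(16)   # constructed demo keys, not real SSH key material
    s, r = Sender(enc, mac, iv), Receiver(enc, mac, iv)
    wire = s.send(b"hello") + s.send(b"world!" * 10)
    print([p for i in range(len(wire)) for p in r.receive(wire[i:i + 1])])
```

The two points the model makes visible are the ones the security notion has to capture: the receiver's counter and sequence number advance as a side effect of partial decryption, so the decryption oracle is stateful, and a packet whose length field fails the sanity checks, or whose tag fails to verify, kills the channel rather than returning an error and continuing.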


SSH counter mode security proof 


  1. Albrecht, M.R., Paterson, K.G., Watson, G.J.: Plaintext recovery attacks against SSH. In: IEEE Symposium on Security and Privacy, pp. 16–26. IEEE Computer Society, Los Alamitos (2009)
  2. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 394–403. IEEE, Los Alamitos (1997)
  3. Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and Systems Security 7(2), 206–241 (2004)
  4. Bellare, M., Kohno, T., Namprempre, C.: The Secure Shell (SSH) Transport Layer Encryption Modes. RFC 4344 (January 2006)
  5. Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
  6. Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)
  7. CPNI Vulnerability Advisory: Plaintext recovery attack against SSH (November 14, 2008), revised November 17, 2008
  8. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
  9. Paterson, K.G., Watson, G.J.: Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR. Cryptology ePrint Archive, Report 2010/095 (2010)
  10.
  11. Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Protocol Architecture. RFC 4251 (January 2006)
  12. Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Authentication Protocol. RFC 4252 (January 2006)
  13. Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Transport Layer Protocol. RFC 4253 (January 2006)
  14. Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Connection Protocol. RFC 4254 (January 2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Kenneth G. Paterson (1)
  • Gaven J. Watson (1)
  1. Information Security Group, Royal Holloway, University of London, Egham, Surrey, U.K.