Distributed SSH Key Management with Proactive RSA Threshold Signatures

  • Yotam Harchol
  • Ittai Abraham
  • Benny Pinkas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)


SSH is a secure network protocol that uses public key cryptography for client authentication. SSH connections are designed to run between a client and a server, so in enterprise networks there is no centralized monitoring of all SSH connections. An attractive method for enforcing such centralized control, audit or even revocation is to require all clients to access a centralized service in order to obtain their SSH keys. The benefits of centralized control come with new challenges in security and availability.

In this paper we present ESKM, a distributed enterprise SSH key manager. ESKM is a secure and fault-tolerant, logically centralized SSH key manager. ESKM leverages k-out-of-n threshold security to provide a high level of security: SSH private keys are never stored at any single node, not even when they are used for signing. On a technical level, the system uses k-out-of-n threshold RSA signatures, combined with new methods that refresh the shares in order to achieve proactive security and prevent many side-channel attacks. In addition, we support password-based user authentication with security against offline dictionary attacks, which is achieved using threshold oblivious pseudo-random evaluation.

ESKM does not require modifications on the server side or to the SSH protocol. We implemented the ESKM system and a patch for OpenSSL libcrypto for client-side services. We show that the system is scalable and that the overhead in client connection setup time is marginal.
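The abstract describes the core mechanism without showing it: the RSA private exponent is split into shares so that any k of n nodes can produce a partial signature, the combined result verifies under the ordinary public key (so the SSH server needs no change), and the shares are periodically refreshed so that shares captured in one epoch are worthless in the next. The following is an added illustration of that idea and is not code from the paper or from ESKM; it uses Shoup's threshold RSA construction with a dealer-based, zero-constant-polynomial refresh in the style of Herzberg et al., not the paper's own refresh methods. The safe primes 1019 and 1187, the (k, n) = (3, 5) setting, the node indices and the messages are constructed for the example, and the full-domain hash is a toy.

```python
# Added example: Shoup-style k-out-of-n threshold RSA with proactive share refresh (toy parameters).
import hashlib
import math
import secrets

# Constructed parameters; a real deployment needs 2048-bit+ safe primes.
P_PRIME, Q_PRIME = 509, 593                    # p' and q'
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1        # 1019 and 1187, both safe primes
N = P * Q                                      # public RSA modulus
M = P_PRIME * Q_PRIME                          # dealer-only modulus for the shares
E = 65537                                      # public exponent: prime, > n, coprime to M
K, NUM_SHARES = 3, 5                           # any 3 of the 5 nodes can sign
DELTA = math.factorial(NUM_SHARES)             # Shoup's Delta = n!


def _is_prime(x):
    return x > 1 and all(x % f for f in range(2, math.isqrt(x) + 1))


def check_parameters():
    """One-time dealer sanity checks on the constructed parameters."""
    assert all(_is_prime(v) for v in (P_PRIME, Q_PRIME, P, Q, E))
    assert E > NUM_SHARES and math.gcd(E, M) == 1
    return True


def _eval_poly(coeffs, x):
    return sum(c * pow(x, j, M) for j, c in enumerate(coeffs)) % M


def deal_shares(k=K, n=NUM_SHARES):
    """Dealer: d = E^-1 mod M is the constant term of a random degree-(k-1)
    polynomial over Z_M; node i receives f(i). No node ever holds d itself."""
    coeffs = [pow(E, -1, M)] + [secrets.randbelow(M) for _ in range(k - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def refresh_shares(shares, k=K):
    """Proactive refresh: add a random polynomial g with g(0) = 0. The shared d is
    unchanged, but shares from different epochs no longer interpolate to it."""
    g = [0] + [secrets.randbelow(M) for _ in range(k - 1)]
    return {i: (s + _eval_poly(g, i)) % M for i, s in shares.items()}


def hash_to_group(message):
    """Toy full-domain hash into Z_N^*; the counter skips the rare x with gcd(x, N) != 1."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(message + ctr.to_bytes(4, "big")).digest(), "big") % N
        if x > 1 and math.gcd(x, N) == 1:
            return x
        ctr += 1


def partial_sign(x, share):
    """Node i returns x^(2*Delta*s_i) mod N and learns nothing about d."""
    return pow(x, 2 * DELTA * share, N)


def _lagrange_at_zero(i, subset):
    """Delta * l_i(0) for the Lagrange basis over `subset`; Delta = n! makes it an integer."""
    num, den = DELTA, 1
    for j in subset:
        if j != i:
            num *= -j
            den *= i - j
    assert num % den == 0
    return num // den


def _ext_gcd_coeffs(u, v):
    """Return (a, b) with a*u + b*v == 1 (u and v must be coprime)."""
    old_r, r, old_a, a, old_b, b = u, v, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r, old_a, a, old_b, b = r, old_r - q * r, a, old_a - q * a, b, old_b - q * b
    assert old_r == 1
    return old_a, old_b


def combine(x, partials):
    """Combiner (knows only N and E): turn >= k partial signatures into a plain RSA
    signature y with y^E == x mod N. Negative exponents rely on Python 3.8+ pow()."""
    subset = sorted(partials)
    w = 1
    for i in subset:
        w = w * pow(partials[i], 2 * _lagrange_at_zero(i, subset), N) % N
    e_prime = 4 * DELTA * DELTA               # by construction w^E == x^e_prime mod N
    a, b = _ext_gcd_coeffs(e_prime, E)       # a*e_prime + b*E == 1
    return pow(w, a, N) * pow(x, b, N) % N


def threshold_sign(message, shares):
    x = hash_to_group(message)
    return combine(x, {i: partial_sign(x, s) for i, s in shares.items()})


def verify(message, signature):
    """The SSH server side: an ordinary RSA check against (N, E), no threshold awareness."""
    return pow(signature, E, N) == hash_to_group(message)


def demo():
    check_parameters()
    shares = deal_shares()
    new_shares = refresh_shares(shares)
    msg = b"constructed: ssh-userauth publickey request for alice"
    sign = lambda src, idx: threshold_sign(msg, {i: src[i] for i in idx})
    return {
        "k_of_n_valid": verify(msg, sign(shares, (1, 3, 5))),
        "after_refresh_valid": verify(msg, sign(new_shares, (2, 4, 5))),
        "mixed_epochs_valid": verify(msg, threshold_sign(msg, {1: shares[1], 2: shares[2], 3: new_shares[3]})),
        "too_few_shares_valid": verify(msg, sign(shares, (1, 2))),
    }
```

`demo()` returns `True` for the first two entries and `False` for the last two: three nodes from one epoch sign, three nodes from the next epoch still sign the same key, but a share leaked before a refresh cannot be combined with shares from after it, and two nodes are never enough. The verifier is a plain `y^E == H(m) mod N` check, which is why the server side is untouched.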



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. UC Berkeley, Berkeley, USA
  2. VMware Research, Palo Alto, USA
  3. Bar-Ilan University, Ramat Gan, Israel
