Slide 1

Authenticated Encryption
Attacking non-atomic decryption
Online Cryptography Course, Dan Boneh

Slide 2
SSH Binary Packet Protocol

Decryption:
step 1: decrypt the packet length field only (!)
step 2: read as many bytes as the length field specifies
step 3: decrypt the remaining ciphertext blocks
step 4: check the MAC tag and send an error response if it is invalid

[Packet layout figure: seq. num. | packet len. | pad len. | payload | pad | MAC tag. CBC encryption (chained IV: the last ciphertext block of one packet is the IV of the next) covers packet len. through pad; the MAC is computed over the plaintext, seq. num. included.]

Slide 3
An attack on the enc. length field (simplified)

The attacker has one ciphertext block c = AES(k, m) and wants m.

[Figure: the attacker sends c to the server as the first AES block of a new packet, i.e. in the position whose plaintext carries the seq. num. and packet len. fields. The server decrypts that one AES block and obtains the "len" field.]

The attacker then sends bytes one at a time. When "len" bytes have been read, the server sends "MAC error". The number of bytes sent before the error reveals len, so the attacker learns the 32 bits of m that sit in the length-field position !!
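The attack on slide 3, as an added simulation in Python (this is not code from the course slides). A toy sha256-based Feistel permutation stands in for AES so the script runs offline; the packet layout, chained-IV CBC, encrypt-and-MAC and the receiver's four non-atomic steps follow slide 2. It also does the bookkeeping the "simplified" slide skips: with chained IVs the server decrypts the injected block against its current IV, so the attacker XORs the recovered length field with two known ciphertext blocks to get the victim's plaintext bytes. The victim traffic, the all-zero initial IV and the MAX_PACKET sanity limit are constructed assumptions; that limit is why the real attack only works on a fraction of connections, which demo() models by retrying over fresh keys.

```python
import hashlib
import hmac
import struct

BLOCK, MAC_LEN = 16, 32
# ASSUMPTION: the receiver rejects absurd lengths (RFC 4253 stacks handle ~35000 bytes); 2**20 keeps the search to ~4000 connections.
MAX_PACKET = 1 << 20

def xor(a, b):
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def enc_block(key, p):  # toy 4-round Feistel permutation on 16-byte blocks: stands in for AES, not a real cipher
    l, r = p[:8], p[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec_block(key, c):
    l, r = c[:8], c[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def mac(key, seq, plain):  # encrypt-and-MAC as on slide 2: tag over the plaintext packet, seq. num. in front
    return hmac.new(key, struct.pack(">I", seq) + plain, hashlib.sha256).digest()

class Endpoint:
    """One direction of an SSH-like channel: chained-IV CBC, encrypt-and-MAC, non-atomic receive."""
    def __init__(self, key):
        self.key, self.iv, self.seq = key, bytes(BLOCK), 0  # ASSUMPTION: all-zero initial IV
        self.buf, self.need = bytearray(), None

    def encrypt(self, payload):
        padlen = (BLOCK - (5 + len(payload)) % BLOCK - 4) % BLOCK + 4  # >= 4 bytes, block-aligned
        body = bytes([padlen]) + payload + bytes(padlen)  # pad len. | payload | zero pad (constructed)
        plain = struct.pack(">I", len(body)) + body       # packet len. in front, as on slide 2
        blocks = []
        for i in range(0, len(plain), BLOCK):
            self.iv = enc_block(self.key, xor(plain[i:i + BLOCK], self.iv))
            blocks.append(self.iv)
        self.seq += 1
        return b"".join(blocks) + mac(self.key, self.seq - 1, plain), plain

    def feed(self, data):
        """Returns None while waiting for more bytes, else 'OK', 'BAD_LENGTH' or 'MAC_ERROR'."""
        self.buf.extend(data)
        if self.need is None and len(self.buf) >= BLOCK:
            # step 1: decrypt only the first block and trust its unauthenticated length field
            first = xor(dec_block(self.key, bytes(self.buf[:BLOCK])), self.iv)
            length = struct.unpack(">I", first[:4])[0]
            if length > MAX_PACKET:
                return "BAD_LENGTH"
            self.need = 4 + length + MAC_LEN
        if self.need is None or len(self.buf) < self.need:
            return None  # step 2: keep reading until `length` bytes (plus the tag) have arrived
        ct, tag = bytes(self.buf[:self.need - MAC_LEN]), bytes(self.buf[self.need - MAC_LEN:self.need])
        parts, prev = [], self.iv  # step 3: decrypt the remaining full blocks
        for i in range(0, len(ct) - len(ct) % BLOCK, BLOCK):
            parts.append(xor(dec_block(self.key, ct[i:i + BLOCK]), prev))
            prev = ct[i:i + BLOCK]
        self.buf, self.need = self.buf[self.need:], None
        if not hmac.compare_digest(tag, mac(self.key, self.seq, b"".join(parts))):
            return "MAC_ERROR"  # step 4: the response the attacker counts bytes towards
        self.iv, self.seq = prev, self.seq + 1
        return "OK"

def recover_32_bits(receiver, blocks, target):
    """Attacker: inject blocks[target] as a new packet, feed junk byte by byte, count to the MAC error."""
    c, prev_now = blocks[target], blocks[-1]                     # prev_now: IV the server holds now
    prev_orig = blocks[target - 1] if target else bytes(BLOCK)  # IV that was chained into c originally
    res, sent = receiver.feed(c), BLOCK
    if res == "BAD_LENGTH":
        return None  # length check rejected this block; in real SSH the connection is gone
    while res is None:
        res, sent = receiver.feed(b"\x00"), sent + 1
    assert res == "MAC_ERROR"
    length = sent - 4 - MAC_LEN  # the server stopped exactly when `len` bytes had arrived
    # server read len = (D(c) ^ prev_now)[:4]; the victim's plaintext block was D(c) ^ prev_orig
    return xor(xor(struct.pack(">I", length), prev_now[:4]), prev_orig[:4])

def demo(max_connections=100000):
    """Attack fresh connections until a target block passes the length check; returns (got, true, n)."""
    for n in range(max_connections):
        key = hashlib.sha256(b"constructed key %d" % n).digest()
        sender, receiver = Endpoint(key), Endpoint(key)
        blocks, plains = [], []
        for msg in (b"ls -la\n", b"cat /etc/passwd\n", b"exit\n"):  # constructed victim traffic
            wire, plain = sender.encrypt(msg)
            assert receiver.feed(wire) == "OK"
            blocks += [wire[i:i + BLOCK] for i in range(0, len(wire) - MAC_LEN, BLOCK)]
            plains += [plain[i:i + BLOCK] for i in range(0, len(plain), BLOCK)]
        got = recover_32_bits(receiver, blocks, target=2)  # 2nd block of the "cat /etc/passwd" packet
        if got is not None:
            return got, plains[2][:4], n + 1
    raise RuntimeError("no target block passed the length check")
```

demo() returns the four recovered bytes (b"sswd" for the constructed traffic), the true bytes and the number of connections it took. On most connections the server answers BAD_LENGTH instead, which is itself a small leak about the decrypted length and, in a real implementation, a connection teardown; both responses exist only because the length field is acted on before it is authenticated.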
Slide 4

Lesson

The problem: (1) non-atomic decryption; (2) the len field is decrypted and used before it is authenticated.

How would you redesign SSH to resist this attack?
Send the length field unencrypted (but MAC-ed)
Replace encrypt-and-MAC by encrypt-then-MAC
Add a MAC of (seq-num, length) right after the len field
Remove the length field and identify the packet boundary by verifying the MAC after every received byte

Slide 5
Further reading

The Order of Encryption and Authentication for Protecting Communications, H. Krawczyk, Crypto 2001.
Authenticated-Encryption with Associated-Data, P. Rogaway, Proc. of CCS 2002.
Password Interception in a SSL/TLS Channel, B. Canvel, A. Hiltgen, S. Vaudenay, M. Vuagnoux, Crypto 2003.
Plaintext Recovery Attacks Against SSH, M. Albrecht, K. Paterson and G. Watson, IEEE S&P 2009.
Problem areas for the IP security protocols, S. Bellovin, Usenix Security 1996.

Slide 6
End of Segment