Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation (2312.12422v2)
Abstract: The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer within organizational networks and to over 15 million servers on the open internet. SSH uses an authenticated key exchange to establish a secure channel between a client and a server, which protects the confidentiality and integrity of messages sent in either direction. The secure channel prevents message manipulation, replay, insertion, deletion, and reordering. At the network level, SSH uses the Binary Packet Protocol over TCP. In this paper, we show that the SSH Binary Packet Protocol is no longer a secure channel: SSH channel integrity (INT-PST, aINT-PTXT, and INT-sfCTF) is broken for three widely used encryption modes. This allows prefix truncation attacks where encrypted packets at the beginning of the SSH channel can be deleted without the client or server noticing it. We demonstrate several real-world applications of this attack. We show that we can fully break SSH extension negotiation (RFC 8308), such that an attacker can downgrade the public key algorithms for user authentication or turn off a new countermeasure against keystroke timing attacks introduced in OpenSSH 9.5. Further, we identify an implementation flaw in AsyncSSH that, together with prefix truncation, allows an attacker to redirect the victim's login into a shell controlled by the attacker. We also performed an internet-wide scan and found that 71.6% of SSH servers support a vulnerable encryption mode, while 63.2% even list it as their preferred choice. We identify two root causes that enable these attacks: First, the SSH handshake supports optional messages that are not authenticated. Second, SSH does not reset message sequence numbers when activating encryption keys. Based on this analysis, we propose effective and backward-compatible changes to SSH that mitigate our attacks.
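A simplified model of the two root causes named in the abstract, added here as illustration (not code from the paper): the SSH MAC covers a per-direction sequence number that keeps counting across NEWKEYS, and handshake messages such as SSH_MSG_IGNORE are neither authenticated nor reset the counter, so inserting one before NEWKEYS and deleting one encrypted packet after it leaves the counters aligned and the MAC check passing. The `strict` flag models the mitigation that follows from the root causes (reject unexpected handshake messages, reset the counter when keys are activated); the key, payloads and message flow are constructed, and encryption itself is omitted since only integrity is at issue.

```python
import hmac, hashlib

MSG_IGNORE, MSG_EXT_INFO, MSG_NEWKEYS, MSG_DATA = 2, 7, 21, 94  # RFC 4250 / RFC 8308
MAC_KEY = b"constructed-mac-key"  # constructed stand-in for the kex-derived MAC key

def mac(seq, packet):
    # The SSH MAC covers uint32 sequence_number || packet (RFC 4253 section 6.4)
    return hmac.new(MAC_KEY, seq.to_bytes(4, "big") + packet, hashlib.sha256).digest()

def send(payloads, strict):
    """One direction of the channel: counter starts at 0, MAC applies only after NEWKEYS."""
    out, seq, keyed = [], 0, False
    for p in payloads:
        out.append((p, mac(seq, p) if keyed else None))
        seq += 1
        if p[0] == MSG_NEWKEYS:
            keyed, seq = True, (0 if strict else seq)  # fix for root cause 2: reset with the keys
    return out

def receive(packets, strict):
    """Returns accepted post-NEWKEYS payloads. Raises on a MAC mismatch or, in strict
    mode, on an optional unauthenticated message during the handshake (root cause 1)."""
    accepted, seq, keyed = [], 0, False
    for p, tag in packets:
        if keyed:
            if tag is None or not hmac.compare_digest(tag, mac(seq, p)):
                raise ValueError("MAC failure")
            accepted.append(p)
        elif strict and p[0] == MSG_IGNORE:
            raise ValueError("unexpected handshake message")
        seq += 1
        if p[0] == MSG_NEWKEYS:
            keyed, seq = True, (0 if strict else seq)
    return accepted

def prefix_truncation(packets):
    """The manipulation from the abstract: an unauthenticated IGNORE inserted before NEWKEYS
    and the first encrypted packet after NEWKEYS deleted, so the counters stay aligned."""
    i = next(k for k, (p, _) in enumerate(packets) if p[0] == MSG_NEWKEYS)
    return packets[:i] + [(bytes([MSG_IGNORE]), None)] + packets[i:i + 1] + packets[i + 2:]

def exchange(strict, manipulated):
    """Returns the message numbers the receiver accepted, or the error it raised."""
    flow = [bytes([MSG_NEWKEYS]), bytes([MSG_EXT_INFO]) + b"server-sig-algs",
            bytes([MSG_DATA]) + b"hello"]
    packets = prefix_truncation(send(flow, strict)) if manipulated else send(flow, strict)
    try:
        return [p[0] for p in receive(packets, strict)]
    except ValueError as e:
        return str(e)
```

Without `strict`, the manipulated run accepts only the channel data and the EXT_INFO message is lost silently; with `strict`, the inserted IGNORE is rejected, and even without it the counter reset would turn the deletion into a MAC failure on the next packet.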
- A surfeit of SSH cipher suites. In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 2016, pages 1480–1491. ACM Press, October 2016.
- Plaintext recovery attacks against SSH. In 2009 IEEE Symposium on Security and Privacy, pages 16–26. IEEE Computer Society Press, May 2009.
- SoK: Computer-aided cryptography. In 2021 IEEE Symposium on Security and Privacy, pages 777–795. IEEE Computer Society Press, May 2021.
- Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. In Vijayalakshmi Atluri, editor, ACM CCS 2002, pages 1–11. ACM Press, November 2002.
- Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Tatsuaki Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 531–545. Springer, Heidelberg, December 2000.
- Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. Journal of Cryptology, 21(4):469–491, October 2008.
- Multi-ciphersuite security of the Secure Shell (SSH) protocol. In Gail-Joon Ahn, Moti Yung, and Ninghui Li, editors, ACM CCS 2014, pages 369–381. ACM Press, November 2014.
- Transcript collision attacks: Breaking authentication in TLS, IKE and SSH. In NDSS 2016. The Internet Society, February 2016.
- Denis Bider. Extension Negotiation in the Secure Shell (SSH) Protocol. RFC 8308, March 2018.
- Automated security proofs with sequences of games. In Cynthia Dwork, editor, CRYPTO 2006, volume 4117 of LNCS, pages 537–554. Springer, Heidelberg, August 2006.
- From computationally-proved protocol specifications to implementations. In 2012 Seventh International Conference on Availability, Reliability and Security, pages 65–74, 2012.
- Analysis of key-exchange protocols and their use for building secure channels. In Birgit Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, pages 453–474. Springer, Heidelberg, May 2001.
- SAPIC+: protocol verifiers of the world, unite! In 31st USENIX Security Symposium (USENIX Security 22), pages 3935–3952, Boston, MA, August 2022. USENIX Association.
- Wei Dai. email to IETF mailing list. https://www.ietf.org/ietf-ftp/ietf-mail-archive/secsh/2002-02.mail, 2002. Accessed: 2023-10-11.
- A search engine backed by internet-wide scanning. In Indrajit Ray, Ninghui Li, and Christopher Kruegel, editors, ACM CCS 2015, pages 542–553. ACM Press, October 2015.
- ZMap: Fast internet-wide scanning and its security applications. In Samuel T. King, editor, USENIX Security 2013, pages 605–620. USENIX Association, August 2013.
- Data is a stream: Security of stream-based channels. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, pages 545–564. Springer, Heidelberg, August 2015.
- Cédric Fournet. email to IETF mailing list. https://mailarchive.ietf.org/arch/msg/tls/extoO9ETJLnEm3MRDTO23x70DFM, 2015. Accessed: 2023-10-16.
- Torben Brandt Hansen. Cryptographic Security of SSH Encryption Schemes. PhD thesis, University of London, 2020.
- Mining your ps and qs: Detection of widespread weak keys in network devices. In Tadayoshi Kohno, editor, USENIX Security 2012, pages 205–220. USENIX Association, August 2012.
- Kevin Igoe. Suite B Cryptographic Suites for Secure Shell (SSH). RFC 6239, May 2011.
- AES Galois Counter Mode for the Secure Shell Transport Layer Protocol. RFC 5647, August 2009.
- On the security of TLS-DHE in the standard model. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 273–293. Springer, Heidelberg, August 2012.
- On the security of the TLS protocol: A systematic analysis. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 429–448. Springer, Heidelberg, August 2013.
- Performance evaluations of cryptographic protocols verification tools dealing with algebraic properties. In Joaquin Garcia-Alfaro, Evangelos Kranakis, and Guillaume Bonfante, editors, Foundations and Practice of Security, pages 137–155, Cham, 2016. Springer International Publishing.
- ChaCha20 and Poly1305 based Cipher Suites for TLS. Internet-Draft draft-agl-tls-chacha20poly1305-04, Internet Engineering Task Force, November 2013. Work in Progress.
- ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS). RFC 7905, June 2016.
- Slime: State learning in the middle of everything for tool-assisted vulnerability detection. In Computer Security. ESORICS 2022 International Workshops, pages 686–704, Cham, 2023. Springer International Publishing.
- The Secure Shell (SSH) Protocol Assigned Numbers. RFC 4250, January 2006.
- The Secure Shell (SSH) Authentication Protocol. RFC 4252, January 2006.
- The Secure Shell (SSH) Connection Protocol. RFC 4254, January 2006.
- The Secure Shell (SSH) Protocol Architecture. RFC 4251, January 2006.
- The Secure Shell (SSH) Transport Layer Protocol. RFC 4253, January 2006.
- Damien Miller. This document describes the chacha20-poly1305@openssh.com authenticated encryption cipher supported by OpenSSH. https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?rev=1.5. Accessed: 2023-10-18.
- Damien Miller. SSH agent restriction. https://www.openssh.com/agent-restrict.html, 2022. Accessed: 2023-10-17.
- This documents OpenSSH's deviations and extensions to the published SSH protocol. https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=1.55. Accessed: 2024-02-18.
- The Secure Shell (SSH) Transport Layer Encryption Modes. RFC 4344, January 2006.
- Richard Ogier. OSPF Database Exchange Summary List Optimization. RFC 5243, May 2008.
- Tag size does matter: Attacks and proofs for the TLS record protocol. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT 2011, volume 7073 of LNCS, pages 372–389. Springer, Heidelberg, December 2011.
- Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 345–361. Springer, Heidelberg, May / June 2010.
- Kenny Paterson. Advanced security notions for the SSH secure channel: theory and practice. https://summerschool-croatia.cs.ru.nl/2017/slides/Advanced%20security%20notions%20for%20the%20SSH%20secure%20channel.pdf, 2017. Accessed: 2024-02-16.
- Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018.
- Phillip Rogaway. Authenticated-encryption with associated-data. In Vijayalakshmi Atluri, editor, ACM CCS 2002, pages 98–107. ACM Press, November 2002.
- Truncating TLS connections to violate beliefs in web applications. In 7th USENIX Workshop on Offensive Technologies (WOOT 13), Washington, D.C., August 2013. USENIX Association.
- Timing analysis of keystrokes and timing attacks on SSH. In Dan S. Wallach, editor, USENIX Security 2001. USENIX Association, August 2001.
- Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension. RFC 6520, February 2012.
- Stephen C. Williams. Analysis of the SSH key exchange protocol. In Liqun Chen, editor, 13th IMA International Conference on Cryptography and Coding, volume 7089 of LNCS, pages 356–374. Springer, Heidelberg, December 2011.