Abstract
Boldyreva et al. (Eurocrypt 2012) defined a fine-grained security model capturing ciphertext fragmentation attacks against symmetric encryption schemes. The model was extended by Albrecht et al. (CCS 2016) to include an integrity notion. The extended security model encompasses important security goals of SSH that go beyond confidentiality and integrity to include length hiding and denial-of-service resistance properties. Boldyreva et al. also defined and analysed the InterMAC scheme, while Albrecht et al. showed that InterMAC satisfies stronger security notions than all currently available SSH encryption schemes. In this work, we take the InterMAC scheme and make it fully ready for use in practice. This involves several steps. First, we modify the InterMAC scheme to support encryption of arbitrary length plaintexts and we replace the use of Encrypt-then-MAC in InterMAC with modern noncebased authenticated encryption. Second, we describe a reference implementation of the modified InterMAC scheme in the form of the library libInterMAC. We give a performance analysis of libInterMAC. Third, to test the practical performance of libInterMAC, we implement several InterMAC-based encryption schemes in OpenSSH and carry out a performance analysis for the use-case of file transfer using SCP. We measure the data throughput and the data overhead of using InterMAC-based schemes compared to existing schemes in OpenSSH. Our analysis shows that, for some network set-ups, using InterMAC-based schemes in OpenSSH only moderately affects performance whilst providing stronger security guarantees compared to existing schemes.
Highlights
Authenticated Encryption (AE) security has emerged as the standard security notion that a symmetric encryption scheme should satisfy to be considered for practical use
Our performance analysis shows that our InterMAC schemes do suffer from a nonnegligible ciphertext expansion, up to 30% for the measured InterMAC schemes, compared to native schemes, see Figures 3 and 4
Our definition of a nonce-based authenticated encryption scheme is inspired by Namprempre et al [NRS14]
Summary
Authenticated Encryption (AE) security has emerged as the standard security notion that a symmetric encryption scheme should satisfy to be considered for practical use. The setting of symmetric encryption schemes supporting ciphertext fragmentation was formulated and thoroughly analysed by Boldyreva et al [BDPS12], with the aim of formalising exactly what the security goals for the SSH BPP should be. They introduced confidentiality notions for this setting, IND-sfCFA, as well as two more advanced notions capturing the idea that an adversary should not be able to tell where the boundaries between distinct packets lie (“boundary hiding”, BH-CPA and BH-sfCFA for the passive and active settings, respectively) and the idea that an adversary should not be able to make a receiver “hang” in the middle of a decryption operation, consuming large amounts of data without outputting anything (“Denial-of-Service” security, DOS-sfCFA). We interpret this statement to mean that InterMAC demonstrates that all four security properties can be met in practice with low overhead and so would enhance security with no significant decrease in performance compared to existing schemes
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.