Abstract. We present a case study in the formal verification of an open source Java implementation of SSH. We discuss the security flaws we found and fixed by means of formal specification and verification – using the specification language JML and the program verification tool ESC/Java2 – and by more basic manual code inspection. Of more general interest is the methodology we propose to formalise security protocols such as SSH using finite state machines. This provides a precise but accessible formal specification, that is not only useful for formal verification, but also for development, testing, and for clarification of official specification in natural language. 1

The Internet’s architecture, designed in the days of large, stationary computers tended by technically savvy and accountable administrators, fails to meet the demands of the emerging ubiquitous computing era. Nontechnical users now routinely own multiple personal devices, many of them mobile, and need to share information securely among them using interactive, delay-sensitive applications. Unmanaged Internet Architecture (UIA) is a novel, incrementally deployable network architecture for modern personal devices, which reconsiders three architectural cornerstones: naming, routing, and transport. UIA augments the Internet’s global name system with a personal name system, enabling users to build personal administrative groups easily and intuitively, to establish secure bindings between his devices and with other users’ devices, and to name his devices and his friends

Abstract. This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions on the block cipher and MAC algorithms used to construct the SSH Binary Packet Protocol (BPP), we are able to show that the SSH BPP meets a strong and appropriate notion of security: indistinguishability under buffered, stateful chosen-ciphertext attacks. This result helps to bridge the gap between the existing security analysis of the SSH BPP by Bellare et al. and the recently discovered attacks against the SSH BPP by Albrecht et al. which partially invalidate that analysis.

perspective

User authentication in most systems is done by the principle: registration with unique user name and authentication by presenting or using a secret, e. g., a password or a private cryptographic key, respectively. To obtain a trustworthy method, combinations of hardware token with user certificates and keys secured by a PIN, a fingerprint or other biometrical characteristics have to be applied. In order to further increase consumer acceptance with respect to hardware tokens which have to be carried hardware tokens have to be provided with added values. This paper describes an approach which allows different applications to use one single common hardware token for authentication. All these applications use the same interface for authentication of the user to the different service providers. It is shown that this approach works with widely used standard software and plugins. Furthermore the paper addresses single sign-on. We show how to extend our approach so that hardware tokens can be used for authentication in different applications after the PIN is put in once during the login to the operating system. Finally, we dwell on special methods to protect vital information in the computer’s main storage against attacks. 1

Abstract. This document presents (semi-)formal specifications of the security protocol SSH, more specifically the transport layer protocol, and describe a source code review of OpenSSH, the leading implementation of SSH, using these specifications. Our specifications, in the form of finite state machines, are at a different level of abstraction that the typical formal descriptions used to study security protocols. Our motivation is to understand actual implementations of SSH, so we try to capture some of the details from the official (informal) specification that are irrelevant to the security of the abstract protocol, but which do complicate the implementation. Our specifications should be useful to anyone trying to understand or implement SSH. First versions of our specifications were developed for the formal verification of a Java implementation of SSH [17]. 1

Submitted as part of the requirements for the award of the MSc in