## Server Bug Fix: Why does Encrypt-Then-Sign not yield a CCA-secure public-key encryption scheme?

In symmetric cryptography, combining an IND-CPA secure symmetric encryption scheme with a secure MAC with the encrypt-then-MAC method yields a IND-CCA secure symmetric encryption scheme.

I am trying to understand why this does not hold in the asymmetric case. Suppose you have an IND-CPA secure public-key encryption scheme and a EUF-CMA (or sEUF-CMA) secure signature scheme. When you combine them via encrypt-then-sign the resulting scheme is not CCA-secure.

I know that there are some related questions on this site (e.g. this one or this one). So I understand that the problem is that, when Alice sends a message to Bob, Mallory can intercept it, remove the signatue, sign it again with her own signature and forward it to Bob. Bob then successfully verifies and decrypts the ciphertext and gets the message, thinking that it came from Mallory (since it has a valid signature from Mallory).

But why does this imply that it is not IND-CCA secure? How can an adversary use this property to win the IND-CCA security experiment?

My own thoughts up to now: I am not sure how the IND-CCA experiment in this case works. I would assume that all keys are fixed by the challenger and the adversary only gets the public encryption key and the public verifikation key. Is this assumption correct? Because in this case I do not see how the above attack by Mallory helps the adversary – since all the keys are fixed.

Appendix: How encrypt-then-sign works (or at least how I understood it works):

1. Suppose everyone has an encryption key pair and a signing key pair
2. To encrypt a message, you first take the public encryption key of the recipient and encrypt your message with it. Then you use your own secret signing key and sign the ciphertext.
3. Then you send the final ciphertext (consisting of the signature and the actual ciphertext) to a recipient.
4. The recipient decrypts the ciphertext, using his secret decryption key and the senders public verification key. First the signature is verified and then the ciphertext is decrypted.

I am not sure how the IND-CCA experiment in this case works.

Well, it doesn’t really. There are no verification keys designated as such in the CCA experiment and there is no designated sender in the definition of a public key encryption scheme at all.

So, the only way to communicate to the receiver who supposedly encrypted a ciphertext would be to put it in the ciphertext itself. However, the encryption process takes as input only the encryption key and the message. So where is the signing key going to come from?

The answer is: Either it needs to be an input, in which case what you have is no longer even syntactically an encryption scheme, or you could generate a fresh keypair every time you encrypt. But since those would not be bound to anything this would be useless.

How can an adversary use this property to win the IND-CCA security experiment?

Choose two arbitrary messages $$m_0neq m_1$$ and output them as a challenge. Receive the challenge ciphertext $$C^* = (c^*,sigma)$$ where $$sigma$$ is a signature on $$c^*$$ under some key which we will have to assume that the receipient magically knows.
Generate a new keypair, sign $$c^*$$ again, resulting in $$sigma’$$ and ask the challenger to decrypt $$C’=(c^*,sigma’)$$. Since $$sigma’$$ is valid, and therefore $$C’ neq C^*$$ is distributed identically to a ciphertext honestly generated by the attacker we will receive back $$m_b$$, thus breaking CCA security.

After doing some digging, I think it may just be a matter of IND-CCA3 (see the end of this answer and this paper) being meant instead of the, perhaps usually implied, IND-CCA2. In particular, the specific use of asymmetric cryptography for authentication of the sender may be the sticking point.

When talking about encrypt-then-MAC, the mechanism by which the symmetric key(s) have been exchanged may be assumed to inherently authenticate the sender as a part of the encrypt and MAC operations. This may be the case if a pre-shared key is used, or if a key is generated as a part of an authenticated Diffie-Hellman key exchange as in TLS.

However, inherent in your description of encrypt-then-sign is the expectation that hybrid encryption is being used, and that the authenticity is coming from the signature, not the use of the expected key. As such, the stakes have changed and a new notion of IND-CCA is relevant, one which specifically considers the authentication of the encrypted data. In turn, this re-signing by an adversary is effectively the creation of a new, valid ciphertext as far as IND-CCA3 is concerned.

I haven’t had much time to really digest the IND-CCA3 schema and try to break down how your second question (How can an adversary use this property to win the IND-CCA security experiment?) translates, since what I’ve described is in no way a proof, but hopefully this will at least lead you down the right path.

## Server Bug Fix: How do I make ssh fail rather than prompt for a password if the public-key authentication fails?

I’ve got a script that SSHes several servers using public key authentication. One of the servers has stopped letting the script log in due to a configuration issue, which means that the script gets stuck with a “Password:” prompt, which it obviously cannot answer, so it doesn’t even try the rest of the servers in the list.

Is there a way to tell the ssh client not to prompt for a password if key authentication fails, but instead to just report an error connecting and let my script carry on?

For OpenSSH there is BatchMode, which in addition to disabling password prompting, should disable querying for passphrase(s) for keys.

BatchMode

If set to “yes”, passphrase/password querying will be disabled.
This option is useful in scripts and other batch jobs where no
user is present to supply the password. The argument must be
“yes” or “no”. The default is “no”.

Sample usage:

``````ssh -oBatchMode=yes -l <user> <host> <dostuff>
``````

• To disable password authentication for the current ssh connection attempt, pass this option on the command line:

``````-o PasswordAuthentication=no
``````
• To disable password authentication for all future connections to any host add the following to your `~/.ssh/config`:

``````PasswordAuthentication no
``````
• To disable it for just some hosts, add the following to ~/.ssh/config:

``````Host host1 host2 host3...
``````

The options above apply to out-going ssh connections, i.e. where you’re trying to connect to a remote ssh server.

To disable password authentication on an ssh server (i.e. applies to all incoming ssh connections), add `PasswordAuthentication no` to `/etc/ssh/sshd_config` and restart `sshd`.

If you are using dropbear, just add the “`-s`” option to disable password authentication.

On the command line (or `~/.ssh/config`) you can set `PreferredAuthentications`.

``````PreferredAuthentications=publickey
``````

Here is a sample sftp bash script snippet. I am using “-o BatchMode=Yes” to disable the password prompt in case of failure. And check the frp return code to check if the ftp connection failed.

``````sftp -o "IdentityFile=<YOUR_IDENTTIY_FILE>"  -o "BatchMode=Yes" [email protected] <<EOF

cd /\$remotepath

quit
EOF
exit_code=\$?
if [[ \$exit_code != 0 ]]; then
echo "sftp error, failed to connect to ftp server" >&2
exit 1
fi
``````

Tagged : / /

## Making Game: Error ‘Permission denied (publickey,password)’

I am trying to connect to a local IP address via SSH from the terminal. The command is

``````ssh -v [email protected]
``````

But it is not connecting. It keeps giving me the error

I have been searching for ages and just can’t find what the issue is. I can connect using the same method via PuTTY on windows and can connect via FileZilla

Full output:

``````OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
debug1: Connection established.
debug1: identity file /Users/[UserName]/.ssh/id_rsa type 1
debug1: identity file /Users/UserName/.ssh/id_rsa-cert type -1
debug1: identity file /Users/UserName/.ssh/id_dsa type -1
debug1: identity file /Users/UserName/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: Server host key: [Server Host Key]
debug1: Host '192.168.0.2' is known and matches the RSA host key.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/[UserName]/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
``````

Try to add the key again.

First set `PasswordAuthentication yes` in file sshd_config at the destination machine, and then do `ssh-copy-id [email protected]`, log in, and then it will copy the key over.

Now you can set `PasswordAuthentication no` (if you want, for extra security), and you should be able to log in automatically.

You could also use your curiosity and check if id_rsa.pub from the source machine is in the authorized_keys file on the destination machine.

It might be different because it looks like you are connecting to `localhost` or something (`192.168.0.2` or is that just for the question?).

What often solves things like this is to edit the `~/.ssh/known_hosts` file and delete the entry for the domain you are connecting to, it will re-prompt you for ssh credentials and avoid problems caused by incorrect “expectations”.

First run `cat \$HOME/.ssh/id_rsa.pub` on your computer. That will get you a key. Save this key somewhere.

Then open this file by running `vim \$HOME/.ssh/authorized_keys` on the computer that you’re are ssh’ing to. Then copy the key in a new line of this file and close it by typing `:wq`.

You are all set.

Tagged : / / / /

## Linux HowTo: Error ‘Permission denied (publickey,password)’

I am trying to connect to a local IP address via SSH from the terminal. The command is

``````ssh -v [email protected]
``````

But it is not connecting. It keeps giving me the error

I have been searching for ages and just can’t find what the issue is. I can connect using the same method via PuTTY on windows and can connect via FileZilla

Full output:

``````OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
debug1: Connection established.
debug1: identity file /Users/[UserName]/.ssh/id_rsa type 1
debug1: identity file /Users/UserName/.ssh/id_rsa-cert type -1
debug1: identity file /Users/UserName/.ssh/id_dsa type -1
debug1: identity file /Users/UserName/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: Server host key: [Server Host Key]
debug1: Host '192.168.0.2' is known and matches the RSA host key.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/[UserName]/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
``````

Try to add the key again.

First set `PasswordAuthentication yes` in file sshd_config at the destination machine, and then do `ssh-copy-id [email protected]`, log in, and then it will copy the key over.

Now you can set `PasswordAuthentication no` (if you want, for extra security), and you should be able to log in automatically.

You could also use your curiosity and check if id_rsa.pub from the source machine is in the authorized_keys file on the destination machine.

It might be different because it looks like you are connecting to `localhost` or something (`192.168.0.2` or is that just for the question?).

What often solves things like this is to edit the `~/.ssh/known_hosts` file and delete the entry for the domain you are connecting to, it will re-prompt you for ssh credentials and avoid problems caused by incorrect “expectations”.

First run `cat \$HOME/.ssh/id_rsa.pub` on your computer. That will get you a key. Save this key somewhere.

Then open this file by running `vim \$HOME/.ssh/authorized_keys` on the computer that you’re are ssh’ing to. Then copy the key in a new line of this file and close it by typing `:wq`.

You are all set.

Tagged : / / / /

## Server Bug Fix: Can I still use insecure curves/ciphers for time relevant encryption?

Can Ciphers that are known to be insecure because their keysize is considered too small still be used in appliances that have a tight decryption timeframe?
In particular I am looking at ECC2K-130.

ecc-challenge.info states, that they need 2466 PlayStation 3’s to carry out the required 2^60.9 iterations per year.

Let’s assume I need to encrypt data only for one minute, after that time the data is useless.
Couldn’t I still use ECC2K-130 as it would require 525600 times more PlayStations to crack it in a single minute instead of a year?

Or do I have a misunderstanding in the way this works?

Let’s assume I need to encrypt data only for one minute, after that time the data is useless. Couldn’t I still use ECC2K-130 as it would require 525600 times more PlayStations to crack it in a single minute instead of a year?

## !!! NO !!!

Decryption by an unauthorized party could occur within a fraction of a second following the release of the ciphertext.

In ECC encryption (and more generally public-key encryption), the appropriate start time for the attack interval is

1. NOT the release of the ciphertext to adversaries
2. NOT the encryption time (even if there’s a side channel¹)
3. is the release of the public key used for encryption to adversaries²
4. could be the generation of the public/private key, if there’s a side channel¹.

At issue is that attackers can start working long before the encryption occurs or the data to encrypt even exists. They can start as soon as they get the public key (or, in 4, side channel data). That’s when time of attack starts ticking. It is reset only by a key change.

In the question, the entity making the encryption uses the public key, thus is not the one who generated the keypair. The question suggests that the time considered is from encryption to when knowing the data becomes dull, which would be 2 in the above.

¹ In side-channel attacks, adversaries get information beyond the ciphertext in often unexpected ways, like timing of encryption, electromagnetic or acoustic emissions, leakage from a CPU process to another.

² In symmetric cryptography, that would be when the first ciphertext is obtained by adversaries.

I would go further than fgrieu and say that in general you should not use (significantly) weakened cryptographic primitives for only time sensitive crypto, regardless of the time window.

Why?

Because there is nothing that guarantees hardness of any crypto. Mathematically the status quo is that we are generally have nothing more than ‘a bunch of smart and knowledgeable people have tried to break it using various methods and were unsuccessful’ to label something as ‘secure’.

That is, there is (almost entirely) no ‘well at least it’s this secure’ in crypto. It’s always ‘we’ve only broken it so far’. There is no floor of minimum security provided.

Knowing that, I would be really skeptical of any method where our very shallow guarantee of ‘we’ve tried to break it and failed’ has already degraded to ‘we’ve tried to break it and the cracks are showing’. A complete break could be around the corner tomorrow.

Tagged : / /

## Server Bug Fix: the same ssh rsa key does not work in Ubuntu(WSL) while from RHEL7 it works

I’m trying connect from Ubuntu(WLS) to RHEL7 server using ssh RSA key.
And it does not work, while the same key when used from another RHEL7 host works.

• I checked all file permissions
• There is no “from clause” in authorized keys on the other side
• I explicitly use -i option for ssh

From Ubuntu:

``````Ubuntu\$ md5sum .ssh/id_rsa
986428c7e5882c26c9ba2b9ca403fbe3  .ssh/id_rsa

Ubuntu\$ ssh -l "ansible_install" -i ~/.ssh/id_rsa -vvv -p 6000 rhel7-target

sshd debug:
debug1: userauth-request for user ansible_install service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug1: temporarily_use_uid: 4001/4001 (e=0/0)
debug1: trying public key file /home/ansible_install/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x55cc1cfca760 is not allowed
Failed publickey for ansible_install from 2.252.221.223 port 53431 ssh2: RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo

ssh debug:
debug1: identity file /home/ivabrezi/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
... (this is non-sense, the file is there)
debug2: key: /home/ivabrezi/.ssh/id_rsa (0x7fffe1905f90), explicit
debug3: send packet: type 5
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug3: send packet: type 50
debug3: input_userauth_banner

WARNING:
...

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: authmethod_lookup gssapi-keyex
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
...
debug1: Next authentication method: gssapi-with-mic
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo /home/ivabrezi/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
``````

The same from RHEL:

``````# md5sum ~/.ssh/id_rsa
986428c7e5882c26c9ba2b9ca403fbe3  /root/.ssh/id_rsa

# ssh -l "ansible_install" -i ~/.ssh/id_rsa  rhel7-target

sshd debug
debug1: userauth-request for user ansible_install service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug1: temporarily_use_uid: 4001/4001 (e=0/0)
debug1: trying public key file /home/ansible_install/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/ansible_install/.ssh/authorized_keys, line 1 RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x5607a9495770 is allowed

ssh debug:
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s
debug3: sign_and_send_pubkey: RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s
debug3: send packet: type 50
debug1: Authentication succeeded (publickey).
``````

Is it possible Ubuntu does something secure with their ssh, so it no more can connect to RHEL?
Something like that I saw more than 20 years ago on AIX(but that was caused by a bug in gcc).

Your post says you are using the same key, but the logs indicate that you’ve used two different keys for each connection attempt.

The successful key from yuor RHEL client has, according to the logs, `RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s`. While the failing key from your Ubuntu WSL client has, according to the logs, `RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo`. As you can see, you are not actually using the same key.

Of course, you shouldn’t be sharing the same key between systems anyway, but using different keys, both of which are authorized in the server’s `authorized_keys` file.

## Linux HowTo: How can I export public key in PEM format with GnuPG?

I’m writing SW that uses opessl library for verifying DSA signatures. I have public keys from senders in gpg format. How can I convert those into .pem so that openssl can read them?

I found this from another thread:

``````gpgsm -o secret-key.p12 --export-secret-key-p12 0xXXXXXXXX
``````

To do the export I need to have the keys in gpgsm keyring don’t I? I just can’t figure out how to import my keys into the keyring gpgsm is using. I end up with errors:

``````gpgsm --import public.asc
gpgsm: total number processed: 0
gpgsm: error importing certificate: End of file
``````

Can `gpgsm` somehow use gpg:s keyring and do the export from there?

Your export command is correct but as you suppose, the `gpgsm`‘s keyring is empty. You can check that with:

``````gpgsm --list-keys
``````

The output will be nothing.

For your last question: Nope. `gpg` and `gpgsm` use different databases. More info is here. You have to create or obtain an OpenSSL key/cert pair and import it (in PKCS#12 format) into gpgsm keyring (usually `~/.gnupg/pubring.kbx`) so the import command must be:

``````gpgsm --import mycert.p12
``````

You can export the keys from one system, convert them and import to another one, but the so-called conversion just supplies the metainfo (in most cases) and a brand new cert/key is being created with that metainfo. You can look here for conversion examples.

Tagged : / /

## Making Game: How can I export public key in PEM format with GnuPG?

I’m writing SW that uses opessl library for verifying DSA signatures. I have public keys from senders in gpg format. How can I convert those into .pem so that openssl can read them?

I found this from another thread:

``````gpgsm -o secret-key.p12 --export-secret-key-p12 0xXXXXXXXX
``````

To do the export I need to have the keys in gpgsm keyring don’t I? I just can’t figure out how to import my keys into the keyring gpgsm is using. I end up with errors:

``````gpgsm --import public.asc
gpgsm: total number processed: 0
gpgsm: error importing certificate: End of file
``````

Can `gpgsm` somehow use gpg:s keyring and do the export from there?

Your export command is correct but as you suppose, the `gpgsm`‘s keyring is empty. You can check that with:

``````gpgsm --list-keys
``````

The output will be nothing.

For your last question: Nope. `gpg` and `gpgsm` use different databases. More info is here. You have to create or obtain an OpenSSL key/cert pair and import it (in PKCS#12 format) into gpgsm keyring (usually `~/.gnupg/pubring.kbx`) so the import command must be:

``````gpgsm --import mycert.p12
``````

You can export the keys from one system, convert them and import to another one, but the so-called conversion just supplies the metainfo (in most cases) and a brand new cert/key is being created with that metainfo. You can look here for conversion examples.

Tagged : / /

## Server Bug Fix: SSH configuration, publickeys, Permission denied (publickey,password). error

Commands:

``````client\$ mkdir ~/.ssh
client\$ chmod 700 ~/.ssh
client\$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): [empty]
client\$ chmod go-w ~/
client\$ chmod 700 ~/.ssh
client\$ chmod go-rwx ~/.ssh/*
client\$ scp ~/.ssh/id_rsa.pub [email protected]:~
server\$ mkdir ~/.ssh
server\$ chmod 700 ~/.ssh
server\$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
server\$ chmod 600 ~/.ssh/authorized_keys
server\$ rm ~/id_rsa.pub
client\$ ssh -o PreferredAuthentications=publickey server.domain.ltd
``````

and…

`Permission denied (publickey,password)`.

Debug output(with -v):

``````XX-XX-XXX-XXX:~ lorddaedra\$ ssh -o PreferredAuthentications=publickey server.domain.ltd -v
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Connecting to server.domain.ltd [XXX.XX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /Users/lorddaedra/.ssh/identity type -1
debug1: identity file /Users/lorddaedra/.ssh/id_rsa type 1
debug1: identity file /Users/lorddaedra/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu5
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: Host 'server.domain.ltd' is known and matches the RSA host key.
debug1: Found key in /Users/lorddaedra/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/lorddaedra/.ssh/identity
debug1: Offering public key: /Users/lorddaedra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/lorddaedra/.ssh/id_dsa
debug1: No more authentication methods to try.
``````

So my question is where is my error and how to fix it? Thank you!

P.S.

``````server\$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PAM authentication via ChallengeResponseAuthentication may bypass
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no
AllowUsers lorddaedra
``````

P.P.S.

``````server\$ cat /var/log/auth.log

Feb  3 19:15:38 electra sudo: lorddaedra : TTY=pts/0 ; PWD=/home/lorddaedra ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Feb  3 19:16:01 electra CRON[19081]: pam_unix(cron:session): session opened for user lorddaedra by (uid=0)
Feb  3 19:16:01 electra CRON[19080]: pam_unix(cron:session): session opened for user lorddaedra by (uid=0)
Feb  3 19:16:02 electra CRON[19080]: pam_unix(cron:session): session closed for user lorddaedra
Feb  3 19:16:02 electra sshd[19088]: Authentication refused: bad ownership or modes for directory /home/lorddaedra
Feb  3 19:16:02 electra sshd[19088]: Authentication refused: bad ownership or modes for directory /home/lorddaedra
Feb  3 19:16:06 electra CRON[19081]: pam_unix(cron:session): session closed for user lorddaedra
Feb  3 19:16:07 electra sudo: lorddaedra : TTY=pts/0 ; PWD=/home/lorddaedra ; USER=root ; COMMAND=/bin/cat /var/log/auth.log

client\$ ls -al /Users/lorddaedra/.ssh
total 40
drwx------    6 lorddaedra  staff   204  3 фев 01:54 .
drwxr-xr-x+ 183 lorddaedra  staff  6222 31 янв 11:37 ..
[email protected]   1 lorddaedra  staff  6148 21 ноя  2008 .DS_Store
-rw-------    1 lorddaedra  staff  1675  3 фев 01:53 id_rsa
-rw-------    1 lorddaedra  staff   427  3 фев 01:53 id_rsa.pub
-rw-r--r--    1 lorddaedra  staff   414  3 фев 01:54 known_hosts

server\$ ls -al /home/lorddaedra/.ssh
итого 12
drwx------  2 lorddaedra lorddaedra 4096 2011-02-03 01:55 .
drwxrwxr-x 13 lorddaedra lorddaedra 4096 2011-02-03 01:55 ..
-rw-------  1 lorddaedra lorddaedra  427 2011-02-03 01:55 authorized_keys
``````

Command

``````sudo chmod -c g-w /home/lorddaedra
``````

fixed my problem. So need change 775 to 755 on user home directory. If anyone know reason why 775 is bad please comment..

In my case, I found that SELinux is the problem.

``````\$ less /var/log/messages
Apr 20 00:16:12 vb-fc14-0 setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages. run sealert -l 174e87e8-bec5-4ae6-840c-44994ad5e2b3

SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.
``````

Plugin sshd_root (91.4 confidence) suggests:

If you want to allow sshd to have read access on the authorized_keys file
Then you must fix the labels. Do: `/sbin/restorecon -Rv /root/.ssh`

Plugin catchall (9.59 confidence) suggests:

If you believe that sshd should be allowed read access on the authorized_keys file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:

`\$ grep sshd /var/log/audit/audit.log | audit2allow -M mypol`
`\$ semodule -i mypol.pp`

The `.ssh` directory shouldn’t be group writable. The command

``````chmod g-w \$HOME/.ssh
``````

solved my problem.

I just go to `/etc/ssh/sshd_config` file and edited `PasswordAuthentication` value to be `yes`, in my case it was set to be `no`

That solved the problem for me.

Tagged : / / /

## Server Bug Fix: Does Cramer-Shoup allow re-randomization?

Is it possible to re-randomize a ciphertext with the Cramer-Shoup System? I have some Cramer-Shoup ciphertexts and i want to re-randomize them, so they look different and are unlinkable to there previous form, but still can be decrypted with the original secret-key. Is this possible?

And if it is, would it still be possible using the Camenisch-Shoup System, which calculates a Proof, so someone knows that the “real original value” is encrypted, without decrypting the ciphertext?
I hope this is written clear enough
Thank you.

Answering only your first question: no, that’s not possible. Essentially, if it was possible to randomize the ciphertext of Cramer-Shoup, then it wouldn’t be IND-CCA2 secure. However it is IND-CCA2 secure, so it cannot be re-randomizable.

@hakoja correctly points out that what you are asking for is not compatible with CCA security (the security property that Cramer-Shoup satisfies). More specifically, you seem to be looking for a rerandomizable, RCCA-secure encryption scheme. These two properties mean:

• Rerandomizable: Given an encryption of an unknown $$m$$, there is a way to generate fresh samples from $$textsf{Enc}(k,m)$$.

• Replayable CCA (RCCA): The scheme is non-malleable except for the possibility of modifying a ciphertext $$c$$ into another ciphertext $$c’$$ where $$textsf{Dec}(k,c) = textsf{Dec}(k,c’)$$. Basically, the scheme is malleable only in ways that preserve the plaintext; otherwise it is non-malleable.

Rerandomizable RCCA means that the randomization feature is the “only malleability” of the scheme. These are not too hard to achieve together, but they become non-trivial when you include another requirement:

• Unlinkability: Given $$c = textsf{Enc}(k,m)$$ for an unknown $$m$$, it is hard to tell whether some other $$c’$$ is an independent encryption of $$m$$ or a rerandomization of $$c$$. In order to make sense, this property should hold even in the presence of chosen-ciphertext attacks (i.e., against attackers that have access to the decryption function), which makes it difficult. It often means that the rerandomization procedure must refresh all the randomness in a ciphertext.

In the paper below, we were the first to construct a rerandomizable RCCA scheme:

Prabhakaran & Rosulek: Rerandomizable RCCA Encryption, CRYPTO 2007

The scheme is about 5-6x more expensive than Cramer-Shoup, and it relies on DDH holding in some groups with related order. There is a later followup work that gives different constructions of rerandomizable RCCA from pairing-based groups:

Chase, Kohlweis, Lysyanskaya, Meikeljohn: Malleable Proof Systems and Applications. Eurocrypt 2012.

Tagged : /