Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Practical Privacy-Preserving Authentication for SSH

August 24, 2022


Mike Rosulek - Oregon State University



Public-key authentication in SSH reveals more information about the participants' keys than is necessary. (1) The server can learn a client's entire set of public keys, even keys generated for other servers. (2) The server learns exactly which key the client uses to authenticate, and can further prove this fact to a third party. (3) A client can learn whether the server recognizes public keys belonging to other users. Each of these problems lead to tangible privacy violations for SSH users.

In this talk I will describe a new public-key authentication method for SSH that reveals essentially the minimum possible amount of information to both the client and server. It supports existing SSH keypairs of all standard flavors. This is joint work with Lawrence Roy, Stanislav Lyakhov, and Yeongjin Jang, which appeared at USENIX Security 2022.

Suggested reading:

Presented at

Crypto Reading Club talk on 2022-Aug-24

Parent Project

See: Crypto Reading Club

Related Topics

Security and Privacy: cryptography

Created August 18, 2022, Updated March 22, 2023