3

OpenSSH will (especially in older versions) use AES-CTR plus a MAC in encrypt-and-MAC. This is not secure in general (meaning that there exist secure ciphers and secure MACs such that using them in encrypt-and-MAC is insecure).

However, as I understand it AES-CTR + MAC as used in SSH is secure, at least for the MAC choices actually in use, because:

  1. The MACs used (HMAC and UMAC/VMAC + encrypt the MAC tag) are privacy-preserving: the MAC tag does not leak any information about the plaintext, at least for one who does not know the MAC key. In the case of HMAC, I believe that this follows from HMAC being a strong PRF; in the case of UMAC/VMAC, the security of the MAC depends entirely on encrypting the MAC before transmission, and the encryption of the MAC also ensures that no information about the plaintext is leaked.

  2. No encoding is done between encryption and authentication. The data that is encrypted and the data that is authenticated are one and the same.

  3. The cipher in question uses CTR mode – in other words, it is a stream cipher. Thus, any change to the ciphertext will cause a 1-to-1 change in the plaintext – integrity of plaintext thus implies integrity of ciphertexts.

My conclusion is that these cipher suites are actually secure, due to the specifics of the protocol.

Is my reasoning correct? More importantly, is my conclusion correct? I am not a cryptographer and have zero trust that I did not make a foolish error.

Demi

1 Answer

2

Encrypt-and-MAC does not preserve confidentiality because two encryptions of the same message will have the same MAC tag, revealing the fact that the messages are equal.

SSH includes a counter in the data the MAC tag is computed over, so it never computes the MAC tag for the same message twice (even if identical data is transmitted twice), so this particular weakness is not an issue.

This is not an endorsement of encrypt-and-MAC, however. Do not use it.

(If you have a strange MAC, encrypt-and-MAC can leak even more than equality, but few reasonable MACs are strange.)

K.G.
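The equality leak described in the answer above and the effect of SSH's counter, shown as an added example that is not part of the original question or answer. It assumes HMAC-SHA-256, a constructed key and constructed packet bytes, and the RFC 4253 layout `MAC(key, sequence_number || unencrypted_packet)`; all function names are hypothetical.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

MAC_KEY = b"constructed-demo-mac-key-32bytes"  # constructed sample key

# Constructed traffic: packets 0 and 2 carry the same plaintext.
PACKETS = [b"ls -la\n", b"whoami\n", b"ls -la\n", b"exit\n"]


def tag_plain(key: bytes, packet: bytes) -> bytes:
    """Textbook encrypt-and-MAC: the tag depends only on the plaintext."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def tag_ssh_style(key: bytes, seq: int, packet: bytes) -> bytes:
    """RFC 4253 sec. 6.4: MAC(key, sequence_number || unencrypted_packet).

    sequence_number is a uint32 that wraps to zero after 2**32 packets,
    so tags are unique per packet only within that window for one key.
    """
    seq_bytes = struct.pack(">I", seq & 0xFFFFFFFF)
    return hmac.new(key, seq_bytes + packet, hashlib.sha256).digest()


def repeated_positions(tags):
    """What a passive observer learns from tags alone: which ones are equal."""
    seen = defaultdict(list)
    for index, tag in enumerate(tags):
        seen[tag].append(index)
    return sorted(pos for pos in seen.values() if len(pos) > 1)


def observe_plain():
    """Tags sent in the clear next to the ciphertext, no counter."""
    return repeated_positions([tag_plain(MAC_KEY, p) for p in PACKETS])


def observe_ssh():
    """Same traffic, with the per-packet sequence number under the MAC."""
    tags = [tag_ssh_style(MAC_KEY, seq, p) for seq, p in enumerate(PACKETS)]
    return repeated_positions(tags)


if __name__ == "__main__":
    print("equal-plaintext groups, no counter:  ", observe_plain())
    print("equal-plaintext groups, with counter:", observe_ssh())
```
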