SSH Secure Shell. What is SSH?



Similar documents
Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Chapter 7 Transport-Level Security

Network Security Essentials Chapter 5

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

Chapter 17. Transport-Level Security

Transport Level Security

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SSL/FTP (File Transfer Protocol over Secure Sockets Layer)

Secure network protocols: how SSL/TLS, SSH, SFTP and FTPS work

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Communication Security for Applications

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Security vulnerabilities in the Internet and possible solutions

Secure Sockets Layer

Secure Shell (SSH) Protocol

IPsec Details 1 / 43. IPsec Details

The Secure Sockets Layer (SSL)

IP Security. Ola Flygt Växjö University, Sweden

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Cleaning Encrypted Traffic

Introduction to Security and PIX Firewall

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Web Security Considerations

4.1: Securing Applications Remote Login: Secure Shell (SSH) PEM/PGP. Chapter 5: Security Concepts for Networks

Network Security. Lecture 3

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

SSL Secure Socket Layer

Computer Networks. Secure Systems

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Communication Systems SSL

Einführung in SSL mit Wireshark

Chapter 10. Network Security

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Centers for Medicare and Medicaid Services. Connect: Enterprise Secure Client (SFTP) Gentran. Internet Option Manual

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

, ) I Transport Layer Security

Network Security Part II: Standards

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Client Server Registration Protocol

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

TELE 301 Network Management. Lecture 16: Remote Terminal Services

Transport Layer Security Protocols

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

[SMO-SFO-ICO-PE-046-GU-

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

CSC Network Security

Bit Chat: A Peer-to-Peer Instant Messenger

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.

SSL A discussion of the Secure Socket Layer

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

CSC 474 Information Systems Security

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Configuring and Tuning SSH/SFTP on z/os

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Protocol Security Where?

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Wireless LAN Security Mechanisms

Contents. Part 1 SSH Basics 1. Acknowledgments About the Author Introduction

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Secure Data Transfer

Configuring CSS Remote Access Methods

CCNA Security 1.1 Instructional Resource

FIPS SECURITY POLICY FOR

Virtual Private Networks

BeamYourScreen Security

Chapter 6 CDMA/802.11i

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

Network Access Security. Lesson 10

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

MIKOGO SECURITY DOCUMENT

Wireless Networks. Welcome to Wireless

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Guideline for setting up a functional VPN

As enterprises conduct more and more

Introduction to Computer Security

File Transfer Protocol (FTP) & SSH

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Online Banking for Business Secure FTP with SSH (Secure Shell) USER GUIDE

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Lecture 9: Application of Cryptography

SBClient SSL. Ehab AbuShmais

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Network Authentication X Secure the Edge of the Network - Technical White Paper

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Authenticity of Public Keys

SECURE SOCKETS LAYER (SSL)

SSL Secure Socket Layer

Using IPSec in Windows 2000 and XP, Part 2

Transcription:

Security, like correctness, is not an add-on feature. -- Andrew S. Tanenbaum SSH Secure Shell - - Binary Packet Protocol - key exchange - server authentication - - SSH Connection Protocol What is SSH? SSH Secure Shell SSH is a protocol for secure remote login and other secure network services over an insecure network developed by SSH Communications Security Corp., Finland two distributions are available: commercial version freeware (www.openssh.com) specified in a set of Internet drafts 2 1

Major SSH components provides server authentication, confidentiality, and integrity services (may provide compression too) runs on top of any reliable transport layer (e.g., TCP) provides client-side user authentication runs on top of the SSH Connection Protocol multiplexes the secure tunnel provided by the SSH Transport Layer and User Authentication Protocols into several logical channels these logical channels can be used for a wide range of purposes secure interactive shell sessions TCP port forwarding carrying X11 connections 3 SSH security features strong algorithms uses well established strong algorithms for encryption, integrity, key exchange, and public key management large key size requires encryption to be used with at least 128 bit keys supports larger keys too algorithm negotiation encryption, integrity, key exchange, and public key algorithms are negotiated it is easy to switch to some other algorithm without modifying the base protocol 4 2

SSH TLP Overview client server TCP connection setup SSH version string exchange SSH key exchange (includes algorithm negotiation) SSH data exchange termination of the TCP connection 5 Connection setup and version string exchange TCP connection setup the server listens on port 22 the client initiates the connection SSH version string exchange both side must send a version string of the following form: SSH-protoversion-softwareversion comments \CR \LF used to indicate the capabilities of an implementation triggers compatibility extensions current protocol version is 2.0 all packets that follow the version string exchange is sent using the Binary Packet Protocol 6 3

Binary Packet Protocol packet length (4) padding length (1) payload (may be compressed) random padding MAC packet length: length of the packet not including the MAC and the packet length field padding length: length of padding payload: useful contents might be compressed max payload size is 32768 random padding: 4 255 bytes total length of packet not including the MAC must be multiple of max(8, cipher block size) even if a stream cipher is used MAC: message authentication code computed over the clear packet and an implicit sequence number encryption compression 7 Encryption the encryption algorithm is negotiated during the key exchange supported algorithms 3des-cbc (required) (168 bit key) blowfish-cbc (recommended) twofish256-cbc (opt) / twofish192-cbc (opt) / twofish128-cbc (recomm) aes256-cbc (opt) / aes192-cbc (opt) / aes128-cbc (recomm) serpent256-cbc (opt) / serpent192-cbc (opt) / serpent128-cbc (opt) arcfour (opt) (RC4) idea-cbc (opt) / cast128-cbc (opt) key and IV are also established during the key exchange all packets sent in one direction is considered a single data stream IV is passed from the end of one packet to the beginning of the next one encryption algorithm can be different in each direction 8 4

MAC MAC algorithm and key are negotiated during the key exchange supported algorithms hmac-sha1 (required) [MAC length = key length = 160 bits] hmac-sha1-96 (recomm) [MAC length = 96, key length = 160 bits] hmac-md5 (opt) [MAC length = key length = 128 bits] hmac-md5-96 (opt) [MAC length = 96, key length = 128 bits] MAC algorithms used in each direction can be different MAC = mac( key, seq. number clear packet ) sequence number is implicit, not sent with the packet sequence number is represented on 4 bytes sequence number initialized to 0 and incremented after each packet it is never reset (even if keys and algs are renegotiated later) 9 Key exchange - Overview client server SSH_MSG_KEXINIT uses new keys and algorithms for sending uses new keys and algorithms for receiving execution of the selected key exchange protocol SSH_MSG_NEWKEYS 10 5

Algorithm negotiation SSH_MSG_KEXINIT kex_algorithms (comma separated list of names) server_host_key_algorithms encryption_algorithms_client_to_server encryption_algorithms_server_to_client mac_algorithms_client_to_server mac_algorithms_server_to_client compression_algorithms_client_to_server compression_algorithms_server_to_client first_kex_packet_follows (boolean) random cookie (16 bytes) algorithm lists the server lists the algorithms it supports the client lists the algorithms that it is willing to accept algorithms are listed in order of preference selection: first algorithm on the client s list that is also on the server s list 11 Deriving keys and IVs any key exchange algorithm produces two values a shared secret K an exchange hash H H from the first key exchange is used as the session ID keys and IVs are derived from K and H as follows: IV client to server = HASH( K H A session ID ) IV server to client = HASH( K H B session ID ) encryption key client to server = HASH( K H C session ID ) encryption key server to client = HASH( K H D session ID ) MAC key client to server = HASH( K H E session ID ) MAC key server to client = HASH( K H F session ID ) where HASH is the hash function specified by the key exchange method (e.g., diffie-hellman-group1-sha1) if the key length is longer than the output of HASH K1 = HASH( K H X session ID ) K2 = HASH( K H K1 ) K3 = HASH( K H K1 K2 ) key = K1 K2 K3 12 6

Diffie-Hellman key exchange 1. 2. 3. the client generates a random number x and computes e = g x mod p the client sends e to the server the server generates a random number y and computes f = g y mod p the server receives e from the client it computes K = e y mod p = g xy mod p and H = HASH( client version string server version string client kex init msg server kex init msg server host key K srv e f K ) it generates a signature σ on H using the private part of the server host key (may involve additional hash computation on H) it sends ( K srv f σ ) to the client the client verifies that K srv is really the host key of the server the client computes K = f x mod p = g xy mod p and the exchange hash H the client verifies the signature σ on H 13 Server authentication based on the server s host key K srv the client must check that K srv is really the host key of the server models the client has a local database that associates each host name with the corresponding public host key the host name to key association is certified by a trusted CA and the server provides the necessary certificates or the client obtains them from elsewhere check fingerprint of the key over an external channel (e.g., phone) best effort: accept host key without check when connecting the first time to the server save the host key in a local database, and check against the saved key on all future connections to the same server 14 7

Key re-exchange either party may initiate a key re-exchange sending an SSH_MSG_KEXINIT packet when not already doing a key exchange key re-exchange is processed identically to the initial key exchange except for the session ID, which will remain unchanged algorithms may be changed keys and IVs are recomputed encryption contexts are reset it is recommended to change keys after each gigabyte of transmitted data or after each hour of connection time 15 SSH User Authentication Protocol the protocol assumes that the underlying transport protocol provides integrity and confidentiality (e.g., ) the protocol has access to the session ID the server should have a timeout for authentication and disconnect if the authentication has not been accepted within the timeout period recommended value is 10 minutes the server should limit the number of failed authentication attempts a client may perform in a single session recommended value is 20 attempts three authentication methods are supported publickey password hostbased 16 8

User authentication overview client SSH_MSG_USERAUTH_REQUEST SSH_MSG_USERAUTH_FAILURE (further authentication needed) SSH_MSG_USERAUTH_REQUEST SSH_MSG_USERAUTH_FAILURE (further authentication needed) SSH_MSG_USERAUTH_REQUEST SSH_MSG_USERAUTH_SUCCESS server USERAUTH_REQUEST user name service name method name method specific fields USERAUTH_FAILURE list of authentication methods that can continue partial success flag TRUE: previous request was successful, but further authentication is needed FALSE: previous request was not successful USERAUTH_SUCCESS (authentication is complete, the server starts the requested service) 17 The publickey method all implementations must support this method however, most local policies will not require authentication with this method in the near future, as users don t have public keys authentication is based on demonstration of the knowledge of the private key (the client signs with the private key) the server verifies that the public key really belongs to the user specified in the authentication request the signature is correct 18 9

The publickey method cont d SSH_MSG_USERAUTH_REQUEST user name service name publickey TRUE (a flag set to TRUE) public key algorithm name (e.g., ssh-dss) public key signature (computed over the session ID and the data in the request) the server responds with SSH_MSG_USERAUTH_FAILURE if the request failed or more authentication is needed, or SSH_MSG_USERAUTH_SUCCESS otherwise 19 The publickey method cont d using the private key involves expensive computations may require the user to type a password if the private key is stored in encrypted form on the client machine in order to avoid unnecessary processing, the client may check whether authentication using the public key would be acceptable SSH_MSG_USERAUTH_REQUEST user name service name publickey FALSE public key algorithm name public key if OK then the server responds with SSH_MSG_USERAUTH_PK_OK 20 10

The password method all implementations should support this method this method is likely the most widely used SSH_MSG_USERAUTH_REQUEST user name service name password FALSE (a flag set to FALSE) password (plaintext) the server may respond with SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS, or SSH_MSG_USERAUTH_PASSWD_CHANGEREQ 21 The password method cont d changing the password SSH_MSG_USERAUTH_REQUEST user name service name password TRUE old password (plaintext) new password (plaintext) 22 11

The hostbased method authentication is based on the host where the user is coming from this method is optional the client sends a signature that has been generated with the private host key of the client the server verifies that the public key really belongs to the host specified in the authentication request the signature is correct 23 The hostbased method cont d SSH_MSG_USERAUTH_REQUEST user name service name hostbased public key algorithm name public key and certificates for client host client host name user name on client host signature (computed over the session ID and the data in the request) 24 12

Recommended readings Internet drafts available at http://www.ietf.org/html.charters/secsh-charter.html SSH Protocol Architecture SSH Connection Protocol 25 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information