The Secure Shell (SSH) Protocol

Similar documents
Secure Remote Access: SSH & HTTPS

Transport Level Security

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

Transport Layer Security

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

SSH Algorithms for Common Criteria Certification

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Chapter 12 Security Protocols of the Transport Layer

CPSC 467: Cryptography and Computer Security

Contents. Configuring SSH 1

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

The OpenSSH Protocol under the Hood

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

CSCE 715: Network Systems Security

IP Security IK2218/EP2120

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC 6575: Internet Security Fall 2017

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Virtual Private Networks

Cryptographic Mechanisms: Recommendations and Key Lengths

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

David Wetherall, with some slides from Radia Perlman s security lectures.

CSCE 715: Network Systems Security

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Transport Layer Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CIS 4360 Secure Computer Systems Applied Cryptography

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Internet security and privacy

Virtual Private Network

Information Security CS 526

The IPsec protocols. Overview

IPSec. Overview. Overview. Levente Buttyán

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

IPSec Transform Set Configuration Mode Commands

Real-time protocol. Chapter 16: Real-Time Communication Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

COMPUTER SECURITY. Computer Security Secure Communication Channels (2)

Computer Networks. Wenzhong Li. Nanjing University

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

CS 494/594 Computer and Network Security

Chapter 6: Security of higher layers. (network security)

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

SSH - Secure SHell. Lecture 23 CSIT571. Slides prepared by Joseph Zhaojun Wu Revised by Cunsheng Ding

(2½ hours) Total Marks: 75

E-commerce security: SSL/TLS, SET and others. 4.1

IPSec Transform Set Configuration Mode Commands

BCA III Network security and Cryptography Examination-2016 Model Paper 1

CSE484 Final Study Guide

Lecture 9: Network Level Security IPSec

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Cryptography MIS

Table of Contents 1 IKE 1-1

CPSC 467b: Cryptography and Computer Security

Authenticated Encryption in TLS

8. Network Layer Contents

Message authentication codes

Lecture 12 Page 1. Lecture 12 Page 3

Authenticated Encryption

Table of Contents 1 SSH Configuration 1-1

NCP Secure Client Juniper Edition Release Notes

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

Lecture 13 Page 1. Lecture 13 Page 3

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

CS Computer Networks 1: Authentication

UH, FB Inf, SVS, 18-Okt covers all traffic on that link, independent of protocols above. application has no visibility of Internet layer.

Lecture 10: Communications Security

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

PROTECTING CONVERSATIONS

Configuration of an IPSec VPN Server on RV130 and RV130W

Cryptography and Network Security

Introduction. INF3510 Information Security. Lecture 10: Communications Security. Outline. Network Security Concepts. University of Oslo Spring 2018

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

VPN Ports and LAN-to-LAN Tunnels

NCP Secure Client Juniper Edition (Win32/64) Release Notes

UNIT - IV Cryptographic Hash Function 31.1

The EN-4000 in Virtual Private Networks

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

MTAT Applied Cryptography

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

CSE543 Computer and Network Security Module: Network Security

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Cryptography (Overview)

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CIS 6930/4930 Computer and Network Security. Final exam review

NCP Secure Enterprise macos Client Release Notes

Protocol Comparisons: OpenSSH, SSL/TLS (AT-TLS), IPSec

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

FIPS SECURITY POLICY FOR

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Transcription:

The Secure Shell (SSH) Protocol Mario Čagalj University of Split, FESB

Introduction

What is SSH? SSH is a protocol for secure remote login and other secure network services over an insecure network (RFC 4251). Developed by Tatu Ylönen (Helsinki University of Finland), later on commercialized by SSH Communications Security Corp., Finland. Two distributions are available: commercial version freeware (www.openssh.com) SSH2 is specified in a set of Internet drafts (RFC 4250-4256). 1

The Secure Shell (SSH) Protocol Architecture The SSH protocol consists of three major components: SSH Transport Layer Protocol - provides server authentication, confidentiality, and integrity with perfect forward secrecy SSH User Authentication Protocol - authenticates the client to the server SSH Connection Protocol - multiplexes the encrypted tunnel into several logical channels (enables secure shell session, TCP port forwarding/tunneling, etc.) 2

The Secure Shell (SSH) Protocol Architecture Figure 1: SSH Protocol Stack (source: cisco.com). 3

SSH Transport Layer Protocol

SSH Transport Layer Protocol - Overview SSH TLP typically runs on TCP/IP; when used over TCP the server normally listens for connections on port 22. Provides: encryption of user data server authentication (based on asymmetric host key/s) integrity protection (origin and data) compression of data prior to encryption (optionally) Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated (source: RFC 4253). 4

SSH Transport Layer Protocol (TLP) - Packet Exchanges Figure 2: SSH TLP Packet Exchanges (source: cisco.com). 5

SSH TLP Binary Packet Protocol Figure 3: SSH TLP Packet Formation (source: cisco.com). Implements encrypt and MAC/authenticate paradigm; attacks exists when used with CBC mode (prefer CTR mode). 6

SSH TLP Binary Packet Protocol Encryption and authentication algorithms, encryption keys, IVs are all negotiated during the key exchange. Algorithms and modes (AES, 3DES, CBC, CTR, etc.) can be different in each direction. Before encrypting, the packet is random padded: encoded packet = (packet length padding length payload random padding) MAC (HMAC) is computed over the encoded plaintext packet and an implicit 32-bit sequence number (not transmitted); prevents replay attacks. MAC is not encrypted. mac = MAC(key, sequence number encoded packet) 7

SSH TLP Key Exchange The key exchange method specifies how one-time session keys are generated for encryption and for authentication, and how the server authentication is done (source: RFC 4253). The SSH specification allows for alternative methods of key exchange, but it specifies only two versions of DiffieHellman key exchange. Figure 4: SSH TLP Packet Exchanges (source: cisco.com). 8

SSH TLP Diffie-Hellman Key Exchange (source: RFC 4253) V S and V C are S s and C s id strings; K S is S s public host key; I S and I S are S s and C s SSH MSG KEXINIT msgs exchanged before this part begins; these messages include a 128-bit random cookie to ensure session freshness. 1. C picks random x, computes e = g x mod p. C sends e to S. 2. S picks random y, computes f = g y mod p. S receives e, computes: - K = e y mod p - H = hash(v C V S I C I S K S e f K) - signature s on H with its private host key S sends (K S f s) to C. 3. C verifies that K S really is the host key for S (e.g., using certificates or a local database, or accepts the key without verification). C computes: - K = f x mod p - H = hash(v C V S I C I S K S e f K) C verifies the signature s on H. 9

SSH Session Key Derivation As a result of the key exchange steps: C and S now share a master key K S has been authenticated to C (S has signed C s random DH public key) The hash value H servers as a session id for this connection Subsequent communication protected using the derived session keys Session init vectors, encryption and authentication keys: IV CS = hash(k H A session id) IV SC = hash(k H B session id) EK CS = hash(k H C session id) EK SC = hash(k H D session id) AK CS = hash(k H E session id) AK SS = hash(k H F session id) Key data is taken from the beginning of the hash output. 10

SSH User Authentication Protocol - Overview After the key exchange, the client requests a service by sending SSH MSG SERVICE REQUEST packet to request either the User Authentication or the Connection Protocol. Figure 5: SSH TLP Packet Exchanges (source: cisco.com). 11

SSH User Authentication Protocol

SSH User Authentication Protocol - Overview The SSH Authentication Protocol runs over the SSH Transport Layer Protocol; it assumes that the underlying protocol provides integrity and confidentiality protection. The protocol has access to the session id (source: RFC 4252). Supports three user authentication methods: Public key (required) Password (optional) Host-based (optional) The server controls which authentication methods can be used. 12

SSH User Authentication Protocol - Authentication Methods Public key The client sends to the server a signed message comprising the session id, the user name, the user s public key, and some other info. The signature is generated using the user s private key. Upon message reception, the server checks whether the supplied public key is acceptable for authentication, and if so, check whether the signature is correct. Password The client essentially sends the user name and the password in clear; they are however protected by the SSH Transport Security Protocol. Host-based Analogous to the above public key method but with per-host (not per-user) public key; authentication is based on the host that the user is coming from and the user name on the remote host. 13

SSH Connection Protocol

SSH Connection Protocol - Overview Provides: interactive login sessions remote execution of commands forwarded TCP/IP connections (port forwarding) forwarded X11 connections These apps implemented as channels multiplexed into an encrypted tunnel; the tunnel is provided by the SSH Transport Layer Protocol. Figure 6: SSH Connection Protocol Message Exchange (source: cisco.com). 14

SSH Connection Protocol - TCP/IP Port Forwarding Port forwarding or SSH tunneling is one of the most useful features of SSH. Using port forwarding one can convert any insecure TCP connection into a secure SSH connection. Figure 7: SSH Tunneling (source: cisco.com). 15

SSH Port Forwarding - Local Port Forwarding Connections from the SSH client are forwarded via the SSH server, to a destination server. ssh -L sourceport:dest-host:destport SSH-HOST Connect with SSH to the SSH-HOST, forward all TCP connection attempts to the sourceport (on the local machine) to the destport on the DEST-HOST, which can be reached from the SSH-HOST. Examples: ssh -L 8080:localhost:80 fesb.hr ssh -L 8080:google.com:80 fesb.hr 16

SSH Port Forwarding - Local Port Forwarding Figure 8: Local port forwarding (from: unix.stackexchange.com). 17

SSH Port Forwarding - Remote Port Forwarding Connections from the SSH server are forwarded via the SSH client, then to a destination server. ssh -R sourceport:dest-host:destport SSH-HOST Connect with SSH to the SSH-HOST, forward all TCP connection attempts to the sourceport (on the SSH-HOST) to the destport on the DEST-HOST, which can be reached from the local host. Examples: ssh -R 80:localhost:80 fesb.hr ssh -R 80:google.com:80 fesb.hr 18

SSH Port Forwarding - Remote Port Forwarding Figure 9: Remote port forwarding (from: unix.stackexchange.com). 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback