SSH and SSL CIT304 University of Sunderland Harry R. Erwin, PhD.

Posted on 29-Dec-2015



SSH and SSL

CIT304

University of Sunderland

Harry R. Erwin, PhD

Resources

• Daniel J. Barrett and Richard E. Silverman, 2001, SSH, the Secure Shell, O’Reilly, ISBN: 0-596-00011-1

• Eric Rescorla, 2001, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, ISBN: 0-201-61598-3

The Problem

• IPv4 is insecure. Most TCP/IP services are unencrypted. This allows anyone to monitor and reconstruct connection traffic on the internet.

• The following needs can be identified:

– Encrypted connections between parties known to each other.

– Third-party authentication and encrypted connection establishment when parties are not known to each other.

Solutions

• SSH to support encrypted sessions

• SSL to provide trusted third-party authentication and to support encrypted sessions.

SSH

• “Secure shell”

• Transparent encryption.

• Modern, secure encryption algorithms

• Reliable, fast, and effective

• Client/server interaction

• Eliminates .rhosts and hosts.equiv

Services Provided

• Replaces:

– rsh and telnet with ssh

– rlogin with slogin

– rcp with scp

– ftp with sftp

• Protocols

– ssh-1

– ssh-2

SSH1 Authentication Mechanisms

1. Kerberos

2. Rhosts (trusted host authentication, insecure)

3. RhostsRSA (trusted host authentication, insecure)

4. Public-key (RSA)

5. TIS

6. Password (various flavors, relatively insecure)

SSH2 Authentication Mechanisms

1. Public-key (DSA, RSA, OpenPGP)

2. Hostbased

3. Password

Ciphers

• SSH1

– 3DES, IDEA, ARCFOUR (alleged RC4), DES

• SSH2

– 3DES, Blowfish, Twofish, CAST-128, IDEA, ARCFOUR

Port Forwarding

• SSH can forward or tunnel ports, allowing you to run insecure services securely.

ssh -L 3002:localhost:119 news.yoyo.com
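To make the slide's forwarding spec concrete, here is an added example (not part of the lecture) that parses the `[bind_address:]port:host:hostport` form accepted by `ssh -L` and reports who can reach the resulting listener. It assumes OpenSSH's defaults (loopback-only unless a bind address or GatewayPorts says otherwise) and does not handle bracketed IPv6 hosts.

```python
"""Interpret an OpenSSH -L forwarding spec such as 3002:localhost:119."""
from dataclasses import dataclass


@dataclass
class LocalForward:
    bind_address: str   # interface the listener is bound to on the SSH client
    listen_port: int    # local port that client programs connect to
    target_host: str    # resolved and connected to from the SSH server's side
    target_port: int

    def exposure(self) -> str:
        """Who can use the tunnel: only local processes, or any host that can
        reach the bound interface (and thereby ride the SSH user's session)."""
        if self.bind_address in ("127.0.0.1", "::1", "localhost"):
            return "loopback-only"
        return "network-reachable"


def _port(text: str) -> int:
    port = int(text)                       # raises ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_local_forward(spec: str) -> LocalForward:
    """Parse [bind_address:]port:host:hostport as accepted by ssh -L.

    'localhost' in the host field is resolved on the SSH *server*: the slide's
    3002:localhost:119 on news.yoyo.com reaches the NNTP daemon on news.yoyo.com
    itself, not one on the client machine.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        # No bind address given: OpenSSH binds to loopback when GatewayPorts is "no" (the default).
        bind, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        if bind == "":                     # an empty bind address means the same as '*'
            bind = "*"
    else:
        raise ValueError(f"malformed forward spec: {spec!r}")
    if not host:
        raise ValueError(f"empty target host in {spec!r}")
    return LocalForward(bind, _port(port), host, _port(hostport))
```

A spec such as `*:3002:localhost:119` turns the tunnel into a service any host on the client's network can use, so the bind address is the first thing to check when reviewing a forwarding rule.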

A Simple Example

• ssh -l harry harry.sunderland.ac.uk

• This allows me to log into harry@harry.sunderland.ac.uk

• Another way of doing the same thing is

• ssh harry@harry.sunderland.ac.uk

Using scp

• scp harry@harry.sunderland.ac.uk:myfile afile

• This transfers myfile from my home directory on harry.sunderland.ac.uk to afile locally.

• You can also use sftp similarly to ftp.

Threats Countered

• Eavesdropping

• DNS and IP Spoofing

• Connection Hijacking

• Man-in-the-Middle Attacks

• Insertion Attack

SSL

• Secure Sockets Layer

• An authentication and encryption technique that provides security services to TCP by a socket-style API.

• Relies on certificates issued by a trusted third party.

• Invented by Netscape.

• Is slowly being replaced by TLS (Transport Layer Security)

Services Provided

• Secure http

• pop

• imap

• smtp

• ftp

• rmi

• corba

• iiop

• telnet

• ldap

SSL Functions

• Confidential transmission

• Message integrity

• Endpoint authentication

How It Works

• An understanding of how SSL works is necessary to use it safely.

• Uses public key (asymmetric) cryptography.

• Trusted third parties (Certificate Authorities) provide the certificates that contain the public keys.

• Supports many encryption algorithms.

SSL-Enabled UNIX Clients

• curl,

• ethereal,

• ettercap,

• lynx,

• stunnel,

• gabber,

• links,

• mutt,

• xchat,

• bitchx,

• lftp,

• neon,

• openldap,

• openslp,

• pine,

• various database managers.