SSH Secure Login Connections over the Internet Tatu Yloenen SSH Communications Security

Post on 24-Dec-2015


SSH
Secure Login Connections over the Internet

Tatu Yloenen

SSH Communications Security

MOTIVATION

• Connecting through the Internet
  – Cheap and convenient
  – Risky

• Internet does not protect transmitted data

Threats from the Internet

• Network monitoring
• Connection hijacking: connections can be hijacked without either party noticing
• Routing spoofing
• DNS (domain name server) spoofing
• Denial of service attacks

How to protect ourselves

• An acceptable solution must guarantee
  – Authentication of both ends of the connection
  – Secrecy of transmitted information
  – Integrity of transmitted data

• Secrecy of transmitted information is crucial

SSH

• Allows
  – Secure login connections
  – Secure file transfer
  over the Internet or other untrusted networks

SSH

• Uses cryptographic algorithms to
  – Authenticate both ends of the connection
  – Encrypt all transmitted data
  – Protect data integrity
  – Validate values returned by services such as DNS or network protocols (such as TCP)

Transport-level encryption

• Every transmitted packet starts with random padding, followed by (optionally compressed) header and data

• The entire packet is encrypted using a suitable algorithm
  – Packet type and data fields can be compressed with gzip before encryption
    • 1/3 of original size

Integrity protection

• Originally provided by including CRC32 of the packet under encryption
  – Found to be insufficient
  – Was replaced by HMAC-SHA

What is HMAC-SHA? (I)

• HMAC:
  – Hash-based Message Authentication Code
  – Uses a cryptographic hash function

• Any change to the hashed data will (with very high probability) change the hash value

What is HMAC-SHA? (II)

• SHA:
  – Secure Hash Algorithm
  – Four different algorithms: SHA-0, SHA-1, SHA-2, and SHA-3

• SHA-1
  – Most widely used
  – Fixes a flaw in SHA-0
  – Produces a 160-bit "digest"
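Why CRC32 was insufficient while a keyed HMAC is not, shown as an added example that is not part of the original slides: CRC32 is affine over XOR, so the checksum of a modified packet can be derived without reading the packet, whereas an HMAC-SHA1 tag cannot be recomputed without the key. The packet bytes, the key and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_after_xor(old_crc: int, delta: bytes) -> int:
    """CRC32 of (packet XOR delta), computed without seeing the packet.

    CRC32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros),
    so the checksum carries no secret and authenticates nothing.
    """
    zeros = bytes(len(delta))
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def make_tag(key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA1 tag over the packet (160 bits, matching the SHA-1 digest)."""
    return hmac.new(key, packet, hashlib.sha1).digest()


def verify_tag(key: bytes, packet: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(key, packet), tag)


def demo() -> dict:
    packet = b"constructed sample packet body"           # constructed input
    delta = bytes(10) + b"\x01" + bytes(len(packet) - 11)  # one flipped bit
    modified = xor_bytes(packet, delta)
    key = bytes(range(20))  # constructed key; a real one comes from key exchange
    tag = make_tag(key, packet)
    predicted = crc32_after_xor(zlib.crc32(packet), delta)
    return {
        "crc_predicted": predicted == zlib.crc32(modified),
        "hmac_accepts_original": verify_tag(key, packet, tag),
        "hmac_accepts_modified": verify_tag(key, modified, tag),
        "tag_bits": len(tag) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```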

SSH login protocol

• Works on top of the packet-level protocol
• Step 1: The client opens a connection to the server

SSH login protocol

• Step 2: Server sends
  – Its public RSA host key
  – Another public RSA key ("server key") that changes every hour

SSH login protocol

The client compares the received host key against its own database of known host keys. It can decide to
  – Reject keys coming from unknown hosts
  – Accept them and store them in its database

SSH login protocol

• Step 3: The client
  – Generates a 256 bit random number using a cryptographically strong RNG (session key)
  – Picks an encryption algorithm among those supported by the server
  – Encrypts the session key with RSA using both the host key and the server key
  – Sends the encrypted key to the server

The server key

  – Changed every hour
  – Makes it impossible to decrypt recorded historic traffic after the server key has been changed, even when the host key becomes compromised
  – Normally a 768 bit RSA key
    • Host key is 1024 bits

SSH login protocol

• Step 4: Server
  – Recovers the session key
  – Sends an encrypted confirmation to the client

• Shows client that it holds the proper private keys

Client and server can start using transport-level encryption and integrity protection

SSH login protocol

• Step 5: User starts authentication procedure
  – First request includes the user login name
  – Server replies with either
    • success: no further authentication is needed
    • failure: further authentication is required

Authentication methods

1. Traditional password authentication

2. Combination of .rhosts or hosts.equiv authentication and RSA-based host authentication

3. Pure RSA authentication:
  – Server maintains a list of users' public keys
  – User requests authentication for a given key
  – Server responds with a challenge

X11 and TCP/IP Forwarding

• SSH can automatically forward the connection to the user's X server over the secure channel

• SSH also automatically stores Xauthority data on the server

• TCP/IP forwarding works similarly

(Not covered in detail)

Authentication Agent

• SSH supports using an authentication agent
  – Program that runs in the user's local machine (or on a smartcard connected to it)
  – Agent holds the user's private RSA keys
  – In the Unix environment, the agent
    • Starts as a parent of the user's shell
    • Communicates with SSH using a file descriptor it shares with its children

1996 Changes

1. New transport layer protocol:
  • Better integrity checks
  • HMAC-MD5 and HMAC-SHA
  • More complete encryption of packet contents

2. New authentication protocol

(Not covered)

CONCLUSION

• Strong cryptography
  – Solves Internet security issues
  – At negligible cost

OPEN DISCUSSION

• How does SSH compare with Kerberos?

Performance

• Startup time:
  – a few seconds
• Data encryption rate:
  – Quite good on 1995 Pentium computers