SSH

SSH (Secure Shell) is a protocol for safely administering remote servers.

SSH can be used with different encryption technologies, primarily for

  • encrypting the connection between two parties
  • authenticating each side to the other
  • sending commands back and forth over the connection.

Encryption overview

Symmetrical Encryption

Idea: Same key (Shared key) used to encrypt and decrypt the data.

Client and server use this type of encryption for:

  • encrypting connection
  • authenticating client/server.

The shared key is created through a key exchange algorithm: each party arrives at the same key independently, even though the information exchanged to get there is sent in plain text.

Each session has its own shared key.

Client and server each send their list of supported ciphers (ordered by preference). The client's preference order decides which cipher is chosen.

Symmetrical cipher systems include AES, Blowfish, 3DES, CAST128, Arcfour.

Data/packet integrity is checked by agreeing on a common message authentication code (MAC) algorithm.

  • This is a must-have for any communication between client and server once an encryption algorithm has been decided.
  • MAC = keyed hash, with the symmetrical shared secret as the key, over the packet sequence number PLUS the message content
  • The MAC is unencrypted and is appended to the packet.
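The exchange above, worked end to end as an added example (not from the original notes or from any SSH implementation): both sides derive the same key from values sent in the clear, then a sequence-numbered MAC in the RFC 4253 shape is checked against a tampered and a replayed packet. The group parameters and the key derivation are constructed, simplified stand-ins; real SSH uses large named groups or curve25519 and derives keys from HASH(K || H || letter || session_id).

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration only; far too small
# for real use, where SSH uses standardized 2048-bit+ groups or curve25519).
P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, a 64-bit prime
G = 2


def dh_keypair():
    """Private exponent plus the public value that crosses the wire in plaintext."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Each side combines its own secret with the peer's public value."""
    return pow(peer_pub, priv, P)


def derive_mac_key(shared, label):
    """Simplified key derivation (assumption): hash the shared secret with a
    per-direction label so client->server and server->client keys differ."""
    return hashlib.sha256(shared.to_bytes(8, "big") + label).digest()


def compute_mac(key, seq, packet):
    """RFC 4253 shape: MAC = HMAC(key, uint32 sequence_number || packet)."""
    return hmac.new(key, seq.to_bytes(4, "big") + packet, hashlib.sha256).digest()


def verify_mac(key, seq, packet, tag):
    """Constant-time comparison; False on tampering, reordering or replay."""
    return hmac.compare_digest(compute_mac(key, seq, packet), tag)


def demo():
    """Run the exchange and report the three integrity checks."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Only c_pub and s_pub are exchanged, yet both sides compute the same K.
    assert dh_shared(c_priv, s_pub) == dh_shared(s_priv, c_pub)
    key = derive_mac_key(dh_shared(c_priv, s_pub), b"C")
    packet = b"ls -la /etc"            # constructed sample payload
    tag = compute_mac(key, 7, packet)  # sequence number 7, sent unencrypted
    return {
        "genuine": verify_mac(key, 7, packet, tag),
        "tampered": verify_mac(key, 7, b"rm -rf /etc", tag),
        "replayed": verify_mac(key, 8, packet, tag),
    }
```

The sequence number is what makes a captured packet fail when replayed later in the session, even though its content and tag are unchanged.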

Asymmetrical Encryption

Idea: A pair of keys (a private key and a public key) is used to encrypt and decrypt the data.

Client and server use this type of encryption for:

  • authenticating client/server. (SSH public key authentication)

SSH uses this encryption to set up symmetrical encryption.

After symmetric encryption is established to secure communication, the client must authenticate to be allowed access. For SSH public key authentication, asymmetrical encryption is used: the server encrypts a challenge message for the client, which the client must decrypt to show that it holds the corresponding private key.

How does SSH work? [1]

The server is responsible for

  • listening on a designated port for connections
  • negotiating the secure connection
  • authenticating the client
  • spawning the correct environment

The client is responsible for

  • initiating the TCP handshake
  • verifying the server's identity
  • negotiating the secure connection
  • providing credentials to authenticate to the server

Negotiating the secure connection

The TCP connection is opened by the client.

Both client/server negotiate

Authenticating client

OpenSSL vs GPG vs OpenSSH vs Keybase

Notes

1. Digital Ocean's notes on SSH
2. Security basics
