1

SSH / SSL

Supplementary material

2

Secure Shell (SSH)

• One of the primary goals of the ARPANET was remote access

• Several different connections allowed– rlogin– rcp– rsh

• All data was unencrypted– This was a different world than exists

today.

3

SSH

• SSH is a UNIX-based command interface and protocol for securely accessing a remote computer

• Suite of four utilities—slogin, ssh, sftp, and scp

• Can protect against:– IP spoofing– DNS spoofing– Intercepting information

4

SSH Objectives

• Protect data sent over the network– Negotiate an encryption algorithm between

sender and receiver– Use that algorithm and a session key to

encrypt / decrypt data sent

• Provide site authentication– Use public key / fingerprint to ensure identity

of remote host. – Relies on locally generated keys, so no

certifying authority is generally available.

5

SSH CommunicationsUsing password

SSH Client SSH Server

SSH2?

SSH2Diffie-Helman, etc?

Diffie-Helman

Serv_Pub_key(S_key)OK

S_key(Uname,pwd)

OK

S_key(data)

Send Serv_Pub_Key

6

SSH Wire Shark Trace

SSH CommunicationsSSH CommunicationsUsing Public KeyUsing Public Key

• Problems with Password Authentication– Passwords can be guessed. – Default allows multiple attempts against account– Only 1 account / password needs to be guessed– Alternate approach is to use public / private keys to authenticate

user

• Public Key Authentication– Create public / private keypair– Ensure that private– Upload public key to server user account: ~.ssh/authorized_keys– ssh –o PreferredAuthentications=publickey server.example.org

SSH CommunicationsSSH CommunicationsUsing Public KeyUsing Public Key

SSH Client SSH Server

SSH2?

SSH2Diffie-Helman, etc?

Diffie-Helman

Serv_Pub_key(S_key)

OK

S_key(Uname)

OK

S_key(data)

Send Serv_Pub_Key

Client_Pub_key(Random)Client_Pri_key(msg)

Hash(Random)

9

SSH Tunneling

• Use SSH to create an encrypted channel between remote host and server

• Use that encrypted channel to carry other traffic.

SSH Tunnel

www access

Web Server192.168.1.10

Local port12345

Internet

LAN

SSH TunnelingSSH Tunnelingssh –L 12345:192.168.1.10:80 –l root homenet.net

11

SSH Tunneling

12

Secure Copy (scp)

• Allows encrypted transfer of files between machines

• Download files from server:– scp user@server.net:myfile1.txt myfile1.txt– user@server.net’s password: xxxxx

• Upload files to server– Scp myfile.txt user@server.net:myfile.txt– user@server.net’s password: xxxxx

13

SSH Passwordless Login

• On remote client: – Create key pair. Store in .ssh subdirectory

• On ssh server:– Modify sshd_config to allow shosts based

authentication– Create .shosts file in user’s subdirectory– Copy public key from remote client to .ssh

subdirectory/authorized_keys

14

SSH Passwordless LoginSSH Client SSH Server

SSH2?

SSH2Diffie-Helman, etc?

Diffie-Helman

Serv_Pub_key(S_key)

OK

S_key(Uname)

OK

S_key(data)

Send Serv_Pub_Key

Client_Pub_key(Random)Client_Pri_key(msg)

Hash(Random)

15

SecureSockets Layer (SSL)Transport Layer Security (TLS)• Originally developed by Netscape to support

encrypted access to web servers.• SSL v3 released 1996.• Served as the basis for IETF standard TLS

(1999)• Used by major financial institutions for secure

commerce over the Internet• Early problem with weak keys resolved with

longer (128-bit) keys

16

SSL / TLS

Application (www)

SSL / TLS

TCP

IP

17

SSL/TLS Handshake SSL Client SSL Server

Client helloCiphers I have

Server HelloCipher I choose

Server certificate(S_Pub)

OK

OK

S_Pub(Session_key)

Session_key(data)

18

SSL/TLS Security

• Depends on integrity of public key certificate

• Public Key Infrastructure (PKI)– Components necessary to securely distribute

public keys– Certificate Authorities: Organizations that

certify the relationship between a public key and its owner.

– Verisign,Thawte

19

SSL/TLS Implementations

• SSL v2 – Still in use• SSL v3 – Most widely deployed• TLS v1 – Starting Deployment• OpenSSL – Linux/UNIX toolkit that supports all

3 protocols listed above.• Private Communication Technology (PCT)

– Developed by Microsoft– Compatible with SSL v2

• Versions are not completely compatible

SSL/TLS Vulnerability

• SSL/TLS supports the concept of session renegotiation due to errors, requests, etc.

• This feature assumes that the renegotiation is with the original party, and any requests or messages transmitted before the renegotiation are combined (pre-pended) with the requests after renegotiation

• This behavior can be abused to allow man-in-the-middle attacks

• Demonstrated with https, but the vulnerability exists with any application that uses SSL/TLS

SSL/TLS VulnerabilityClient MITM Server

TLS handshake session #1TLS handshake session #2

GET /ebanking/paymemoney.cgi?Acc=LU00000000?amount=1000

Ignore-what-comes-now;Trigger renegotiation

TLS handshake session #1 continuedwithin the encrypted session #2

Client has authenticated sessionAt app layer (with cookie)GET /ebanking/ Cookie: AS2398648756083745

X

Server receives:GET /ebanking/paymemoney.cgi?Acc=LU00000000?amount=1000Ignore-what-comes-now;GET /ebanking/ Cookie: AS2398648756083745

22

ReferencesReferences

• SSH– SSH Tutorial (http://www.suso.org/docs/shell/ssh.sdf)– www.openssh.org– UNIX Secure Shell – Carasik – McGraw-Hill, 1999– SSH Agent Forwarding

(unixwiz.net/techtips/ssh-agent-forwarding.html)

• SSL– www.openSSL.org– RFCs – 2246, 3546– SSL Authentication Gap (SSL Gap)

(http://www.phonefactor.com/sslgap )– TLS/SSL renegotiation vulnerability explained

(http://www.g-sec.lu/practicaltls.pdf )

SSH RFCs• 4250 The Secure Shell (SSH) Protocol Assigned Numbers.

– S. Lehtinen, C. Lonvick, Ed.. January 2006. (Format: TXT=44010 bytes) – (Status: PROPOSED STANDARD)

• 4251 The Secure Shell (SSH) Protocol Architecture. – T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=71750 bytes) – (Status: PROPOSED STANDARD)

• 4252 The Secure Shell (SSH) Authentication Protocol.– T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=34268 bytes) – (Status: PROPOSED STANDARD)

• 4253 The Secure Shell (SSH) Transport Layer Protocol.– T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=68263 bytes) – (Status: PROPOSED STANDARD)

• 4254 The Secure Shell (SSH) Connection Protocol.– T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=50338 bytes)– (Status: PROPOSED STANDARD)

• 4255 Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints.– J. Schlyter, W. Griffin. January 2006. (Format: TXT=18399 bytes) – (Status: PROPOSED STANDARD)

• 4256 Generic Message Exchange Authentication for the Secure Shell Protocol (SSH). – F. Cusack, M. Forssen. January 2006. (Format: TXT=24728 bytes) – (Status: PROPOSED STANDARD)

• 4344 The Secure Shell (SSH) Transport Layer Encryption Modes. – M. Bellare, T. Kohno, C. Namprempre. January 2006. (Format: TXT=27521 bytes) – (Status: PROPOSED STANDARD)

• 4419 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol.– M. Friedl, N. Provos, W. Simpson. March 2006. (Format: TXT=18356 bytes) – (Status: PROPOSED STANDARD)

• 4716 The Secure Shell (SSH) Public Key File Format– . J. Galbraith, R. Thayer. November 2006. (Format: TXT=18395 bytes)– (Status: INFORMATIONAL)

• 4819 Secure Shell Public Key Subsystem. – J. Galbraith, J. Van Dyke, J. Bright. March 2007. (Format: TXT=32794 bytes) – (Status: PROPOSED STANDARD)

24

Summary

• SSH– Supports secure remote access to hosts– SSH – secure shell– SCP – secure copy– SFTP – secure file transfer

• SSL– Provides a framework for incorporating secure

communications into applications– Uses strong cryptography– Can rely on PKI for reliable sharing of public keys