Security / DNSSEC Workshop: Cryptography Application SSH

The document discusses Secure Shell (SSH) and how it provides authenticated and encrypted access to remote hosts. It describes how SSH uses public-key cryptography for authentication: the client proves possession of the private key without ever transmitting it. The mechanism walked through in the slides is the SSH protocol version 1 one: the server encrypts a random challenge with the user's public key, the client decrypts it with the private key and returns a hash of it, and the server validates that hash. SSH protocol version 2, which all current clients and servers use, replaces the encrypted challenge with a signature over the session ID, but the property is the same: authentication succeeds only for the holder of the private key.


Security / DNSSEC Workshop

SANOG 26: 03 - 11 August, 2015, Mumbai, India

Cryptography Application
SSH

Mohammad Fakrul Alam


bdHUB Limited
[email protected]
What is "Safely"?
• Authentication: I am assured of which host I am talking with (host authentication, via the server's host key)
• Authentication: the host knows who I am (user authentication, via a password or a key)
• The traffic is encrypted and integrity-protected, so it cannot be read or altered in transit

Security / DNSSEC Workshop | SANOG 26: 03 - 11 August, 2015 | Mumbai, India 2


Traditional (Telnet)

[diagram: Terminal connecting to Servers and Routers over Telnet; login credentials and session traffic cross the network in cleartext]
Encrypted (SSH)

[diagram: the same Terminal, Servers and Routers, with every connection carried inside an encrypted SSH session]
Secure Shell (SSH)
• Provides authenticated and encrypted shell access to a remote host
• It is not only a secure shell; it is much more:
  – A transport for other protocols (e.g. SCP, SFTP, Subversion over svn+ssh)
  – A connection forwarder: local and remote port forwarding can be used to build custom tunnels


SSH (Ordinary Password Authentication)
The transport is set up first (host key check and key exchange), so every message below already travels encrypted.

1. The user makes an initial TCP connection and sends a username.
   [diagram: ssh (Terminal) --username--> sshd (Server); access not yet granted]

2. The ssh daemon on the server responds with a demand for a password; access to the system has not yet been granted in any way.
   [diagram: ssh (Terminal) <--password?-- sshd (Server); access not yet granted]

3. The ssh client prompts the user for a password, which is relayed through the encrypted connection to the server, where it is compared against the local user base.
   [diagram: ssh (Terminal) --password--> sshd (Server); access not yet granted]

4. If the user's password matches the local credential, access to the system is granted and a two-way communications path is established, usually to a login shell.
   [diagram: ssh (Terminal) <--access granted-- sshd (Server); access granted]


Password Authentication
• Advantage: simple to set up (usually the default) and easy to understand.
• Drawback: allows brute-force password guessing by anyone who can reach the SSH port.
• Drawback: the password itself is sent to the server (encrypted in transit, but a compromised server receives it), and it must be remembered and entered separately upon every login.


Public Key Access
• The user creates a pair of keys: a public key and a private key.
• The public key is non-sensitive information.
• The private key is protected on the local machine by a strong passphrase.
• The user installs the public key in $HOME/.ssh/authorized_keys on the target server; this is a one-time setup per target system.


Public Key Access
1. The user makes an initial connection and sends a username along with a request to use a key.
   [diagram: ssh (Terminal) --username + key request--> sshd (Server); access not yet granted]

2. The ssh daemon on the server looks in the user's authorized_keys file, constructs a challenge based on the public key found there, and sends this challenge back to the user's ssh client.
   [diagram: ssh (Terminal) <--key challenge-- sshd (Server), reading authorized_keys; access not yet granted]

3. The ssh client receives the key challenge. It finds the user's private key on the local system, but it is protected by an encrypting passphrase.
   [diagram: ssh (Terminal) holds key.priv; access not yet granted]

4. The user is prompted for the passphrase to unlock the private key.
   [diagram: ssh (Terminal) prompts locally; access not yet granted]

5. ssh uses the private key to construct a key response and sends it to the waiting sshd on the other end of the connection. It does not send the private key itself!
   [diagram: ssh (Terminal) --key response--> sshd (Server); access not yet granted]

6. sshd validates the key response and, if it is valid, grants access to the system.
   [diagram: ssh (Terminal) <--access granted-- sshd (Server); access granted]


How the key challenge works (under the hood)
What follows is the RSA challenge-response of SSH protocol version 1, which is what the diagrams on these slides show. SSH protocol version 2 (RFC 4252), used by every current client and server, keeps the same idea but replaces the encrypted challenge and hash (steps 2 to 5) with a digital signature: the server sends no challenge; the client signs the session ID (plus the fields of its authentication request) with the private key, and the server verifies the signature with the public key from authorized_keys. Either way the private key never leaves the client.

1. The user runs ssh to the server and presents a username together with a request to set up a key session.

2. The server creates a "challenge": it creates and remembers a large random number, then encrypts it with the user's public key.
   [diagram, Key Challenge Creation: random number --encrypt with user's public key--> key challenge]

3. The agent decrypts the challenge with the private key and obtains the random number generated by the server.

4. The agent takes this random number, appends the previously negotiated SSH session ID and computes an MD5 hash of the resulting string. This hash is sent back to the server as the key response.
   [diagram, Key Response Generation: key challenge --decrypt with user's private key--> challenge (clear text) + session ID --MD5 hash--> key response]

5. The server computes the same MD5 hash (random number + session ID) and compares it with the key response from the agent.

6. If they match, the user must have been in possession of the private key, and access is granted.

The session ID is folded into the response on purpose: a response captured from one connection is useless on any other, because the hash is bound to this session.
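The two flows above side by side, as an added example written for this page (it is not the workshop's material or OpenSSH's code). It uses Go's standard crypto library and real 2048-bit RSA keys: the SSH-1 half follows steps 2 to 6 literally (encrypted random number, MD5 over number || session ID, constant-time comparison on the server), and the SSH-2 half shows the signature that replaces the challenge. The session ID, the user name `foo` and the exact byte string signed in the SSH-2 half are constructed for the demo rather than the real wire format; the impostor key stands in for an attacker who knows the public key but not the private one.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Real SSH derives the session ID from the key exchange; this is a constructed stand-in.
var sessionID = []byte("constructed-session-id-0001")
// ---- SSH-1 style, as on the slides: encrypted challenge, MD5 response ----
type ssh1Server struct {
	pub    *rsa.PublicKey // from the user's authorized_keys entry
	secret []byte         // the random number the server remembers
}
// makeChallenge creates and remembers a random number and encrypts it with the
// user's public key; only the holder of the private key can recover it.
func (s *ssh1Server) makeChallenge() ([]byte, error) {
	s.secret = make([]byte, 32)
	if _, err := rand.Read(s.secret); err != nil {
		return nil, err
	}
	return rsa.EncryptPKCS1v15(rand.Reader, s.pub, s.secret)
}

// ssh1Respond is the agent side: decrypt, then return MD5(number || session ID).
// The private key itself never leaves this function.
func ssh1Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	secret, err := rsa.DecryptPKCS1v15(nil, priv, challenge)
	if err != nil {
		return nil, err
	}
	sum := md5.Sum(append(append([]byte{}, secret...), sessionID...))
	return sum[:], nil
}

// verify recomputes the hash from the remembered number and compares in constant time.
func (s *ssh1Server) verify(response []byte) bool {
	want := md5.Sum(append(append([]byte{}, s.secret...), sessionID...))
	return subtle.ConstantTimeCompare(want[:], response) == 1
}
// ---- SSH-2 style (RFC 4252 section 7): no server challenge. The client signs the
// session ID plus its USERAUTH_REQUEST fields (abbreviated here to user name and
// key type); the server verifies that signature with the authorized_keys key. ----
func ssh2Digest(user string) [32]byte {
	return sha256.Sum256([]byte(string(sessionID) + "\x00ssh-userauth\x00" + user + "\x00publickey\x00rsa-sha2-256"))
}

func ssh2Sign(priv *rsa.PrivateKey, user string) ([]byte, error) {
	d := ssh2Digest(user)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

func ssh2Verify(pub *rsa.PublicKey, user string, sig []byte) bool {
	d := ssh2Digest(user)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// RunAuthDemo: the real key must pass both flows, an impostor key must fail both.
func RunAuthDemo() (ssh1OK, ssh2OK, impostorRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // knows pub, not priv
	if err != nil {
		return
	}
	srv := &ssh1Server{pub: &priv.PublicKey} // the server holds only the public half
	ch, err := srv.makeChallenge()
	if err != nil {
		return
	}
	resp, err := ssh1Respond(priv, ch)
	if err != nil {
		return
	}
	ssh1OK = srv.verify(resp)
	badResp, badErr := ssh1Respond(impostor, ch) // PKCS#1 padding error or wrong hash
	ssh1Rejected := badErr != nil || !srv.verify(badResp)
	sig, err := ssh2Sign(priv, "foo")
	if err != nil {
		return
	}
	ssh2OK = ssh2Verify(&priv.PublicKey, "foo", sig)
	badSig, badErr := ssh2Sign(impostor, "foo")
	ssh2Rejected := badErr != nil || !ssh2Verify(&priv.PublicKey, "foo", badSig)
	impostorRejected = ssh1Rejected && ssh2Rejected
	return
}

func main() {
	fmt.Println(RunAuthDemo())
}
```

Run it with `go run`; it prints three booleans (SSH-1 accepted, SSH-2 accepted, impostor rejected by both) and an error value. The point to notice is what the server side holds: the public key and, in the SSH-1 case, one random number for this connection; nothing it sees could be replayed elsewhere, because the session ID is part of what is hashed or signed.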


Public Key Access
• Keys cannot be guessed: a private key of this size is not brute-forceable the way a password is.
• The same private key (with passphrase) can be used to access multiple systems: no need to remember many passwords.
• Requires a one-time setup of the public key on each target system.
• Requires unlocking the private key with its secret passphrase upon each connection (unless an agent holds the unlocked key, see below).


Public Key Access
• Never store the private key on a multi-user host.
• Store the private key ONLY on your laptop, and protect your laptop (encrypt the disk!).
• It is OK to use ssh-agent to remember your unlocked key ONLY if your laptop/computer locks very quickly.


Private Key on Unix / Mac OS X
• SSH is built in on
  – UNIX
  – Linux
  – Mac OS X


Generate Key (Unix / Mac OS X)
$/usr/home/foo> ssh-keygen -t rsa -b 4096 -C [email protected]
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/home/foo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /usr/home/foo/.ssh/id_rsa.
Your public key has been saved in /usr/home/foo/.ssh/id_rsa.pub.
The key fingerprint is:
27:99:35:e4:ab:9b:d8:50:6a:8b:27:08:2f:44:d4:20 [email protected]

Do not leave the passphrase empty: an unencrypted id_rsa is a plaintext credential for every host that trusts it.


Generate Key (Unix / Mac OS X)
~/.ssh/id_rsa: the private key. DO NOT SHARE THIS FILE!
~/.ssh/id_rsa.pub: the associated public key. This can be shared freely without consequence.


Password vs Passphrase
[comic: xkcd 936, "Password Strength"; source: http://xkcd.com/936/]


Private Key on Windows
• http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  – PuTTY (the Telnet and SSH client itself)
  – PuTTYgen (an RSA and DSA key generation utility)
  – Pageant (an SSH authentication agent for PuTTY, PSCP, PSFTP and Plink)


Generate Key (Windows)
1. Run PuTTYgen.
2. Generate the key.
3. Enter a passphrase and save the private key.
4. Right-click in the text field labeled "Public key for pasting into OpenSSH authorized_keys file", choose Select All, and copy the key.
Putting the Key on the Target Host
• Create the required directory and file (on the target host, as the user who will log in; no sudo is needed, and sshd ignores the file if it is owned by someone else or writable by others):
mkdir ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys

• Paste the SSH public key, as a single line, into your ~/.ssh/authorized_keys file:
vi ~/.ssh/authorized_keys
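The same installation done programmatically, with the check that explains the most common failure of this step: an added example written for this page, not OpenSSH's code. With `StrictModes yes` (the sshd default), a `~/.ssh` or `authorized_keys` that is group- or world-writable makes sshd ignore the key file, and the user is silently asked for a password instead. The key line used here is a constructed placeholder, not a real key; `CheckStrictModes` reproduces only the mode part of sshd's check (sshd also verifies that the user owns the files and the home directory, which needs the uid and is left out).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CheckStrictModes mirrors the file-mode half of sshd's StrictModes check: if
// ~/.ssh or ~/.ssh/authorized_keys is group- or world-writable, sshd ignores the
// file and the login silently falls back to a password prompt.
func CheckStrictModes(home string) error {
	for _, p := range []string{
		filepath.Join(home, ".ssh"),
		filepath.Join(home, ".ssh", "authorized_keys"),
	} {
		st, err := os.Stat(p)
		if err != nil {
			return err
		}
		if perm := st.Mode().Perm(); perm&0o022 != 0 {
			return fmt.Errorf("%s: mode %04o is group/world-writable", p, perm)
		}
	}
	return nil
}

// InstallKey does what the slide's mkdir/chmod/paste sequence does, but with the
// modes set at creation time and without adding a line that is already present.
func InstallKey(home, pubLine string) error {
	dir := filepath.Join(home, ".ssh")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	path := filepath.Join(dir, "authorized_keys")
	existing, err := os.ReadFile(path)
	if err != nil && !os.IsNotExist(err) {
		return err
	}
	if strings.Contains(string(existing), pubLine) {
		return nil // already installed; keep the operation idempotent
	}
	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(pubLine + "\n")
	return err
}

// PermissionDemo builds a throwaway home directory, installs a constructed key
// line, and reports: the check passing, failing after a careless chmod, and
// passing again once the mode is repaired.
func PermissionDemo() (installed, badModeRejected, repaired bool, err error) {
	home, err := os.MkdirTemp("", "sshdemo")
	if err != nil {
		return
	}
	defer os.RemoveAll(home)
	const line = "ssh-rsa AAAAexampleblob foo@laptop" // constructed placeholder, not a real key
	if err = InstallKey(home, line); err != nil {
		return
	}
	installed = CheckStrictModes(home) == nil
	ak := filepath.Join(home, ".ssh", "authorized_keys")
	if err = os.Chmod(ak, 0o666); err != nil {
		return
	}
	badModeRejected = CheckStrictModes(home) != nil
	if err = os.Chmod(ak, 0o600); err != nil {
		return
	}
	repaired = CheckStrictModes(home) == nil
	return
}

func main() {
	fmt.Println(PermissionDemo())
}
```

When a freshly installed key "does not work" and ssh falls back to asking for a password, running the equivalent of `CheckStrictModes` on the target (or reading sshd's log, which names the offending file) is the first thing to try; 0600 on authorized_keys is as acceptable as the slide's 0644.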



Generate Key (Windows)
5. Load the private key in PuTTY (Connection -> SSH -> Auth).
6. SSH to the host: username@ipaddress
7. Accept the host's key. On the first connection PuTTY shows the server's host key fingerprint. Compare it with the fingerprint obtained from the administrator out of band before accepting: this step is what authenticates the host, and a wrong key here means the session may be going to an impostor.
8. Enter the passphrase for the key.


PuTTY Agent: Pageant
• Select Add Key, browse to your key, select it, enter the passphrase.
• Enter the passphrase again. Eventually you'll get it right.
• SSH to your server.
• PuTTY enable/disable agent: Connection -> SSH -> Auth, "Attempt authentication using Pageant" checkbox.


Exercise
• Create your key

• Follow the lab manual ssh-lab.pdf
