16 SSL Part2
Professor
Center for Security, Theory and Algorithmic Research
International Institute of Information Technology, Hyderabad
E-mail: [email protected]
URL: https://www.iiit.ac.in/faculty/ashok-kumar-das/
https://sites.google.com/view/iitkgpakdas/
Dr. Ashok Kumar Das (IIIT Hyderabad) System and Network Security 1 / 26
Transport-Level Security
Secure Shell (SSH)
Secure Shell (SSH) provides secure remote logon and other secure
client/server facilities.
[Figure: (1) Client application (x) and server application (y) communicating through their TCP entities over an unsecure TCP connection. (2) The same client and server applications communicating through a secure SSH tunnel between their SSH entities, which runs between TCP entities (a, b) over an unsecure TCP connection.]
SSH Protocol Stack
TCP: Transmission control protocol provides reliable, connection-oriented end-to-end delivery.
IP: Internet protocol provides datagram delivery across multiple networks.
SSH Transport Layer Protocol Packet Exchanges
Packet exchanges between client and server, in order:
1. Identification string exchange: each side sends SSH-protoversion-softwareversion
2. Algorithm negotiation: each side sends SSH_MSG_KEXINIT
3. Key exchange
4. End of key exchange: each side sends SSH_MSG_NEWKEYS
5. Service request: the client sends SSH_MSG_SERVICE_REQUEST
SSH Transport Layer Protocol Packet Formation
[Figure: Payload -> COMPRESS -> ENCRYPT and MAC -> Ciphertext -> SSH Packet]
SSH Transport Layer Cryptographic Algorithms
Cipher
3des-cbc*: Three-key 3DES in CBC mode
aes128-cbc**: AES with a 128-bit key
MAC algorithm
hmac-sha1*: HMAC-SHA1; digest length = key length = 20
Compression algorithm
zlib: Defined in RFC 1950 and RFC 1951
* = Required
** = Recommended
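The packet formation steps above, as an added example that is not part of the original slides: a payload is compressed with zlib, framed and padded as an SSH binary packet (RFC 4253, section 6), and authenticated with hmac-sha1 over the sequence number and the packet; the receiver verifies the MAC before parsing. Assumptions: the encryption step is left out (cipher "none") because the Python standard library has no AES or 3DES, compression is done per packet instead of as one stream, and the function names, key and payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import zlib

BLOCK = 8      # alignment used when no cipher is active (assumption: cipher "none")
MAC_LEN = 20   # hmac-sha1: digest length = key length = 20


def _mac(key: bytes, seq: int, packet: bytes) -> bytes:
    # MAC input is the 32-bit sequence number followed by the unencrypted packet
    return hmac.new(key, struct.pack(">I", seq & 0xFFFFFFFF) + packet, hashlib.sha1).digest()


def build_packet(payload: bytes, seq: int, mac_key: bytes) -> bytes:
    """Payload -> COMPRESS -> pad and frame -> append MAC (ENCRYPT omitted)."""
    body = zlib.compress(payload)  # simplification: real SSH keeps one zlib stream
    # packet_length(4) + padding_length(1) + body + padding must be a multiple
    # of BLOCK, and there must be at least 4 bytes of random padding
    pad = BLOCK - ((5 + len(body)) % BLOCK)
    if pad < 4:
        pad += BLOCK
    packet = struct.pack(">IB", 1 + len(body) + pad, pad) + body + os.urandom(pad)
    return packet + _mac(mac_key, seq, packet)


def open_packet(wire: bytes, seq: int, mac_key: bytes) -> bytes:
    """Verify the MAC first, then check the length fields and decompress."""
    if len(wire) < 16 + MAC_LEN or (len(wire) - MAC_LEN) % BLOCK:
        raise ValueError("bad packet size")
    packet, mac = wire[:-MAC_LEN], wire[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(mac_key, seq, packet)):
        raise ValueError("MAC check failed")  # tampered, wrong key, or wrong sequence number
    length, pad = struct.unpack(">IB", packet[:5])
    if length != len(packet) - 4 or pad < 4 or pad > length - 1:
        raise ValueError("bad length fields")
    return zlib.decompress(packet[5:len(packet) - pad])


if __name__ == "__main__":
    key = bytes(range(20))                 # constructed 20-byte MAC key
    wire = build_packet(b"uname -a\n" * 8, seq=3, mac_key=key)
    print(len(wire), open_packet(wire, seq=3, mac_key=key))
```

Because the sequence number is part of the MAC input, a packet replayed at a different position in the stream fails verification even though its bytes are unchanged.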