not match (for whatever reason), the user has a security warning saying that the public
key has changed and that some adversary may be trying to impersonate the server by
sending a wrong key. Typically, the user does not care and clicks “OK.” This is the
major problem of SSH, but remember that the purpose was just to increase the security,
not to have a perfect one.
The client and the server run a key agreement protocol such that the server is
authenticated, and devise a symmetric key to be used to set up a secure channel. Then,
the client is authenticated by a password which is sent through the secure channel.
12.2.2 SSH2 Key Exchange and Authentication
SSH2 uses DSS for server authentication and Diffie-Hellman key agreement for setting
up a symmetric session key (previous versions were entirely based on RSA). Both
are based on some generator $g$ which generates a subgroup of $\mathbf{Z}_p$ of prime order $q$.
Concretely, the client and the server exchange some “Initial Message” $I_C$ and $I_S$, and
the protocol version $V_C$ and $V_S$ that they support. Then, as illustrated in Fig. 12.5, the
key agreement runs as follows.
1. The client picks a random $x \in \{1, \ldots, q-1\}$, computes $e = g^x \bmod p$, and
sends it to the server.
2. The server picks a random $y \in \{1, \ldots, q-1\}$, computes $f = g^y \bmod p$ and
$K = e^y \bmod p$. Then he computes the hashed value $H$ of
$V_C \,\|\, V_S \,\|\, I_C \,\|\, I_S \,\|\, K_S \,\|\, e \,\|\, f \,\|\, K$
and signs it, where $K_S$ is his public key, and sends $K_S$, $f$, and the signature $s$ to the client.
3. The client can verify $K_S$ at this time (e.g. using a certificate or his list of known
public keys). Then the client computes $K = f^x \bmod p$, the hashed value $H$ of
$V_C \,\|\, V_S \,\|\, I_C \,\|\, I_S \,\|\, K_S \,\|\, e \,\|\, f \,\|\, K$,
and checks if $s$ is a valid signature for $H$.
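The three steps above, run end to end in a small Python model. This is an added example and not code from the book: it assumes a toy safe-prime group found at import time, a hand-coded DSA-style signature standing in for DSS, SHA-256 as the hash, and an in-process client and server; the names `run_exchange`, `exchange_hash` and `KNOWN_HOSTS` are this example's own. The parameters are far too small for real use. What the model shows beyond the text is why every field of the transcript is bound into $H$: if an attacker changes $e$ on the wire, the server signs a different transcript than the one the client recomputes, and the client's verification of $s$ fails; and if the client has no known public key for the host, the "check $K_S$" step is where the exchange stops.

```python
"""Toy model of the SSH2 exchange of Fig. 12.5 (constructed example, not from the book)."""
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Trial division: adequate for the ~30-bit toy parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def group_params(start: int = 10**9):
    """Return (p, q, g) with p = 2q + 1 prime and g generating the order-q subgroup of Z_p^*."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    g = 4                      # a square mod a safe prime, different from 1, has order q
    return p, q, g


def keygen(p, q, g):
    """DSA-style key pair: private x in {1, ..., q-1}, public K_S = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(p, q, g, x, h):
    """Sign the integer h (the hashed value H); retry if r or s comes out as 0."""
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s


def verify(p, q, g, y, h, sig):
    """Ver_{K_S}(s, H): the standard DSA verification equation."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def _enc(x) -> bytes:
    """Length-prefix each field so the concatenation is unambiguous (SSH uses its own wire encoding)."""
    s = str(x).encode()
    return len(s).to_bytes(4, "big") + s


def exchange_hash(fields) -> int:
    """H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), as an integer."""
    digest = hashlib.sha256(b"".join(_enc(x) for x in fields)).digest()
    return int.from_bytes(digest, "big")


P, Q, G = group_params()
SERVER_PRIV, SERVER_PUB = keygen(P, Q, G)
KNOWN_HOSTS = {"server.example": SERVER_PUB}   # the client's list of known public keys (constructed)


def run_exchange(host="server.example", tamper_e=False):
    """Run the three steps; tamper_e models an attacker replacing e on the wire."""
    V_C, V_S = "SSH-2.0-toyclient", "SSH-2.0-toyserver"
    I_C, I_S = secrets.token_hex(8), secrets.token_hex(8)
    # Step 1 (client): e = g^x mod p.
    x = secrets.randbelow(Q - 1) + 1
    e = pow(G, x, P)
    e_wire = e * G % P if tamper_e else e    # g^(x+1) != g^x, so the server sees a different transcript
    # Step 2 (server): f = g^y mod p, K = e^y mod p, sign the transcript hash.
    y = secrets.randbelow(Q - 1) + 1
    f = pow(G, y, P)
    K_server = pow(e_wire, y, P)
    H_server = exchange_hash([V_C, V_S, I_C, I_S, SERVER_PUB, e_wire, f, K_server])
    s = sign(P, Q, G, SERVER_PRIV, H_server)
    # Step 3 (client): check K_S against the known list, derive K = f^x mod p, recompute H, verify s.
    if KNOWN_HOSTS.get(host) != SERVER_PUB:
        return {"verified": False, "reason": "host key not in known list"}
    K_client = pow(f, x, P)
    H_client = exchange_hash([V_C, V_S, I_C, I_S, SERVER_PUB, e, f, K_client])
    ok = verify(P, Q, G, SERVER_PUB, H_client, s)
    return {"verified": ok, "K_client": K_client, "K_server": K_server,
            "reason": "ok" if ok else "signature does not match client's transcript"}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper_e=True))
    print(run_exchange(host="unknown.example"))
```

In the untampered run both sides end with the same $K$ and the signature verifies; with `tamper_e=True` the two sides compute different $K$ and $H$, so `verify` rejects $s$ even though the server signed honestly, which is exactly the role of hashing the whole transcript rather than $K$ alone.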
Then the client and the server can use K as a symmetric key for symmetric en-
cryption and MAC. The choice of the algorithms is negotiated between the client and
the server. Several encryption schemes are proposed, including triple DES, AES, RC4,
Client                                          Server

version V_C, initial message I_C
                    V_C, I_C
              ----------------------->
                                                version V_S, initial message I_S
                    V_S, I_S
              <-----------------------
pick x, e = g^x mod p
                       e
              ----------------------->
                                                pick y, f = g^y mod p, K = e^y mod p
                                                H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K)
                                                s = Sig(H)
                    K_S, f, s
              <-----------------------
K = f^x mod p, check K_S
H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K)
Ver_{K_S}(s, H)

Figure 12.5. Semi-authenticated key exchange in SSH.