The second type of trust model structure is via the use of Trent as a CA (see

Section 6.2). Alice only knows Trent's root key, 9.6 but can verify the validity

of all certified host keys. This trust model eliminates the storage problem of

the first model since only Trent's key needs to be stored at that client machine.

However, each host key must be certified by Trent before authorization is possi-

ble. Moreover, as noted in the discussion of the first trust model, there currently

does not exist a comprehensive PKI for the Internet.

SSH2 Advantage

SSH2 eliminates many of the above concerns by automatically maintaining,

checking, and updating public host keys. When Alice logs in to a host server for

the very first time, that host's public key is stored to a file in Alice's personal

directory. Even if that host's ID changes, SSH2 will warn Alice and disable pass-

word authentication to prevent attacks. In this fashion, transparency is added

to the session. Furthermore, attacks such as a Trojan horse 9.7 are thwarted

by the built-in alerts. As well, man-in-the-middle attacks are thwarted by this

automatic mechanism (see Footnote 3.7 on page 134).

In any case, once Alice is assured of the validity of e S , she may initiate a key

exchange connection as part of the transport layer construction of the secure

tunnel, as follows.

Key Exchange Protocol

It is mandated in [293] and [294] that the DiLe-Hellman key exchange pro-

tocol be used to arrive at key agreement. Here is how it is done.

We assume that p is a large safe prime; α is a primitive root modulo p ; h

is a hash cryptographic hash function; and that identification data has been

exchanged in advance such as both Alice's and the server's ID, I A and I S ,as

well as Alice's and the server's protocol versions V A and V S , respectively.

1. Alice generates a random number r with 1 <r<p

−

1, then she calculates

c A

≡

α r (mod p ), which she sends to the server.

2. The server generates a random number s with 1 <s<p

−

1, and computes

each of the following:

α s (mod p ).

(a) c S ≡

c s A (mod p ).

(c) H S = h ( V A ,V S ,I A ,I S ,e S ,c A ,c S ,K ).

(b) K

≡

9.6 A root key is a public key for which the matching private key is held by a root , which

means an end (ultimate) CA, such as Trent say, who signs the certificates of the CAs below

him. As root CA, Trent has a self-signed certificate that contains its own public key.

9.7 A Trojan Horse is a program that appears to have a useful purpose, but has a hidden

malicious function. Usually such a program exploits authentication mechanisms of a given

system. For instance, a disk defragger is a class of Trojan Horse that erases a diskrather

than (the intended purpose of) reorganizing it, if it were a legitimate defragmenting program.

Another class is that of fake login programs , which prompt the user for passwords in order

to gain access to accounts. A Trojan Horse differs from a virus in that it does not replicate

itself. We will learn in depth about about such mechanisms in Section 10.3.