(d) D S ( H S ), the server's digital signature.

Then the server sends D S ( H S ) to Alice.

3. Alice certifies e S as described in the above discussion precedingthe key

exchange protocol. Once done, she computes

c S (mod p )

K

≡

and

H S = h ( V A ,V S ,I A ,I S ,e S ,c A ,c S ,K ) .

She may then verify the server's signature D S ( H S ). If this is valid, then

she accepts the key K as the shared secret session key, which may now be

used for encryptingcommunication between Alice and the server.

Upon completingconstruction of the secure tunnel via the transport mode

described above, it is Alice's turn to authenticate herself to the server.

Authentication

First, the server informs Alice of the various authentication mechanisms

supported. She may choose any of these methods. For instance, the server

might send Alice a challenge that she signs with her private PKC key, allowing

the server to use her public PKC key to authenticate her.

Once the authentication of Alice has occurred, the server will typically log

her into the remote computer and provide her with a shell. Thereafter all

communications with her remote shell will be automatically encrypted. It should

be noted, however, that the SSH shell forbids login to an insecure FTP server,

for instance. The remote host is required to posses SSH-enabled software. There

is a mechanism, called SFTP, which is an FTP replacement that runs over an

SSH tunnel. However, since OpenSSH supports the SSH SFTP protocol, there

is no need to use SFTP. 9.8 In other words, simply use SFTP under the SSH

shell supported by OpenSSH.

The server can decide which encryption methods it will support, which may

be any of 3DES (see page 131), Blowfish (see page 138), Twofish (see page 142),

RC4 (see Section 3.7), or CAST128-CBC (see [223]). Alice may choose the order

of authentication from the options given by the server.

Given the secure tunnel provided by the transport layer, the authentication

methods do not require the level of security that would be required without

9.8 OpenSSH is a version of SSH available over the Internet, supported by the Open BSD

Project ; see http://www.openbsd.org/ . It contains not only the SSH program, which replaces

rlogin (remote login) and telnet , but also other features such as SFTP . Rlogin is a UNIX

command allowing a user to login to other UNIX hosts on a network, and interact as if

physically present at the remote host. Rlogin is similar to the better known telnet command.

However, both are insecure. The OpenSSH suite replaces not only these two UNIX utilities,

but also others such as ssh-add , ssh-keygen and so on, as well as the sftp-server. Sftp is an

interactive file transfer program, which operates over an encrypted SSH tunnel, capable of

using many features of SSH.