Chapter 9. SSH Protocol
Both SSH protocol versions 1 and 2 add layers of security with each of these layers providing its own
type of protection.
9.3.1. Transport Layer
The primary role of the transport layer is to facilitate safe and secure communication between the
two hosts at the time of and after authentication. Usually running over TCP/IP, the transport layer
accomplishes this by handling the encryption and decryption of data and providing integrity protection
of data packets as they are sent and received. In addition, the transport layer provides compression,
speeding the transfer of information.
Once an SSH client contacts a server, key information is exchanged so that the two systems can
correctly construct the transport layer. The following steps occur during this exchange:
- Key exchange
- Selection of the public key algorithm to be used
- Selection of the symmetric encryption algorithm to be used
- Selection of the message authentication algorithm to be used
- Selection of the hash algorithm to be used
During the key exchange, the server identifies itself to the client with a host key. If the client has never
communicated with this particular server before, the server's key is unknown to the client and the
connection cannot proceed. OpenSSH gets around this problem by accepting the server's host key after
the user has been notified and has confirmed that the new host key should be accepted. In subsequent
connections, the server's host key is checked against the saved version on the client, providing confidence
that the client is indeed communicating with the intended server. If, in the future, the host key no longer
matches, the user must remove the client's saved version before a connection can occur.
Caution
It is possible for an attacker to masquerade as the SSH server during the initial contact, since the
local system cannot tell the difference between the intended server and a false one set up by an
attacker. To help prevent this, you should verify the integrity of a new SSH server by contacting the
server administrator before connecting for the first time or after a host key has changed.
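The host key check described above, as an added example that is not part of the original chapter: it parses entries in OpenSSH's plain known_hosts line format, reports whether a presented key is new, matching, or changed, and computes the SHA-256 fingerprint a user would read to the server administrator for out-of-band verification. The host names and key blobs are constructed for the example and are not real keys.

```python
import base64
import hashlib

# Constructed sample key blobs (NOT real SSH keys) for hypothetical hosts.
BLOB_A = b"constructed-ed25519-public-key-blob-for-host-a"
BLOB_B = b"constructed-rsa-public-key-blob-for-host-b"

# A known_hosts file in OpenSSH's plain "<host> <key-type> <base64-blob>" format,
# built from the constructed blobs above (comment lines are allowed).
KNOWN_HOSTS_TEXT = "\n".join([
    "bastion.example.test ssh-ed25519 " + base64.b64encode(BLOB_A).decode(),
    "build.example.test ssh-rsa " + base64.b64encode(BLOB_B).decode(),
    "# comments and blank lines are ignored",
])

def fingerprint(key_blob: bytes) -> str:
    """SHA-256 fingerprint in the 'SHA256:<base64, no padding>' style OpenSSH prints."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, key-type) -> raw key blob. Plain entries only: hashed (|1|...)
    and marker (@...) lines are skipped, a simplification for this example."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: ignore rather than trust it
        hosts, key_type, blob_b64 = fields[0], fields[1], fields[2]
        for host in hosts.split(","):  # one line may list several names/addresses
            known[(host, key_type)] = base64.b64decode(blob_b64)
    return known

def check_host_key(known: dict, host: str, key_type: str, presented: bytes) -> str:
    """Decide what the client should do with the host key the server just presented."""
    saved = known.get((host, key_type))
    if saved is None:
        return "unknown"   # first contact: confirm the fingerprint with the admin
    if saved == presented:
        return "match"     # same key as last time: safe to continue
    return "mismatch"      # key changed: refuse until the stale entry is removed

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS_TEXT)
    print(check_host_key(known, "bastion.example.test", "ssh-ed25519", BLOB_A), fingerprint(BLOB_A))
```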
SSH is designed to work with almost any kind of public key algorithm or encoding format. After
an initial key exchange creates a hash value used for exchanges and a shared secret value, the two
systems immediately begin calculating new keys and algorithms to protect authentication and future
data sent over the connection.
After a certain amount of data has been transmitted using a given key and algorithm (the exact amount
depends on the SSH implementation), another key exchange occurs, which generates another set of
hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared
secret value, the attacker would have to determine this information again each time a new key exchange
is made in order to monitor the communication.
9.3.2. Authentication
Once the transport layer has constructed a secure tunnel to pass information between the two systems,
the server tells the client the different authentication methods supported, such as using a private
key-encoded signature or typing a password. The client will then try to authenticate itself to the server
using any of the supported methods.