SSH / SSL - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

SSH / SSL

Description:

SSH / SSL Supplementary material cs490ns-cotter * SSH Communications Using Public Key Problems with Password Authentication Passwords can be guessed. – PowerPoint PPT presentation

Number of Views:390
Avg rating:3.0/5.0
Slides: 30
Provided by: Information182
Category:
Tags: ssh | ssl | exchange | server

less

Transcript and Presenter's Notes

Title: SSH / SSL


1
SSH / SSL
  • Supplementary material

2
Secure Shell (SSH)
  • One of the primary goals of the ARPANET was
    remote access
  • Several different connections allowed
  • rlogin
  • rcp
  • rsh
  • All data was unencrypted
  • This was a different world than exists today.

3
SSH
  • SSH is a UNIX-based command interface and
    protocol for securely accessing a remote computer
  • Suite of four utilitiesslogin, ssh, sftp, and
    scp
  • Can protect against
  • IP spoofing
  • DNS spoofing
  • Intercepting information

4
SSH Objectives
  • Protect data sent over the network
  • Negotiate an encryption algorithm between sender
    and receiver
  • Use that algorithm and a session key to encrypt /
    decrypt data sent
  • Provide site authentication
  • Use public key / fingerprint to ensure identity
    of remote host.
  • Relies on locally generated keys, so no
    certifying authority is generally available.

5
SSH Graphical Client
6
SSH Command Line Client (Linux)
cs490ns-cotter
6
7
SSH CommunicationsUsing password
SSH Client
SSH Server
SSH2?
SSH2
Diffie-Helman, etc?
Diffie-Helman
Send Serv_Pub_Key
Serv_Pub_key(S_key)
OK
S_key(Uname,pwd)
OK
S_key(data)
8
SSH Wire Shark Trace
9
SSH CommunicationsUsing Public Key
  • Problems with Password Authentication
  • Passwords can be guessed.
  • Default allows multiple attempts against account
  • Only 1 account / password needs to be guessed
  • Alternate approach is to use public / private
    keys to authenticate user
  • Public Key Authentication
  • Create public / private keypair
  • Ensure that private
  • Upload public key to server user account
    .ssh/authorized_keys
  • ssh o PreferredAuthenticationspublickey
    server.example.org

10
SSH CommunicationsUsing Public Key
SSH Client
SSH Server
SSH2?
SSH2
Diffie-Helman, etc?
Diffie-Helman
Send Serv_Pub_Key
Serv_Pub_key(S_key)
OK
S_key(Uname)
Client_Pub_key(Random)
Client_Pri_key(msg)
Hash(Random)
OK
S_key(data)
cs490ns-cotter
11
sFTP in Linux
cs490ns-cotter
11
12
SFTP
13
SFTP
14
SSH Tunneling
  • Use SSH to create an encrypted channel between
    remote host and server
  • Use that encrypted channel to carry other traffic.

LAN
www access
Internet
Web Server 192.168.1.10
Local port 12345
SSH Tunnel
15
SSH Tunneling
  • ssh L 12345192.168.1.1080 l root homenet.net

16
SSH Tunneling
17
Secure Copy (scp)
  • Allows encrypted transfer of files between
    machines
  • Download files from server
  • scp user_at_server.netmyfile1.txt myfile1.txt
  • user_at_server.nets password xxxxx
  • Upload files to server
  • Scp myfile.txt user_at_server.netmyfile.txt
  • user_at_server.nets password xxxxx

18
SSH Passwordless Login
  • On remote client
  • Create key pair. Store in .ssh subdirectory
  • On ssh server
  • Modify sshd_config to allow shosts based
    authentication
  • Create .shosts file in users subdirectory
  • Copy public key from remote client to .ssh
    subdirectory/authorized_keys

19
SSH Passwordless Login
SSH Client
SSH Server
SSH2?
SSH2
Diffie-Helman, etc?
Diffie-Helman
Send Serv_Pub_Key
Serv_Pub_key(S_key)
OK
S_key(Uname)
Client_Pub_key(Random)
Client_Pri_key(msg)
Hash(Random)
OK
S_key(data)
20
SecureSockets Layer (SSL)Transport Layer
Security (TLS)
  • Originally developed by Netscape to support
    encrypted access to web servers.
  • SSL v3 released 1996.
  • Served as the basis for IETF standard TLS (1999)
  • Used by major financial institutions for secure
    commerce over the Internet
  • Early problem with weak keys resolved with longer
    (128-bit) keys

21
SSL / TLS
Application (www)
SSL / TLS
TCP
IP
22
SSL/TLS Handshake
SSL Client
SSL Server
Client hello Ciphers I have
Server Hello Cipher I choose
Server certificate (S_Pub)
S_Pub(Session_key)
OK
Session_key(data)
OK
23
SSL/TLS Security
  • Depends on integrity of public key certificate
  • Public Key Infrastructure (PKI)
  • Components necessary to securely distribute
    public keys
  • Certificate Authorities Organizations that
    certify the relationship between a public key and
    its owner.
  • Verisign,Thawte

24
SSL/TLS Implementations
  • SSL v2 Still in use
  • SSL v3 Most widely deployed
  • TLS v1 Starting Deployment
  • OpenSSL Linux/UNIX toolkit that supports all 3
    protocols listed above.
  • Private Communication Technology (PCT)
  • Developed by Microsoft
  • Compatible with SSL v2
  • Versions are not completely compatible

25
SSL/TLS Vulnerability
  • SSL/TLS supports the concept of session
    renegotiation due to errors, requests, etc.
  • This feature assumes that the renegotiation is
    with the original party, and any requests or
    messages transmitted before the renegotiation are
    combined (pre-pended) with the requests after
    renegotiation
  • This behavior can be abused to allow
    man-in-the-middle attacks
  • Demonstrated with https, but the vulnerability
    exists with any application that uses SSL/TLS

26
SSL/TLS Vulnerability
Client
MITM
Server
TLS handshake session 1
TLS handshake session 2
GET /ebanking/paymemoney.cgi? AccLU00000000?amoun
t1000 Ignore-what-comes-now
Trigger renegotiation
X
TLS handshake session 1 continued within the
encrypted session 2
Server receives GET /ebanking/paymemoney.cgi? Ac
cLU00000000?amount1000 Ignore-what-comes-now GE
T /ebanking/ Cookie AS2398648756083745
Client has authenticated session At app layer
(with cookie) GET /ebanking/ Cookie
AS2398648756083745
27
References
  • SSH
  • SSH Tutorial (http//www.suso.org/docs/shell/ssh.s
    df)
  • www.openssh.org
  • UNIX Secure Shell Carasik McGraw-Hill, 1999
  • SSH Agent Forwarding (unixwiz.net/techtips/ssh-ag
    ent-forwarding.html)
  • SSL
  • www.openSSL.org
  • RFCs 2246, 3546
  • SSL Authentication Gap (SSL Gap)
    (http//www.phonefactor.com/sslgap )
  • TLS/SSL renegotiation vulnerability explained
    (http//www.g-sec.lu/practicaltls.pdf )

cs490ns-cotter
27
28
SSH RFCs
  • 4250 The Secure Shell (SSH) Protocol Assigned
    Numbers.
  • S. Lehtinen, C. Lonvick, Ed.. January 2006.
    (Format TXT44010 bytes)
  • (Status PROPOSED STANDARD)
  • 4251 The Secure Shell (SSH) Protocol
    Architecture.
  • T. Ylonen, C. Lonvick, Ed.. January 2006.
    (Format TXT71750 bytes)
  • (Status PROPOSED STANDARD)
  • 4252 The Secure Shell (SSH) Authentication
    Protocol.
  • T. Ylonen, C. Lonvick, Ed.. January 2006.
    (Format TXT34268 bytes)
  • (Status PROPOSED STANDARD)
  • 4253 The Secure Shell (SSH) Transport Layer
    Protocol.
  • T. Ylonen, C. Lonvick, Ed.. January 2006.
    (Format TXT68263 bytes)
  • (Status PROPOSED STANDARD)
  • 4254 The Secure Shell (SSH) Connection Protocol.
  • T. Ylonen, C. Lonvick, Ed.. January 2006.
    (Format TXT50338 bytes)
  • (Status PROPOSED STANDARD)
  • 4255 Using DNS to Securely Publish Secure Shell
    (SSH) Key Fingerprints.
  • J. Schlyter, W. Griffin. January 2006. (Format
    TXT18399 bytes)
  • (Status PROPOSED STANDARD)
  • 4256 Generic Message Exchange Authentication for
    the Secure Shell Protocol (SSH).

29
Summary
  • SSH
  • Supports secure remote access to hosts
  • SSH secure shell
  • SCP secure copy
  • SFTP secure file transfer
  • SSL
  • Provides a framework for incorporating secure
    communications into applications
  • Uses strong cryptography
  • Can rely on PKI for reliable sharing of public
    keys
Write a Comment
User Comments (0)
About PowerShow.com