Chapter 9. SSH Protocol


131


Both SSH protocol versions 1 and 2 add layers of security with each of these layers providing its own


type of protection.


9.3.1. Transport Layer


The primary role of the transport layer is to facilitate safe and secure communication between the


two hosts at the time of and after authentication. Usually running over TCP/IP, the transport layer


accomplishes this by handling the encryption and decryption of data and providing integrity protection


of data packets as they are sent and received. In addition, the transport layer provides compression,


speeding the transfer of information.


Once an SSH client contacts a server, key information is exchanged so that the two systems can


correctly construct the transport layer. The following steps occur during this exchange:


Key exchange


The public key algorithm to be used


The symmetric encryption algorithm to be used


The message authentication algorithm to be used


The hash algorithm to be used


During the key exchange, the server identifies itself to the client with a host key. If the client has never


communicated with this particular server before, the server's key will be unknown to the client and it


will not connect. OpenSSH gets around this problem by accepting the server's host key after the user


is notified and verifies that he will accept the new host key. In subsequent connections, the server's


host key is checked against the saved version on the client, providing confidence that the client is


indeed communicating with the intended server. If, in the future, the host key no longer matches, the


user must remove the client's saved version before a connection can occur.


Caution


It is possible for an attacker to masquerade as the SSH server during the initial contact since the


local system does not know the difference between the intended server and a false one set up by an


attacker. To help prevent this you should verify the integrity of a new SSH server by contacting the


server administrator before connecting for the first time or after a host key has changed.


SSH is designed to work with almost any kind of public key algorithm or encoding format. After


an initial key exchange creates a hash value used for exchanges and a shared secret value, the two


systems immediately begin calculating new keys and algorithms to protect authentication and future


data sent over the connection.


After a certain amount of data has been transmitted using a given key and algorithm (the exact amount


depends on the SSH implementation), another key exchange occurs, which generates another set of


hash values and a new shared secret value. Even if an attack is able to determine the hash and shared


secret value, he would have to determine this information each time a new key exchange is made in


order to monitor the communication.


9.3.2. Authentication


Once the transport layer has constructed a secure tunnel to pass information between the two systems,


the server tells the client the different authentication methods supported, such as using a private key 


encoded signature or typing a password. The client will then try to authenticate itself to the server


using any of the supported methods.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved