Commit a3dfee4e authored by Chris James

initial commit

File added
from http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-4/124_ssh.html#reference1
Three protocols over TCP:
Transport Layer Protocol
Provides server auth, data confidentiality, data integrity, forward secrecy, optionally compression
User Authentication Protocol
Authenticates the user to the server
Connection Protocol
Multiplexes multiple logical communications channels over a single underlying SSH connection.
||--*---*---*---*||-*---*---*---*--||
|| SSH USER AUTH || SSH CONNECTION ||
||--*---*---*---*||-*---*---*---*--||
|| SSH TRANSPORT LAYER PROTOCOL ||
||--*---*---*---*---*---*---*---*--||
|| TCP ||
||--*---*---*---*---*---*---*---*--||
|| IP ||
||--*---*---*---*---*---*---*---*--||
fig. 1: Protocol Stack
Server auth occurs at transport layer, based on server possessing a public-private key pair. Server can have multiple host keys using multiple different asymmetric encryption algos.
Host key used during key exch to auth identity of host. For this to be possible, client must have presumptive knowledge of the server public host key. RFC4251 dictates two alternative trust models:
1) Client's known_hosts: Associates host names with public keys.
2) Host-to-key association is certified by a CA.
Communication outline:
Client Server
| |
|----Establish TCP Connection----|
| |
|----SSH-proto/soft-version----->|
Identification String |<---SSH-proto/soft-version------|
Exchange | |
|--------SSH_MSG_KEXINIT-------->|
Algorithm Negotiation |<-------SSH_MSG_KEXINIT---------|
| |
|----------Key Exchange----------|
| |
|--------SSH_MSG_NEWKEYS-------->|
End of KeyExch |<-------SSH_MSG_NEWKEYS---------|
| |
Service Request |----SSH_MSG_SERVICE_REQUEST---->|
SSH Transport Layer Protocol:
client establishes TCP connection with server.
Packet format:
####################################################
|--PKTL--|-PDL-|-------PAYLOAD-------|---Padding---|
####################################################
where
PKTL == packet length in bytes not including packet length and Message Auth Code (MAC fields)
PDL == Padding length of random byte padding field
payload == actual data packet is being used to send. Can be compressed.
Random Padding == contains random bytes so length of packet (excluding MAC field) is a multiple of the cipher block size, or 8 bytes for a stream cipher.
Message Authentication Code == if message authentication is negotiated, this field contains the MAC value, which is computed over entire packet plus sequence number, excluding the MAC field.
After the MAC is computed, if an encryption algorithm has been specified, then entire packet (excluding MAC) is encrypted.
SSH-TRANSPORT LAYER:
First step is the "identification string exchange", which starts with client sending identification string packet of the form:
SSH-protoversion-softwareversion [SP] comments [CRLF]
Example: SSH-2.0-billsSSH_3.6.3q3<CR><LF>
The server then responds with its own string. These strings are used in the Diffie-hellman key exchange.
Then comes the "Algorithm Negotiation". Each side sends an SSH_MSG_KEXINIT containing lists of supported algorithms in the order of preference to the sender. Algorithms are sent in their own lists, by type. Types include: key exchange, encryption, MAC algorithm, compression algorithm.
Example taken from client-to-server negotiation:
ssh.kex_algorithms:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ssh.server_host_key_algorithms:
ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
ssh.encryption_algorithms_client_to_server:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
ssh.encryption_algorithms_server_to_client:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
ssh.mac_algorithms_client_to_server:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
ssh.mac_algorithms_server_to_client:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
ssh.compression_algorithms_client_to_server:
none,zlib@openssh.com,zlib
ssh.compression_algorithms_server_to_client:
none,zlib@openssh.com,zlib
Example response (from jmitm2!):
b'\x86\x93\xe1\xce}$%\x98\xb7\x81\xa3\xf9\x9c\x14?\x95\x00\x00\x00\x1adiffie-hellman-group1-sha1\x00\x00\x00\x07ssh-dss\x00\x00\x00\x15blowfish-cbc,3des-cbc\x00\x00\x00\x15blowfish-cbc,3des-cbc\x00\x00\x00+hmac-md5,hmac-md5-96,hmac-sha1-96,hmac-sha1\x00\x00\x00+hmac-md5,hmac-md5-96,hmac-sha1-96,hmac-sha1\x00\x00\x00\x04none\x00\x00\x00\x04none\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Next is the actual key exchange itself. Specification allows for alternate methods, but right now two versions of Diffie-Hellman are specified. Both methods defined in RFC 2409 and require only 1 packet in each direction. The following steps are involved in the exchange.
In this,
C is the client;
S is the server;
p is a large safe prime;
g is a generator for a subgroup of GF(p);
q is the order of the subgroup;
V_S is the S identification string;
V_C is the C identification string;
K_S is the S public host key;
I_C is the C SSH_MSG_KEXINIT message; and
I_S is the S SSH_MSG_KEXINIT message that was exchanged before this part began.
The values of p, g, and q are known to both client and server as a result of the algorithm selection negotiation. The hash function hash() is also decided during algorithm negotiation.
{{can a mitm know these values?}}
1. C generates a random number x: (1 < x < q) and computes e = g^x mod p. C sends e to S.
2. S generates a random number y: (0 < y < q) and computes f = g^y mod p. S receives e, computes K = e^y mod p, H = hash(V_C || V_X || I_C || I_S || K_S || e || f || K), and and signature s on H with its private host key. S sends (K_S || f || s) to C. the sigining operation may involve a second hashing operation.
3. C verifies that K-S really is the host key for S (known_hosts). C is also allowed to accept the key without verification. C then computes K = f^x mod p, H = hash(V_C || V_S || I_C || I_S || K_S || e || f ||K), and verifies the signature s on H.
As a result of this, the two sides now share a master key K. In addition the server has been authenticated to the client, because the server has used its private key to sign its half of the diffie-hellman exchange. Finally the hash value H serves as a session identifier for this connection. When computed, the session identifier is not changed, even if the key exchange is performed again for this connetion to obtain fresh keys.
The "end of key exchange" is signaled by the exchange of SSH_MSG_NEWKEYS packets. At this point, both sides may start using the keys generated from K as discussed subsequently.
The final step is "service request". The client sends an SSH_MSG_SERVICE_REQUEST packet to request either the User Authentication or the Connection protocol. After this, all data is exchanged as the payload of an SSH Transport Layer packet, protected by encryption and MAC.
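Review bot: In step 2 of the key exchange the hash input is written `H = hash(V_C || V_X || I_C || ...)`, but `V_X` is never defined. The definitions list and step 3 both use `V_S`, and both sides must hash identical inputs for the signature check in step 3 to succeed, so this should read `V_S`. The same two steps also carry "and and signature s" (a verb is missing), "sigining", and `K-S` where `K_S` is meant. The open placeholder `{{can a mitm know these values?}}` can be answered from the notes themselves: p, g and q follow from the algorithm names in SSH_MSG_KEXINIT, which the outline shows being exchanged before SSH_MSG_NEWKEYS and therefore before any keys are in use. They are public parameters, and what the exchange relies on is the secrecy of x and y plus the host-key signature over H. Suggest replacing the placeholder with that answer before it goes stale.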
This diff is collapsed.
ssh-rsa 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
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
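Review bot: The file containing the `-----BEGIN RSA PRIVATE KEY-----` block commits a private key to the repository, where anyone with read access to the history can recover it. If this is a throwaway key used only as a test fixture, say so in the file name or a README and make sure it is never installed as a real host or user key. Otherwise, treat the key as compromised: generate a new pair, remove the file, and add the path to `.gitignore`. Because this is the initial commit, deleting the file in a later commit leaves the key in history, so the commit itself would need to be rewritten.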
ssh-rsa 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 tobaljackson@b14ckb0x