SSH - San Jose State University

advertisement
Secure Shell
Tam Ngo
Steve Licking
Secure Shell (SSH)
Tam Ngo
Steve Licking
San Jose State University
March 25, 2005
CS265 - Cryptography and Computer Security
Section 1
Page 1 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
Table of Contents
Abstract
3
Acronyms
3
1.0 Introduction to Secure Shell (SSH)
4
1.1 The History of Secure Shell
4
1.2 SSH-1 and SSH-2
4
1.3 What does Secure Shell Protect Against?
5
2.0 SSH Encryption Technique
5
2.1 How does Secure Shell Work?
5
3.0 SSH-2 Architecture
7
4.0 Possible Attacks on SSH
8
5.0 Conclusion – Future Development
9
References
Section 1
10
Page 2 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
Abstract
Secure Shell (SSH) is one of the most popular protocols in the market today that
allows users to connect from a local computer to a remote computer securely.
Secure Shell is able to provide users with such security by using the most
modern and secure cryptographic available. In this paper, we will discuss the
history of SSH, how SSH establishes connection between client and server, what
encryption technology it uses, what kind of attacks SSH protect against, and
what attacks SSH cannot prevent.
Acronyms
3DES – Triple Data Encryption Standard
AES – Advanced Encryption Standard
CAST – Carlisle Adams and Stafford Tavares
CRC-32 – Cyclic Redundancy Check
DES – Data Encryption Standard
DSA – Digital Signature Algorithm
IDEA – International Data Encryption Algorithm
MD5 – Message Digest algorithm number 5
RSA – Rivest-Shamir-Adleman
SCS – SSH Communications Security
SHA-1 – Secure Hash Algorithm
SSH-AUTH – SSH Authentication Protocol
SSH-CONN – SSH Connection Protocol
SSH-TRANS – SSH Transport Layer Protocol
SSH – Secure Shell
Section 1
Page 3 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
1.0 Introduction to Secure Shell (SSH)
Currently, millions of people around the world are using computers to interact
with other users. Unfortunately, many of those users are unaware of the security
behind the technology they use. Instead, many simply rely on the software and
hardware within their computer to provide the security without understanding
what level of security is being provided and where they may still be vulnerable.
There are many different free, as well as commercial, software applications on
the market today which provide a secure means to perform many common tasks
on remote machines. A popular protocol, used by many applications to ensure a
secure connection between two machines, is Secure Shell (SSH). After its
introduction, SSH became the preferred method to access other computers over
existing protocols such as telnet, rlogin, rsh, rdist, and rcp. SSH gained
popularity over these other protocols by providing security the security other
protocols lacked via authentication and encryption.
1.1 The History of Secure Shell
The story behind the development of Secure Shell started in 1995 when a school
network at Helsinki University in Finland was attacked with a password-sniffer. In
response to the incident, a researcher by the name of Tatu Ylönen developed the
protocol SSH-1, which is the first version of Secure Shell. During the same year,
SSH-1 gain rapid attention with an estimated 20,000 users in 50 countries
around the world. Due to its popularity, Ylönen created SSH Communications
Security Ltd. (SCS), a company in which he is the chairman and chief officer, to
manage the research and development of SSH (Barrett, 2002).
1.2 SSH-1 and SSH-2
Like many new protocols, after a year of usage, users found some problems and
limitations with SSH-1. SSH-1 was shown to be insecure after several flaws were
discovered with the protocol. These include SSH-1 being vulnerable to a man-inthe-middle-attack and using CRC-32 as an integrity check, which can allow
intruder to change the supposedly secure data and still pass the CRC-32 check.
In addition to security vulnerabilities, SSH-1 does not provide password change
or public-key certificate authentication. Due to SSH-1’s weak points, SCS
developed SSH-2. Unfortunately, in order to fix the problems with SSH-1, SSH-2
was unable to remain backwards compatibility with SSH-1. In 1998, the program
“SSH Secure Shell” based on the SSH-2 protocol was released. Later, other
SSH-2 implementations such as OpenSSH followed. Currently, the development
of SSH-1 is inactive while SSH-2 is actively being developed and researched
(Barrett, 2002). Since most projects regarding SSH-1 have stopped, this paper
will focus on SSH-2.
Section 1
Page 4 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
1.3 What does Secure Shell Protect Against?
While on the topic of security, one may wonder, what kind of attacks can intruder
perform on an insecure network and more importantly, how does SSH protect
users from falling victim to these attacks. An intruder can view any information
sent when transferring over an insecure network. This information includes
usernames, passwords, messages, IP address, files, and many more. By using
SSH, users are authenticated by the server when a connection is set-up and any
information sent over that connection is encrypted, preventing eavesdropping.
SSH prevents many attacks such as DNS spoofing, IP spoofing, IP source
routing, and manipulating and intercepting data over the connection.
SSH is able to provide users with such security by using modern encryption
algorithms. According to the FAQ document online (Acheson, 2001), SSH uses
RSA (SSH-1) or DSA (SSH-2) for authentication and then for data encryption, it
can use a variety of ciphers including 3DES, Blowfish, Twofish, Arcfour, or
Cast128-cbc (SSH-2). By using these cipher schemes, SSH is able to provide
the user with privacy, integrity, and authentication.
2.0 SSH Encryption Technique
As of today, there are two widely used key encryption algorithms. These keys
are secret-key and public-key. Secret-key algorithm use symmetric keys,
meaning that the same key is used to encrypt and decrypt the data. The second
type is public-key (also known as public/private keys), which uses asymmetric
keys. In general, the public/private key scheme uses a user’s public key, in
which everyone has access to, to encrypt the data. The private key is then used
to decrypt the data; assuming only the intended parties know the private key, it is
possible to send them encrypted data that only they can decrypt. Private-key
can also be used to perform an electronic signature. SSH uses both the secretkey and public-key schemes. The public-key scheme can be used to
authenticate users instead of the traditional password approach while the secretkey scheme is used to encrypt the messages sent during the SSH session.
Since secret-key schemes require all involved parties to know the secret key,
SSH uses a version of the Diffie-Hellman key exchange protocol at the beginning
of the session to determine the shared key; this process will be discussed further
(Barrett, 2002).
2.1 How does Secure Shell Work?
From a high level, SSH is simply a program executed on top of the TCP layer.
Once a user has installed a SSH client, the user contacts the server by entering
its host name and port number (defaulted to 22). After getting a response from
the server, the client and the server send each other the version of their SSH
protocol. This is needed to ensure that both SSH versions are compatible. If the
Section 1
Page 5 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
client has SSH-1 protocol and the server does not support SSH-1, the connection
is terminated due to the incompatibility and an error message will appear
informing the client of the reason. Once compatibility is determined, the server
and client use a packet protocol to send their messages. Next, the server sends
the client its host key, server key, check bytes, and a list of compression,
encryption, and authentication methods for the user to choose from. After
sending the client the data, the client and the server use a hash algorithm to
compute those data, which become the 128-bit session identifier. The 128-bit
session identifier contains the host key, server key, and check bytes.
Once the client has the server’s host key, the client uses it to look up the server
in its own database to determine if the client has contact with the server prior to
this connection. If so, the client will concede that the server is trustworthy, and if
not, the client can reject the connection, accept the connect and store the host
key or prompt the user for how to proceed.
Up to this point, no encryption has been used on the data. The next step is for
the client to send the server a secret key used to encrypt and decrypt data
passed between the two computers. This secret key must be encrypted. In order
to send the secret key to the server securely, the client must use the server’s
public key and server key to encrypt the secret key. The reason for encrypting
the secret key again with a server key is to prevent any chance of a key lying
around that can be used to read information from past or future connection
(Barrett, 2002). By default, the server key is changed every hour. In SSH-2
however, the Diffie-Hellman key exchange protocol is used to determine the key
instead. By using Diffie-Hellman algorithm, it omits the need for a server key and
still provides the same security. At this time the client sends the check bytes and
tells the server which algorithm it wants to use for encryption. Now that an
encryption algorithm is agreed by the client and the server, both can send data
using the session, also known as the secret, key to encrypt and decrypt.
Once a secure connection is established, the client needs to authenticate itself to
the server by going through a public-key or password authentication. The
password authentication requires that the user enter the correct username and
password. During a public-key authentication, the client needs to prove to the
server that it has the private key matching the servers public-key for the desired
user name. Usually the server will send the client a random 256-bit string that is
encrypted with the user’s public-key and the client needs to decrypt it with the
correct private key. After decrypting the random generated string, the client adds
the session identifier to the string, hashes it, and then sends it to the server. The
server will compute the hash and if it matches, the authentication process is
complete (Barrett, 2002).
In summary, when running SSH, the user first connects to a server and shared
key is determined. Usually this shared secret key is created using the DiffieHellman key exchange algorithm. After a key is determined, SSH begins to use
Section 1
Page 6 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
its encryption scheme, usually the Blowfish cipher, to encrypt the information
being sent from user to server and from server to user. Once the server verifies
the user based on username and password or public-key, the server can open an
encrypted connection with the user (SSH Protocol Overview, 2005).
3.0 SSH-2 Architecture
Figure 1: SSH-2 Architecture (Barrett, 2002)
Due to security issues and limitations of SSH-1, the SSH Communications
Security developed SSH-2. One of the main differences between SSH-1 and
Section 1
Page 7 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
SSH-2 are their architectures. SSH-1 is composed of only one layer that
contains all the functions within a single protocol whereas SSH-2 is divided into
three protocols: the transport, authentication, and connection protocol. When
trying to establish a connection, the SSH transport protocol does server
authentication, algorithm negotiation, and key exchange. Once the SSH-TRANS
protocol has been completed, a full-duplex session is established and SSH
Authentication (SSH-AUTH) and Connection protocol (SSH-CONN) begin. SSHAUTH protocol allows for client authentication, which includes public-key, hostbased, password, and password change options. SSH-2 uses the DSA algorithm
for public-key authentication by default. The SSH-CONN protocol’s job is to
allow for flow control, terminal handling, forwarding, data compression, and many
others. Figure 1 shows the overview interactions between the three protocols
(Barrett, 2002). There are many advantages for layering the protocols. One of
those advantages is to decrease the processing overhead, since once a
connection has been established, any application on the client computer wishing
to communicate with the server does not need to go through the SSH-TRANS
protocol (Loshin, 2001).
4.0 Possible Attacks on SSH
Like other secure programs, there are still attacks that can be performed against
which Secure Shell has no protection. Let us consider a few attacks. The first is
users’ carelessness. Secure Shell uses password or a passphrase as a method
of authentication. A password itself, although an inexpensive and easy way to
gain access is not secure because passwords can be easily guessed if not
chosen carefully. Furthermore, users may be careless with storing their
passwords such as writing it on a post-it. In order to authenticate using a
public/private key pair, the intruder would need the private key file. This file is
generally stored in the users home directory and while it is possible to encrypt it,
often times it is stored in plain text. This would allow an attacker who
compromised one machine to possibly access many, many others. Another
attack that SSH does not protect against is the denial-of-service-attack. Anytime
that SSH detects a possible intrusion while the program is sending encrypted
data from and to a remote computer, it will terminate the connection. This
causes the client to lose his/her connection and therefore, the client is denied
from using the server. Lastly, SSH does not protect against traffic-analysis
attack. This attack monitors the traffic being sent between client and server. It
can use this analysis to determine the time the heaviest traffic occurs (for a
denial-of-service-attack), the amount of information being sent, etc (Barrett,
2002).
Besides the attacks mentioned above, there is a research topic done on a timing
attacks on SSH by monitoring keystrokes. In the article, “Timing Analysis of
Keystrokes and Timing Attacks on SSH”, the authors claimed that SSH has two
weaknesses. One is if a block cipher is used SSH only uses 8 bytes to pad each
Section 1
Page 8 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
packet. This allows the intruder to estimate the length of the original message.
Second, SSH sends each keystroke in a single packet right after it is entered,
which can cause the intruder to determine the time between each key being
pressed and the password length. For example, typing the keys “er” is less time
consuming than typing “qz”. To support their research, the authors mentioned
research conduced that use the user’s unique keystroke timing to authenticate
the user (Song, 2001).
Although the authors of “Timing Analysis of Keystrokes and Timing Attacks on
SSH” claims seem plausible, the SSH Communications Security counters that
claim in their article, "Timing Analysis is Not a Real-Life Threat to SSH Secure
Shell Users". In summary, the SCS stated that it is not practical because SSH
does not rely solely on password for authentication. To further investigate on this
matter, the authors of “Analysis of the Feasibility of Keystroke Timing Attacks
over SSH Connections” preformed a practical experiment and concluded that
keystroke timing attacks on SSH is very difficult to achieve in the real world
(Hogye, 2001).
5.0 Conclusion – Future Development
From the overall research done on Secure Shell, Secure Shell has shown to be a
much better program and more secure than what was on the market. Secure
Shell has used modern encryption schemes and algorithm as its base for
security. The encryption schemes such as Diffie-Hellman key exchange, 3DES,
and DSA are still shown to be secure as of today. Furthermore, there are
organizations that research the development of Secure Shell and are always
looking for ways to improve SSH. As of today there are not many successful
attacks published regarding to Secure Shell.
Although many people consider that SSH-2 to be a complete protocol, the
program, SSH still has room for improvement and add-ons. As more secure
encryption algorithms are being develop, SSH is there to adopt them. Even
though SSH has gain many attentions, it is mostly used on Linux and UNIX
systems. If Microsoft incorporates SSH within its operating systems, SSH will
receive the exposure it deserves (Loshin, 2001).
Section 1
Page 9 of 10
March 24, 2005
Secure Shell
Tam Ngo
Steve Licking
References:
Acheson, S. The Secure Shell Frequently Asked Questions. March, 2001
<http://www.employees.org/~satch/ssh/faq/ssh-faq.html>
Barrett, J. D. and Silverman, R. SSH: The Secure Shell The Definitive Guide
O'Reilly & Associates, 2002
<http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh/ch
01_05.htm>
Boran, S. All About SSH - Part I/II. July, 2004
<http://www.boran.com/security/sp/ssh-part1.html>
Hogye, M., Hughes, C., Sarfaty, J., & Wolf, J. Analysis of the Feasibility of
Keystroke Timing Attacks Over SSH Connections. 2001
<http://www.cs.virginia.edu/~evans/cs588fall2001/projects/reports/team4.pdf>
Loshin, P. Protocols. Information Security Magazine. 2001
<http://infosecuritymag.techtarget.com/articles/june01/features_protocols.s
html>
SSH Protocol Overview
<http://www.freesoft.org/CIE/Topics/139.htm> (Retrieved 3/23/2005)
Song, D. X., Tian, X., & Wagner, D. Timing Analysis of Keystrokes and
Timing Attacks on SSH. 2001
<http://www.cs.jhu.edu/~rubin/courses/fall03/papers/timing.ssh.pdf>
Timing analysis is not a real-life threat to SSH Secure Shell users. 2001
< http://www.ssh.com/company/newsroom/article/204/>
What is SSH? <http://www.webopedia.com/TERM/S/SSH.html> (Retrieved
3/23/2005)
Section 1
Page 10 of 10
March 24, 2005
Download