Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cs490ns-cotter1 SSH / SSL Supplementary material.

Published byVerity Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "Cs490ns-cotter1 SSH / SSL Supplementary material."— Presentation transcript:

1 cs490ns-cotter1 SSH / SSL Supplementary material

2 cs490ns-cotter2 Secure Shell (SSH) One of the primary goals of the ARPANET was remote access Several different connections allowed –rlogin –rcp –rsh All data was unencrypted –This was a different world than exists today.

3 cs490ns-cotter3 SSH SSH is a UNIX-based command interface and protocol for securely accessing a remote computer Suite of four utilities—slogin, ssh, sftp, and scp Can protect against: –IP spoofing –DNS spoofing –Intercepting information

4 cs490ns-cotter4 SSH Objectives Protect data sent over the network –Negotiate an encryption algorithm between sender and receiver –Use that algorithm and a session key to encrypt / decrypt data sent Provide site authentication –Use public key / fingerprint to ensure identity of remote host. –Relies on locally generated keys, so no certifying authority is generally available.

5 cs490ns-cotter5 SSH Graphical Client

6 cs490ns-cotter6 SSH Command Line Client (Linux)

7 cs490ns-cotter7 SSH Communications Using password SSH Client SSH Server SSH2? SSH2 Diffie-Helman, etc? Diffie-Helman Serv_Pub_key(S_key) OK S_key(Uname,pwd) OK S_key(data) Send Serv_Pub_Key

8 cs490ns-cotter8 SSH Wire Shark Trace

9 SSH Communications Using Public Key Problems with Password Authentication –Passwords can be guessed. –Default allows multiple attempts against account –Only 1 account / password needs to be guessed –Alternate approach is to use public / private keys to authenticate user Public Key Authentication –Create public / private keypair –Ensure that private –Upload public key to server user account: ~.ssh/authorized_keys –ssh –o PreferredAuthentications=publickey server.example.org

10 SSH Communications Using Public Key cs490ns-cotter SSH Client SSH Server SSH2? SSH2 Diffie-Helman, etc? Diffie-Helman Serv_Pub_key(S_key) OK S_key(Uname) OK S_key(data) Send Serv_Pub_Key Client_Pub_key(Random) Client_Pri_key(msg) Hash(Random)

11 cs490ns-cotter11 sFTP in Linux

12 cs490ns-cotter12 SFTP

13 cs490ns-cotter13 SFTP

14 cs490ns-cotter14 SSH Tunneling Use SSH to create an encrypted channel between remote host and server Use that encrypted channel to carry other traffic. SSH Tunnel www access Web Server 192.168.1.10 Local port 12345 Internet LAN

15 SSH Tunneling ssh –L 12345:192.168.1.10:80 –l root homenet.net

16 cs490ns-cotter16 SSH Tunneling

17 cs490ns-cotter17 Secure Copy (scp) Allows encrypted transfer of files between machines Download files from server: –scp user@server.net:myfile1.txt myfile1.txt –user@server.net’s password: xxxxx Upload files to server –Scp myfile.txt user@server.net:myfile.txt –user@server.net’s password: xxxxx

18 cs490ns-cotter18 SSH Passwordless Login On remote client: –Create key pair. Store in.ssh subdirectory On ssh server: –Modify sshd_config to allow shosts based authentication –Create.shosts file in user’s subdirectory –Copy public key from remote client to.ssh subdirectory/authorized_keys

19 cs490ns-cotter19 SSH Passwordless Login SSH Client SSH Server SSH2? SSH2 Diffie-Helman, etc? Diffie-Helman Serv_Pub_key(S_key) OK S_key(Uname) OK S_key(data) Send Serv_Pub_Key Client_Pub_key(Random) Client_Pri_key(msg) Hash(Random)

20 cs490ns-cotter20 SecureSockets Layer (SSL) Transport Layer Security (TLS) Originally developed by Netscape to support encrypted access to web servers. SSL v3 released 1996. Served as the basis for IETF standard TLS (1999) Used by major financial institutions for secure commerce over the Internet Early problem with weak keys resolved with longer (128-bit) keys

21 cs490ns-cotter21 SSL / TLS Application (www) SSL / TLS TCP IP

22 cs490ns-cotter22 SSL/TLS Handshake SSL Client SSL Server Client hello Ciphers I have Server Hello Cipher I choose Server certificate (S_Pub) OK S_Pub(Session_key) Session_key(data)

23 cs490ns-cotter23 SSL/TLS Security Depends on integrity of public key certificate Public Key Infrastructure (PKI) –Components necessary to securely distribute public keys –Certificate Authorities: Organizations that certify the relationship between a public key and its owner. –Verisign,Thawte

24 cs490ns-cotter24 SSL/TLS Implementations SSL v2 – Still in use SSL v3 – Most widely deployed TLS v1 – Starting Deployment OpenSSL – Linux/UNIX toolkit that supports all 3 protocols listed above. Private Communication Technology (PCT) –Developed by Microsoft –Compatible with SSL v2 Versions are not completely compatible

25 SSL/TLS Vulnerability SSL/TLS supports the concept of session renegotiation due to errors, requests, etc. This feature assumes that the renegotiation is with the original party, and any requests or messages transmitted before the renegotiation are combined (pre-pended) with the requests after renegotiation This behavior can be abused to allow man-in-the-middle attacks Demonstrated with https, but the vulnerability exists with any application that uses SSL/TLS

26 SSL/TLS Vulnerability Client MITMServer TLS handshake session #1 TLS handshake session #2 GET /ebanking/paymemoney.cgi? Acc=LU00000000?amount=1000 Ignore-what-comes-now; Trigger renegotiation TLS handshake session #1 continued within the encrypted session #2 Client has authenticated session At app layer (with cookie) GET /ebanking/ Cookie: AS2398648756083745 X Server receives: GET /ebanking/paymemoney.cgi? Acc=LU00000000?amount=1000 Ignore-what-comes-now; GET /ebanking/ Cookie: AS2398648756083745

27 cs490ns-cotter27 References SSH –SSH Tutorial (http://www.suso.org/docs/shell/ssh.sdf)SSH Tutorial –www.openssh.orgwww.openssh.org –UNIX Secure Shell – Carasik – McGraw-Hill, 1999 –SSH Agent Forwarding (unixwiz.net/techtips/ssh-agent-forwarding.html)unixwiz.net/techtips/ssh-agent-forwarding.html SSL –www.openSSL.orgwww.openSSL.org –RFCs – 2246, 3546 –SSL Authentication Gap (SSL Gap) (http://www.phonefactor.com/sslgap )http://www.phonefactor.com/sslgap –TLS/SSL renegotiation vulnerability explained (http://www.g-sec.lu/practicaltls.pdf )http://www.g-sec.lu/practicaltls.pdf

28 SSH RFCs 4250 The Secure Shell (SSH) Protocol Assigned Numbers. –S. Lehtinen, C. Lonvick, Ed.. January 2006. (Format: TXT=44010 bytes) –(Status: PROPOSED STANDARD) 4251 The Secure Shell (SSH) Protocol Architecture. –T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=71750 bytes) –(Status: PROPOSED STANDARD) 4252 The Secure Shell (SSH) Authentication Protocol. – T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=34268 bytes) –(Status: PROPOSED STANDARD) 4253 The Secure Shell (SSH) Transport Layer Protocol. – T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=68263 bytes) –(Status: PROPOSED STANDARD) 4254 The Secure Shell (SSH) Connection Protocol. – T. Ylonen, C. Lonvick, Ed.. January 2006. (Format: TXT=50338 bytes) – (Status: PROPOSED STANDARD) 4255 Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints. – J. Schlyter, W. Griffin. January 2006. (Format: TXT=18399 bytes) –(Status: PROPOSED STANDARD) 4256 Generic Message Exchange Authentication for the Secure Shell Protocol (SSH). –F. Cusack, M. Forssen. January 2006. (Format: TXT=24728 bytes) –(Status: PROPOSED STANDARD) 4344 The Secure Shell (SSH) Transport Layer Encryption Modes. –M. Bellare, T. Kohno, C. Namprempre. January 2006. (Format: TXT=27521 bytes) –(Status: PROPOSED STANDARD) 4419 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol. – M. Friedl, N. Provos, W. Simpson. March 2006. (Format: TXT=18356 bytes) –(Status: PROPOSED STANDARD) 4716 The Secure Shell (SSH) Public Key File Format –. J. Galbraith, R. Thayer. November 2006. (Format: TXT=18395 bytes) – (Status: INFORMATIONAL) 4819 Secure Shell Public Key Subsystem. –J. Galbraith, J. Van Dyke, J. Bright. March 2007. (Format: TXT=32794 bytes) –(Status: PROPOSED STANDARD)

29 cs490ns-cotter29 Summary SSH –Supports secure remote access to hosts –SSH – secure shell –SCP – secure copy –SFTP – secure file transfer SSL –Provides a framework for incorporating secure communications into applications –Uses strong cryptography –Can rely on PKI for reliable sharing of public keys

Download ppt "Cs490ns-cotter1 SSH / SSL Supplementary material."

Similar presentations

Network Security.

Network Security.
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Cryptography and Network Security

Cryptography and Network Security
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
© 2004, The Technology Firm WWW.THETECHFIRM.COM SSL Packet Decodes From Wikipedia, the free encyclopedia.  Secure Sockets Layer (SSL) is a cryptographic.

© 2004, The Technology Firm SSL Packet Decodes From Wikipedia, the free encyclopedia.  Secure Sockets Layer (SSL) is a cryptographic.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Chapter 8 Web Security.

Chapter 8 Web Security.
SSH Secure Login Connections over the Internet

SSH Secure Login Connections over the Internet

Similar presentations

Ads by Google