SSH and SSL
CIT304, University of Sunderland
Harry R. Erwin, PhD

Resources
–Daniel J. Barrett and Richard E. Silverman, 2001, SSH, the Secure Shell, O’Reilly, ISBN:
–Eric Rescorla, 2001, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, ISBN:
The Problem
IPv4 is insecure. Most TCP/IP services are unencrypted. This allows anyone to monitor and reconstruct connection traffic on the internet. The following needs can be identified:
–Encrypted connections between parties known to each other.
–Third-party authentication and encrypted connection establishment when parties are not known to each other.

Solutions
–SSH to support encrypted sessions.
–SSL to provide trusted third-party authentication and to support encrypted sessions.
SSH
“Secure shell”
–Transparent encryption.
–Modern, secure encryption algorithms.
–Reliable, fast, and effective.
–Client/server interaction.
–Eliminates .rhosts and hosts.equiv.

Services Provided
Replaces:
–rsh and telnet with ssh
–rlogin with slogin
–rcp with scp
–ftp with sftp
Protocols
–ssh-1
–ssh-2
SSH1 Authentication Mechanisms
1. Kerberos
2. Rhosts (trusted host authentication, insecure)
3. RhostsRSA (trusted host authentication, insecure)
4. Public-key (RSA)
5. TIS
6. Password (various flavors, relatively insecure)

SSH2 Authentication Mechanisms
1. Public-key (DSA, RSA, OpenPGP)
2. Hostbased
3. Password

Ciphers
SSH1
–3DES, IDEA, ARCFOUR (alleged RC4), DES
SSH2
–3DES, Blowfish, Twofish, CAST-128, IDEA, ARCFOUR
Port Forwarding
SSH can forward or tunnel ports, allowing you to run insecure services securely.
ssh -L 3002:localhost:119 news.yoyo.com
Here the ssh client listens on local port 3002; anything sent to it travels inside the encrypted session to news.yoyo.com, where the ssh server connects it to port 119 (the news service) on that host. A news reader is then pointed at localhost:3002 instead of the remote server directly.
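The following Python program is an added example, not from the slides, that models the shape of `ssh -L local:host:port`: a listener on the local machine that relays each connection to a chosen host and port. The "insecure service" on the far end is a constructed stand-in for the news server on port 119 (it simply upper-cases what it receives), and both ends run on the loopback interface so the example is self-contained. The one thing the model deliberately leaves out is the encryption: a real ssh tunnel carries the client-to-server hop inside the SSH session, which is exactly why the slide calls this running insecure services securely.

```python
import socket
import threading

# Constructed stand-in for an insecure plaintext service (the "port 119"
# side of the slide's example). It replies with the request upper-cased.
def start_upper_server():
    """Accept connections forever; return the port the server bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(remote_host, remote_port, local_port=0):
    """Listen on 127.0.0.1:local_port and relay every accepted connection
    to (remote_host, remote_port). This is the role the ssh client plays
    for the -L option; unlike ssh, this relay sends the bytes in the clear.
    Returns the local port that was bound."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            # In ssh the server end makes this connection; here we do it locally.
            remote = socket.create_connection((remote_host, remote_port))
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def tunnel_round_trip(payload):
    """Send payload through forwarder -> service and return the service's reply."""
    service_port = start_upper_server()
    local_port = start_forwarder("127.0.0.1", service_port)
    with socket.create_connection(("127.0.0.1", local_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # tell the far end we are done sending
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    print(tunnel_round_trip(b"hello through the tunnel"))
```

The application talks only to 127.0.0.1:local_port, just as a news reader would be pointed at localhost:3002 in the slide's command; where the bytes go after that is the forwarder's business, which is what makes the technique transparent to the insecure client and server.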
A Simple Example
ssh -l harry harry.sunderland.ac.uk
This allows me to log into
Another way of doing the same thing is ssh

Using scp
scp
This transfers myfile from my home directory on harry.sunderland.ac.uk to afile locally. You can also use sftp similarly to ftp.

Threats Countered
–Eavesdropping
–DNS and IP Spoofing
–Connection Hijacking
–Man-in-the-Middle Attacks
–Insertion Attack
SSL
Secure Sockets Layer
–An authentication and encryption technique that provides security services to TCP by a socket-style API.
–Relies on certificates issued by a trusted third party.
–Invented by Netscape.
–Is slowly being replaced by TLS (Transport Layer Security).

Services Provided
Secure http, pop, imap, smtp, ftp, rmi, corba, iiop, telnet, ldap

SSL Functions
–Confidential transmission
–Message integrity
–Endpoint authentication

How It Works
–An understanding of how SSL works is necessary to use it safely.
–Uses public key (asymmetric) cryptography.
–Trusted third parties (Certificate Authorities) provide the certificates that contain the public keys.
–Supports many encryption algorithms.
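The slide's point that SSL must be understood to be used safely comes down, on the client side, to endpoint authentication: the peer's certificate has to chain to a trusted Certificate Authority and name the host you meant to reach, otherwise the confidential channel may have been built to an impostor. The Python program below is an added example (not from the slides; it uses the standard library `ssl` module, and the `cafile` parameter and `connect` helper are this example's own) that builds a client context the safe way and, for contrast, the "accept any certificate" way, with a small check that tells the two apart.

```python
import socket
import ssl


def client_context(verify=True, cafile=None):
    """Build a client-side TLS context.

    verify=True  : the server must present a certificate that chains to a
                   trusted CA (cafile, or the system store) and whose name
                   matches the host given to wrap_socket.  This is the
                   endpoint-authentication service the slides list.
    verify=False : the weak setting, shown only for contrast.  The channel
                   is still encrypted, but to whoever answered, so an
                   active attacker in the path can sit in the middle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    if verify:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if cafile:
            ctx.load_verify_locations(cafile=cafile)  # private/internal CA
        else:
            ctx.load_default_certs()  # the platform's trusted CA store
    else:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_endpoint(ctx):
    """True only if the context will reject an unverifiable or misnamed peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def minimum_version_name(ctx):
    """Name of the oldest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def connect(host, port=443, verify=True, cafile=None):
    """Open a TLS connection (needs network) and report the negotiated
    protocol version and the peer certificate's subject.  With verify=False
    the ssl module returns an empty certificate dict: the client never
    checked who it was talking to."""
    ctx = client_context(verify, cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), cert.get("subject", ())


if __name__ == "__main__":
    for flag in (True, False):
        ctx = client_context(verify=flag)
        print("verify=%s -> authenticates endpoint: %s, minimum: %s"
              % (flag, authenticates_endpoint(ctx), minimum_version_name(ctx)))
```

A useful habit when reviewing client code is to grep for `CERT_NONE` and `check_hostname = False`: either one means the connection is confidential only against a passive eavesdropper, not against the man-in-the-middle the earlier SSH slide lists among the threats countered.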
SSL-Enabled UNIX Clients
curl, ethereal, ettercap, lynx, stunnel, gabber, links, mutt, xchat, bitchx, lftp, neon, openldap, openslp, pine, various database managers.