CIS 551/TCOM 401
March 2, 2006
- Secure Shell (SSH)
- Passwords are sent in plaintext in telnet, ftp, etc.
- Developed as a replacement for those insecure tools.
- Uses a key to authenticate a remote server. Such public key needs to be
passed to the client beforehand.
- Compatible with Kerberos.
- In order to support different versions of SSH clients and servers, the
protocol and encryption methods to be used in a particular session need to
be negotiated every time.
- SSH Protocol
- Checks if client and server are compatible based on their version numbers.
- Sends a list of preferred algorithms each other (e.g. Diffee-Hellman :
192bits : DES)
- If client and server are the same version and developed by the same
author, then most likely they will send the same list of algorithms each
Note: DSA stands for Digital Signature Algorithm and is used only for
- SSH Protection
- Uses hash to protect from modification of data.
- To protect from spoofed connections to an X11 server, SSH tunneling
provides a way for a user to forward the X11 connection to the SSH encrypted
channel, although the X11 server itself may not explicitly support the SSH
- SSH1 vs. SSH2
- SSH2 is a newer version.
- SSH2 can be compatible with SSH1, but not vice versa.
- Human Authentication
- People use passwords, ID cards, and biometrics for authentication.
- Authenticating Humans
- Cannot forget passwords.
- Passwords, licenses, Penn Cards may be stolen.
- Shapes are very easy to be recognized by humans, but very hard
- Helps prevent automated attacks.
- Better not to reuse passwords for different services (if one is down,
everything else is down).
- In reality, very hard to keep track of all the passwords if one must
choose them all differently.
- Then if they wrote them down, that would be more insecure.
- Slowing down the time to prompt for login after failing to provide the
correct user name/password does not have much impact on a legitimate user
who remembers them correctly, but can slow down a malicious user from
- Hash-based 1-time
- Given a secret w, can decide how many times one wants to authenticate
ahead of time.