SSH and The Power of Public Key Cryptography

Basics of Secure Shell (SSH)

SSH is essentially a network protocol that leverages cryptography. As you might know, it replaced older technologies like Telnet, Rlogin and RSH for connecting to a remote machine over a network, where breaches are common these days. The older protocols worked fine initially because people then only needed to connect to devices within their own LANs or WANs. But with the advent of the Internet, any network that the data travelled over could sniff the packets and see the data being transmitted. In 1995, Tatu Ylonen from Finland (where Linux also originated) developed the SSH protocol to encrypt the data being transmitted. With SSH, you can see that data is being transmitted, you can see how much data is being transmitted and how frequently, but you cannot know what the data actually is, since it is encrypted.

When you SSH into a machine (you can do this except for a Windows machine or a mainframe), a TCP connection is established between your device and the remote device (note that SSH can also run over other reliable transports such as RS-232, WebSocket, etc.). SSH breaks the data down into a series of packets. Each packet has a basic structure as shown below.

Basic structure of SSH packet.

We may choose to compress the payload using a compression algorithm like zlib, and then the whole packet is encrypted (excluding the length, because we need to know how much data is being transmitted over a network segment in compliance with the MTU for that network). The algorithms used for encryption and for the message authentication code are established by the server and client at the beginning.
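The packet layout described above, as an added example that is not part of the original article: it builds and parses one cleartext packet using the framing from RFC 4253 section 6 (length, padding length, payload, random padding), which is what travels before encryption and a MAC are negotiated. The function names and the sample payload are constructed for illustration, and the per-packet zlib call simplifies SSH's real streaming compression.

```python
import os
import struct
import zlib

BLOCK = 8         # alignment when no cipher is active (RFC 4253, section 6)
MAX_LEN = 35000   # sanity bound on packet size before trusting the length field

def build_packet(payload: bytes, compress: bool = False) -> bytes:
    """Frame a payload: uint32 length | byte pad_len | payload | random padding."""
    if compress:
        # Simplification: real SSH keeps one zlib stream per direction.
        payload = zlib.compress(payload)
    # length field (4) + pad_len byte (1) + payload + padding must align to BLOCK
    pad = BLOCK - ((5 + len(payload)) % BLOCK)
    if pad < 4:                      # at least 4 bytes of padding are required
        pad += BLOCK
    packet_length = 1 + len(payload) + pad   # excludes the length field itself
    return struct.pack(">IB", packet_length, pad) + payload + os.urandom(pad)

def parse_packet(data: bytes, compressed: bool = False) -> bytes:
    """Validate the framing of one packet and return its payload."""
    if len(data) < 5:
        raise ValueError("truncated header")
    packet_length, pad = struct.unpack(">IB", data[:5])
    if packet_length > MAX_LEN:
        raise ValueError("declared length exceeds limit")
    if len(data) != 4 + packet_length:
        raise ValueError("declared length does not match received bytes")
    if (4 + packet_length) % BLOCK:
        raise ValueError("packet is not block aligned")
    if pad < 4 or pad > packet_length - 1:
        raise ValueError("invalid padding length")
    payload = data[5:5 + packet_length - pad - 1]
    return zlib.decompress(payload) if compressed else payload

if __name__ == "__main__":
    sample = b"\x14" + b"constructed sample payload"   # constructed, not a capture
    pkt = build_packet(sample)
    print(len(pkt), pkt[4], parse_packet(pkt) == sample)
```

Checking the declared length against a limit and against the bytes actually received, before allocating or decrypting anything, is the part of this parser that matters most on a hostile network.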

So first, a TCP connection is established. Second, the packets are encrypted, and then a channel is created on top of the TCP connection, which lets you multiplex multiple connections over it. This establishes a shell connection through which we can communicate and control things. We can have multiple channels between the same machines, or different types of connections, for example. SSH also allows you to forward any sort of TCP connection over the secure channel so formed, so that you can connect to a remote server via the SSH tunnel.

Now, is that all SSH can do? Not really. SSH is capable of shell access, file transfers, executing remote commands, port forwarding and tunneling, creating VPNs, forwarding X displays (Linux environments) such as our GUI, encrypted proxy browsing via the SOCKS protocol (Socket Secure), mounting remote directories and so on. Additionally, on Linux systems, admins use SCP over SSH for copying files securely while also zipping them up. There have primarily been two versions of SSH, and the differences between them are listed below.

  • Version 2 has separate transport, authentication and connection protocols whereas version 1 is a single monolithic protocol.
  • Version 2 offers a strong cryptographic integrity check whereas version 1 has a weak CRC-32 integrity check.
  • Version 2 offers any number of session channels per connection whereas version 1 provides exactly one session channel per connection.
  • In version 2, encryption, MAC (Message Authentication Code) and compression are negotiated separately for each direction with independent keys, whereas in SSH version 1 the same ciphers and keys are used in both directions.
  • User authentication methods in SSH 2 are public key (DSA, RSA, OpenPGP), host-based and password, with rhosts dropped due to insecurity, whereas SSH 1 supports a wider variety: public key (RSA only), RhostsRSA, password, Rhosts (RSH style), TIS and Kerberos.
  • Periodic replacement of session keys happens in SSH 2 but not in SSH 1.

Particularly on Linux-based systems, if we make an SSH connection with verbose mode on (-v), we can actually see the connection being set up. The output first shows whether the remote device supports the SSH version, then the method used for encryption, and so on. After successful authentication, a new channel is created and the environment variables are set up, which is done by sending packets of data wrapped inside SSH packets. Once that's done, we can communicate with the remote machine.

Cryptography

Cryptography is simply the process of converting plain text into cipher text, which is generated by running an encryption algorithm (cipher) on the plain text. The algorithm uses a 'key' for the encryption, which is required, in some form or other, to decrypt the cipher text at the receiver. A key is a piece of information that determines the functional output of a cryptographic algorithm. Further, a password cannot be used as a key since it is human readable. To compensate for this, a good crypto system will use the password not to perform the primary encryption task but rather as an input to a Key Derivation Function (KDF). The KDF takes the password and generates a secure encryption key. Simply put, a key is a string of characters used within an encryption algorithm. Cryptography is implemented as Asymmetric Key Cryptography (or Public Key Cryptography) these days. Here we use two keys, public and private, for each device. If we encrypt the message with a device's public key, the message can be decrypted by the same device's private key. The public key is known to all other devices on the network but the private key is not. We require '2n' keys for 'n' devices. Public key cryptography can be pictorially represented as follows.

Public key cryptography.

Additionally, if the sender encrypts the message with its own private key along with the receiver's public key, it will be clear to the receiver that the message is surely from that particular sender, since the receiver then needs to use the sender's public key along with its own private key to decrypt the message.

Understanding SSH Keys

Understanding SSH key-pairs.

To explain how SSH keys work, let's take the example of an admin trying to connect to a server via SSH. The server generates its own public and private keys so that it can be uniquely identified on the network. When the admin connects to the server, the server passes its public key to the admin, who is asked whether the public key received is the right one for connecting to the server. If the admin agrees, the key is stored on the admin's device so that he/she can always trust that this is the server. Hence the public key of the server enables the admin to uniquely identify the server thereafter. In addition to this, administrators may need to authenticate to a number of devices, and it is not ideal to record a username and password for all of them. So what they may do is generate their own key pair and place their public key in their respective accounts on the servers, which allows them to authenticate without entering a password, using their private key instead, and the servers accept it. Admins can use this method for all the servers by storing their public key on all the servers.
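The first-connection check described above, as an added example that is not part of the original article: it fingerprints a server's public key the way OpenSSH displays it (SHA-256 of the key blob, base64 without padding), stores it once the admin accepts it, and flags any later key that differs. The host name, the key bytes and the `check_host` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint of a public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host(known: dict, host: str, key_blob: bytes, confirm) -> str:
    """Trust on first use: store an accepted key, compare on every later connect."""
    fp = fingerprint(key_blob)
    if host not in known:
        # First contact: the admin decides whether this key is the right one.
        if not confirm(host, fp):
            return "rejected"
        known[host] = fp
        return "trusted-new"
    # Later contacts: the stored key is the server's identity.
    if hmac.compare_digest(known[host], fp):
        return "match"
    return "mismatch"   # key changed: reinstall, or someone in the middle

# Constructed key blobs (algorithm name + 32 key bytes), not real host keys.
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))

if __name__ == "__main__":
    store = {}
    accept = lambda host, fp: True   # stands in for the admin answering "yes"
    print(check_host(store, "server.example", KEY_A, accept))
    print(check_host(store, "server.example", KEY_A, accept))
    print(check_host(store, "server.example", KEY_B, accept))
```

The confirmation on first contact is only as good as the admin's comparison of the fingerprint against one obtained out of band; accepting it blindly gives no protection on that first connection.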

Specifically, Cisco routers and switches use the RSA (Rivest-Shamir-Adleman) algorithm to generate their asymmetric crypto key-pairs. The RSA algorithm can be simply explained as follows:

  1. Choose two different large random prime numbers 'p' and 'q'.
  2. Calculate n = p*q.
  3. Calculate F(n) = (p-1)*(q-1) (Euler's totient function).
  4. Choose 'e' such that 1 < e < F(n) where 'e' is co-prime to F(n).
  5. Calculate 'd' such that d*e=1 mod F(n).
  6. Public key is 'e' and private key is 'd'.
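The six steps above carried through with small numbers, as an added example that is not part of the original article. The primes 61 and 53, the exponent 17 and the message 65 are values chosen here so the arithmetic can be followed by hand; real keys use primes of a thousand bits or more together with a padding scheme. The modulus n is carried alongside both exponents because both sides need it.

```python
from math import gcd

def is_prime(x: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True

def keygen(p: int, q: int, e: int = 17):
    """Steps 1-6: return ((n, e), (n, d)) for two different primes p and q."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be two different primes")
    n = p * q                        # step 2
    phi = (p - 1) * (q - 1)          # step 3: F(n)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < F(n) and be co-prime to F(n)")
    d = pow(e, -1, phi)              # step 5: d*e = 1 mod F(n)
    return (n, e), (n, d)            # step 6, with n attached to each exponent

def encrypt(m: int, public) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)

def decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)

def sign(m: int, private) -> int:
    """Textbook signature: apply the private exponent to the message."""
    n, d = private
    return pow(m, d, n)

def verify(sig: int, m: int, public) -> bool:
    n, e = public
    return pow(sig, e, n) == m

if __name__ == "__main__":
    public, private = keygen(61, 53)
    c = encrypt(65, public)
    print(public, private, c, decrypt(c, private))
    print(verify(sign(65, private), 65, public))
```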

Below is an example of generating RSA crypto key-pairs on a Cisco ISR router.

RSA key-pair on a Cisco router.

Courtesy of Google images.

So in this article, I have tried to explain the cryptography involved in SSH key-pairs and the algorithm behind it. SSH is so powerful that it has transformed the way we communicate over the Internet with our private servers, where security is of utmost importance. This is it for this article; stay tuned for more articles on Electronics and Networking. Have fun!
