9 - Cryptography Basics - SSH Protocol Explained

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
welcome to ssh protocol lesson as you may know ssh is a secure replacement for telnet since any data that is uh transmitted to telnet protocol including user credential is in a clear text format telnet is not secure that's why we use ssh so ssh encrypts everything and sends it from client to server and that's the reason that ssh is more secure and they should be used when a client communicates with the server or remote logins to a server ssh comprises three protocols that run on top of tcp protocol first we have transport layer protocol that provides server authentication and data confidentiality second is user authentication protocol that authenticates user and third is connection protocol that multiplexes multiple logical communication channels over a single ssh connection in other words there isn't only one logical connection between a client and server that everything goes through that logical connection instead there are multiple channels created for example one channel is for session another one is for port forwarding and so on let's go through these steps involved in establishing an ssh connection between client to server to find out how things work i've also run putty and ssh from my computer to one of my linux machine and capture the exchange packets using wireshark so that as we go through these steps i'm going to show you those packets to see the content of each packet now as i mentioned in earlier slide ssh runs on top of tcp protocol and the request starts from client requesting to communicate with server so here are the tcp handshake that we have seen synag and ag packets that are exchanged between the client and server to establish that tcp connection as soon as the connection is established the first step of ssh is called identification string exchange so here client constructs a packet in this format ssh protocol version and software version and send that to the server then the server responds back with its own identification string message now if you look at our captured packets in wireshark here you can see the ssh protocol that i mentioned the source is my machine 10.40.40.50 and my linux machine is on 64.120.50.10. so if we go down here and open this ssh protocol here you can see that identification string exchange we have ssh dash 2.0 which is the protocol version the software that is used is putty and that's release 0.73 so that's the identification string that was sent from client and if you look at the one that was sent from server is uh it's in the same format we have ssh and then the protocol version which in this case is 2.0 again and then the software and version and the software on the server is open ssh version 7.4 7.1 now next step is algorithm negotiation that means both client and server will negotiate to come up with key exchange encryption message authentication code and compression algorithms the client sends a key exchange initialization message where it tells the server about its supported algorithms the algorithms on the client list are sorted in order of preference so the most top algorithm on the list is the most preferred one by the client then the server responds back with the same key exchange initialization message telling the client about the list of supported algorithms now since this is pretty much done at the same time both client and server are guessing these algorithms so if both have come up with the same algorithm after the exchange of these messages then they move forward to the next step otherwise the server picks the first algorithm on the client list if it is supported by itself if both sides cannot come up with the same algorithm then the connection fails and both disconnect so the client cannot ssh to the server now here is that step on wireshark here you can see key exchange initialization and if i go down here ssh version 2 you can see the first algorithm on the list of client that's as256 that's a yes a symmetric algorithm and then we have hmac shot two and then compression method is none but if i open this and then down here key exchange and here is the algorithms you can see these are the list of algorithms that are supported by client and this is the one that is sent to the server now if you look at the servers list you can see here that these are this is the the algorithm the first preferred algorithm on the servers list and you can see here the list of algorithms that are supported by server now if everything goes well and both agree on the same set of algorithms then they enter the next step which is key exchange phase now in this phase both systems uh use a key exchange algorithm such as diffie-hellman algorithm or in our case elliptic curve diffie-hellman to calculate a secret key now elliptic curve diffie-hellman is another powerful version of diffie-hellman elliptic curve is the set of points that satisfy a specific mathematical equation so in simple words the key values that are used as input to your diffie-hellman algorithm are some points on that curve if you don't remember or don't know how dfe helmet works please refer to my dv hellman video to get a better understanding of the concept so the process begins by the client generating an ephemeral keeper one is private that remains with the client and the second one which is a public key will be sent to the server in a message called ssh message key exchange elliptical dv hellman initialization now i just want to emphasize that the public private keeper that i mentioned here are for diffie-hellman key calculation if you look at wireshark here you can see uh elliptic curve dv hellman key exchange initialization it's started from client and down here in under this ssh protocol you can see this key exchange and uh here i have ecdh that that's elliptic curve diffie-hellman clients ephemeral public key length and this is the public key it's itself so this is the one that is sent to the server now the server has been waiting for this message and as soon as it receives it it generates its own pair of ephemeral public and private keys and then uses these keys plus the public key that it received from client in its elliptic curve diffie-hellman algorithm to calculate a secret key the second thing that the server is going to compute is called an exchange hash so first let's see how the hash is generated and then i'll explain why we need that now to generate the hash the server is going to use the hashing algorithm that both client and server agreed on so in this case they both agreed on a sha-2 algorithm so here are the inputs to this hash we have clients identification string remember this is the one that the earlier client sent to the server when the client wanted to establish his ssh communication that's the first input to hash then we have servers identification string then after that we have the payload of the client's key exchange initialization that will be another input to this hashing algorithm then we have the payload of the server's key exchange initialization message the server also has a pair of public and private keys these keys are different from the one that we use in diffie-hellman these are the host keys that the server uses in asymmetric algorithms such as digital signature and digital certificates now the servers public key is also an input to the hash computation then we have clients fmrl public key this is the one that the client earlier sent to the server to be using diffie-hellman key calculation then we have a servers ephemeral public key again this key is the one that the server using dfe hellman key calculation and last but not least is the shared secret key after creating this the hash the server uses its private key to encrypt or sign the hash now the server creates the hash to prove few things to the client first since the hash has the shared secret key which was generated through diffie-hellman algorithm it proves that the server was able to generate this key based on the value that the client had sent earlier the hash is also signed by the server so the server is authenticating itself to the client and it's a proof of the position of the private key meaning if the client can decrypt the message with the server's public key that means the message was encrypted with the server's private key and the hash also serves as the session identifier in each key exchange phase so that's the reason that the server creates this hash out of those values that i just showed you then the server constructs a message called ssh message key exchange of elliptic curve diffie-hellman reply then it adds the exchange hash the host public key and the public key generated for diffie-hell helmet algorithm to this message and then send that to the client now here this step in wireshark looks like this so this is the message that was sent from the server to a client you can see elliptic curve diffie-hellman key exchange reply and let me close these two and we just need this one so we have ssh version 2s protocol here and that's the key exchange and here is the message code elliptical of diffie-hellman key exchange reply and these are the values that have been sent to the client we have key exchange host key so this is basically the public key of the server that has been sent to the client then we have ecdh elliptic curve diffie-hellman servers ephemeral public key so that's the public key for dv hellman key calculation that the server is sending to client and down here we have key exchange hash that has been signed by the server and all of these three are sent to the client as part of this elliptic curve diffie-hellman key exchange message now once the client receives the message it uses the server's public key as an input to dpl key calculation in addition to its own defilement private and public keys to compute the uh secret key once the secret key is calculated then the client generates the the exchange hash from the same inputs as the server so the same hashing algorithm is going to be used and the same client identification string servers identification string payload of clients key exchange initialization payload of servers key exchange initialization the server's public host key the client's ephemeral public key the server's public key and the shared secret key are going to be input to this hash next the client verifies the public key of the server this is done by using digital certificate sent by the server if there was one or a local database of public keys if neither of these exist meaning there is no digital certificate signed by a certification authority nor is a local database of the server's public key then it's up to client to go ahead with accepting the public key since the client is allowed to accept the key without verification so when you ssh to a server if you see any of these warning messages that means neither of the verification method existed so the top message that you can see comes from my putty and the bottom one is the ssh that i use on my linux machine to ssh to another linux machine now if you answer yes to these warnings that means you are accepting the public key of the server that means you're trusting that public key of the server now the client uses that public key to decrypt the hash that was sent by the server and compares it with the one that it created earlier in the process if these hashes are the same then the server has been authenticated now for the future communications the server and the client are not going to use the shared secret key that was created by diffie-hellman algorithm instead they are using that key as a base to derive six new keys two keys for encryption from server to client and client to server two initialization vector keys for server to client and vice versa these keys are random numbers that are usually added as input to symmetric algorithm just to make the algorithm more secure and make it more difficult to break the cipher text and two for the integrity from server to client and client to server the end of key exchange is signaled by the exchange of ssh message new keys message informing each other that all future messages are encrypted using these new keys and if we look at our wireshark here are these messages in wireshark you can see on the server here right at the end of this key exchange reply dpl monkey exchange reply i have new keys if i close this one right down here i have ssh version 2 and you can see here message code new keys and then right after that i have these ssh message new keys from client to server so that's let me close this one so that we don't have too many things open and here i have these new keys that was sent from client to server the final step is service request so the client sends an ssh message service request packet to request for the user authentication from the server and then the server responds back with ssh message service accept and that's how the secure session gets established and client can provide the credentials to login to the server through this encrypted channel so that's it for ssh protocol i hope you found this helpful and i'll see you in the next video
Info
Channel: CBTVid
Views: 3,276
Rating: 5 out of 5
Keywords: ssh, secure socket layer, cryptography, security plus, security, ssh protocol
Id: 0Sffl7YO0aY
Channel Id: undefined
Length: 17min 1sec (1021 seconds)
Published: Tue Jan 19 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.