Flexible and Scalable Public Key Security for SSH
A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected channel with a remote server. However, widely-deployed implementations of the protocol are vulnerable to man-in-the-middle attacks, where an adversary substitutes her public key for the server’s. This danger particularly threatens a traveling user Bob borrowing a client machine.
Imposing a traditional X.509 PKI on all SSH servers and clients is neither flexible nor scalable nor (in the foreseeable future) practical. Requiring extensive work or an SSL server at Bob’s site is also not practical for many users.
This paper presents our experiences designing and implementing an alternative scheme that solves the public-key security problem in SSH without requiring such an a priori universal trust structure or extensive sysadmin work—although it does require a modified SSH client. (The code is available for public download.)
Keywords: Dictionary Attack, Client Machine, Internet Draft, Network Working Group, Algorithm Negotiation