SSH and SSL CIT304 University of Sunderland Harry R. Erwin, PhD.
SSH and SSL
CIT304
University of Sunderland
Harry R. Erwin, PhD
Resources
• Daniel J. Barrett and Richard E. Silverman, 2001, SSH, the Secure Shell, O’Reilly, ISBN: 0-596-00011-1
• Eric Rescorla, 2001, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, ISBN: 0-201-61598-3
The Problem
• IPv4 is insecure. Most TCP/IP services are unencrypted. This allows anyone to monitor and reconstruct connection traffic on the internet.
• The following needs can be identified:
– Encrypted connections between parties known to each other.
– Third-party authentication and encrypted connection establishment when parties are not known to each other.
Solutions
• SSH to support encrypted sessions
• SSL to provide trusted third-party authentication and to support encrypted sessions.
SSH
• “Secure shell”
• Transparent encryption.
• Modern, secure encryption algorithms
• Reliable, fast, and effective
• Client/server interaction
• Eliminates .rhosts and hosts.equiv
Services Provided
• Replaces:
– rsh and telnet with ssh
– rlogin with slogin
– rcp with scp
– ftp with sftp
• Protocols
– ssh-1
– ssh-2
SSH1 Authentication Mechanisms
1. Kerberos
2. Rhosts (trusted host authentication, insecure)
3. RhostsRSA (trusted host authentication, insecure)
4. Public-key (RSA)
5. TIS
6. Password (various flavors, relatively insecure)
SSH2 Authentication Mechanisms
1. Public-key (DSA, RSA, OpenPGP)
2. Hostbased
3. Password
Ciphers
• SSH1
– 3DES, IDEA, ARCFOUR (alleged RC4), DES
• SSH2
– 3DES, Blowfish, Twofish, CAST-128, IDEA, ARCFOUR
Port Forwarding
• SSH can forward or tunnel ports, allowing you to run insecure services securely.
ssh -L 3002:localhost:119 news.yoyo.com
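An added example, not part of the lecture slides: a small Python parser for the `-L` specification used in the slide's command. It makes explicit that the host in the middle field (`localhost`) is resolved by the SSH server, here `news.yoyo.com`, so only the leg from the client to the server is encrypted and the final hop to port 119 is cleartext on the server side. The dataclass and function names are my own.

```python
"""Decode an OpenSSH `-L [bind_address:]port:host:hostport` forwarding spec.

Added example for the lecture's `ssh -L 3002:localhost:119 news.yoyo.com`;
bracketed IPv6 literals are deliberately not handled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalForward:
    bind_address: str  # interface the ssh *client* listens on
    local_port: int    # port opened on the client machine
    dest_host: str     # resolved by the SSH *server*, not by the client
    dest_port: int     # port the server connects to on dest_host


def parse_local_forward(spec: str) -> LocalForward:
    """Parse the -L syntax; 3 fields means the bind address was omitted."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"malformed -L spec: {spec!r}")
    if bind in ("", "*"):        # empty or '*' = listen on all interfaces
        bind = "*"
    if not host:
        raise ValueError("destination host must not be empty")
    local_port, dest_port = int(port), int(hostport)
    for p in (local_port, dest_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return LocalForward(bind, local_port, host, dest_port)


def describe(spec: str, ssh_server: str) -> str:
    """Spell out where the tunnel listens and where the cleartext leg ends."""
    f = parse_local_forward(spec)
    loopback = ("localhost", "127.0.0.1", "::1")
    # 'localhost' in the spec means the SSH server itself, not the client.
    target = ssh_server if f.dest_host in loopback else f.dest_host
    exposure = ("loopback only" if f.bind_address in loopback
                else "reachable from other hosts")
    return (f"listen {f.bind_address}:{f.local_port} [{exposure}]; "
            f"encrypted to {ssh_server}; then cleartext {target}:{f.dest_port}")


if __name__ == "__main__":
    print(describe("3002:localhost:119", "news.yoyo.com"))
```

Running the block prints the path for the slide's command: a loopback-only listener on port 3002, an encrypted hop to news.yoyo.com, and a cleartext connection from that server to its own port 119.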
A Simple Example
• ssh -l harry harry.sunderland.ac.uk
• This allows me to log into harry@harry.sunderland.ac.uk
• Another way of doing the same thing is
• ssh harry@harry.sunderland.ac.uk
Using scp
• scp harry@harry.sunderland.ac.uk:myfile afile
• This transfers myfile from my home directory on harry.sunderland.ac.uk to afile locally.
• You can also use sftp similarly to ftp.
Threats Countered
• Eavesdropping
• DNS and IP Spoofing
• Connection Hijacking
• Man-in-the-Middle Attacks
• Insertion Attack
SSL
• Secure Sockets Layer
• An authentication and encryption technique that provides security services to TCP by a socket-style API.
• Relies on certificates issued by a trusted third party.
• Invented by Netscape.
• Is slowly being replaced by TLS (Transport Layer Security)
Services Provided
• Secure http
• pop
• imap
• smtp
• ftp
• rmi
• corba
• iiop
• telnet
• ldap
SSL Functions
• Confidential transmission
• Message integrity
• Endpoint authentication
How It Works
• An understanding of how SSL works is necessary to use it safely.
• Uses public key (asymmetric) cryptography.
• Trusted third parties (Certificate Authorities) provide the certificates that contain the public keys.
• Supports many encryption algorithms.
SSL-Enabled UNIX Clients
• curl
• ethereal
• ettercap
• lynx
• stunnel
• gabber
• links
• mutt
• xchat
• bitchx
• lftp
• neon
• openldap
• openslp
• pine
• various database managers