Dial Up & broadband connections
Introduction to SSH protocol & applications
Client-Server Authentication
Public & Private key pair generation
Use of SSH in Port Forwarding
SSH in subversion control
Introduction to PGP protocol & applications
Email compatibility of PGP
Broadband connection
Passwords go through ISPs/
How can there be a secure way of
sending passwords across the
The need for encryption
This can be solved by encryption of
the data sent over the untrusted
This improves the strength of the
authentication mechanism people
use to login.
We call this mechanism as …
Replaces less secure telnet &
Uses public key cryptography to
authenticate remote PCs.
*rlogin is a software utility for Unix-like computer operating
systems that allows users to log in on another host via
a network, communicating via TCP port 513.
SSH can protect against ..
Manipulation of data at intermediate
elements in the network.
IP address spoofing, where an attacking
host pretends to be a trusted host by
sending packets with the source address
of the trusted host.
SSH will not protect against ..
A compromised root account.
Insecure home directories
E.g.: if an attacker tries to modify
files in the home directory.
SSH version 2 protocols
SSH-TRANS, a transport layer
SSH-AUTH, an authentication
SSH-CONN, a connection
SSH-AUTH & SSH-TRANS are used for remote
SSH-TRANS
Provides encrypted channel
between client & server machines.
Runs on top of TCP connection.
Client authenticates server using RSA
After authentication, it establishes a
session key to encrypt data sent over
Message integrity check is done for
all data exchanged over the channel.
Public key is owned by the server.
How come client possesses the
server’s public key?
Step-1 : Client authenticates the server
The server tells the client its public
key at the connection time.
The first time, the SSH application
warns the client that it has never
connected to the server before.
The client remembers the server’s
From the second time, the client
compares the key with the stored
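
The first-use warning and later key comparison described in Step 1, as an added Python example (not part of the original slides). It assumes plain `hosts keytype base64-key` lines as found in a non-hashed known_hosts file; the class and function names, host names and key bytes are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the style OpenSSH prints for a host key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class KnownHosts:
    """In-memory stand-in for ~/.ssh/known_hosts (plain 'hosts type key' lines)."""

    def __init__(self, text: str = ""):
        self.keys = {}  # host name -> (key type, raw key blob)
        for line in text.splitlines():
            fields = line.split()
            # Skip blanks, comments, @markers and hashed host names.
            if len(fields) < 3 or fields[0][0] in "#@|":
                continue
            blob = base64.b64decode(fields[2])
            for host in fields[0].split(","):
                self.keys[host] = (fields[1], blob)

    def check(self, host, key_type, key_blob, accept_new=False):
        """Return 'match', 'mismatch', 'unknown' or 'stored' for an offered key."""
        known = self.keys.get(host)
        if known is None:
            # First contact: nothing to compare against, so the user must decide.
            if accept_new:
                self.keys[host] = (key_type, key_blob)
                return "stored"
            return "unknown"
        # Later contacts: any difference from the stored key is refused.
        return "match" if known == (key_type, key_blob) else "mismatch"

# Constructed sample data: these byte strings are not real SSH keys.
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"
SAMPLE = "server.example,192.0.2.10 ssh-rsa %s constructed\n" % (
    base64.b64encode(KEY_A).decode())

if __name__ == "__main__":
    kh = KnownHosts(SAMPLE)
    print(kh.check("server.example", "ssh-rsa", KEY_A), fingerprint(KEY_A))
    print(kh.check("server.example", "ssh-rsa", KEY_B), fingerprint(KEY_B))
    print(kh.check("new.example", "ssh-rsa", KEY_B))
```

A "mismatch" result is the case the stored key exists to catch: the server presented a different key than the one remembered from the first connection.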
Step 2 : Client authenticates itself to the
This can be done in 3 ways:
User sends his password to user
directly in the secure channel.
This is safe as the password is
Public key is placed on the server
prior to connection .
HOST BASED AUTHENTICATION
The server has a set of trusted
Client claims to be a “trusted
Installing SSH on YOUR PC
You can download the source code
SSH has 2 different sets of
configuration files :-
System wide configuration files
User specific config files
System Wide Configuration Files
Stored in /etc/ssh directory
ssh_config : client config file.
sshd_config : sshd server config
sshd.pid : Server’s PID is stored
User specific configuration files ..
Stored in ~UserName/.ssh
known_hosts : This file contains
host keys of SSH servers accessed
by the user.
authorized_keys2 : holds a list of
authorized public keys for users.
When a client connects to a server,
the server authenticates the client by
checking the public key stored
Why config files are important :
Specify authentication methods.
Specify SSH protocols supported .
Behavior of server can be
controlled by :-
Compile-time configuration
Command line options
Key management in SSH
SSH authenticates users using
PGP is a data encryption and
decryption computer program that
provides cryptographic privacy
and authentication for data
PGP combines the best available
cryptographic algorithms to achieve
secure e-mail communication.
PGP encryption is a serial combination
Symmetric Key Cryptography
Public Key Cryptography
(checking if message was altered
since completion).
Using PGP to create Digital Signatures
*plaintext : information a sender wishes to transmit to a receiver
Hash function from plaintext*
Sender’s private keys
Using PGP in emails
Email compatibility using Radix 64
Alice sends Bob an email, again!
Ad/Ae = private/public keypair
m = digitally signed message
SHA-1 = hashing function
Alice hashes the message using
SHA-1 to obtain SHA(m).
Alice encrypts the hash using her
private key Ad to obtain
ciphertext c given by
Alice sends Bob the pair (m,c).
Authentication - Receiving
Bob receives (m,c) .
Bob decrypts c using Alice's public
key Ae to obtain signature s
Bob computes hash of m to get
If s==m ,
Confidentiality – Added Security
Process is repeated with session
NOTE : encryption is done for
session key+public key (same
Modern email systems can transmit
only blocks of ASCII text.
Encrypted ciphertext blocks may
not correspond to ASCII characters
This problem is overcome by …
Radix-64 conversion/base 64 encoding
The binary input is split into blocks of 24 bits
Each 24-bit block is then split into four sets each
Each 6-bit set will then have a value between
0 and 2^6-1 (=63).
This value is encoded into a printable