Introduction to SSH & PGP

6,880 views
6,597 views

Published on

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,880
On SlideShare
0
From Embeds
0
Number of Embeds
22
Actions
Shares
0
Downloads
216
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Introduction to SSH & PGP

  1. 1. A. SARANG INTRODUCTION TO SSH & PGP
  2. 2. Agenda  Dial Up & broadband connections  Introduction to SSH protocol & applications  SSH-TRANS  Client- Server Authentication  SSH configuration  Public & Private key pair generation  Digital Signatures  Use of SSH in Port Forwarding
  3. 3.  SSH in subversion control  Introduction to PGP protocol & applications  Email compatibility of PGP
  4. 4. A few years back ..  DIAL-UP connection
  5. 5. Dial up connection  Passwords were sent over phoneline or LAN.  Was it secure ?
  6. 6. The present day..  Broadband connection
  7. 7. Broad band connection  Passwords go through ISPs/ untrusted networks.  How can there be a secure way of sending passwords across the internet ?
  8. 8. The need for encryption  This can be solved by encrption of the data sent over the untrusted networks .  This improves the strength of the authentication mechanism people use to login.  We call this mechanism as …
  9. 9. SSH Secure SHell protocol & applications
  10. 10. SSH  Replaces less secure telnet & rlogin* programs.  Uses public key cryptography to authenticate remote PCs.  *rlogin is a software utility for Unix-like computer operating systems that allows users to log in on another host via a network, communicating viaTCP port 513.
  11. 11. SSH can  Execute commands & transfer files (like unix rsh & rcp commands).  Provides strong client/server authentications  Message integrity.
  12. 12. SSH can protect against ..  Manipulation of data at intermediate elements in the network.  IP address spoofing where attack hosts pretends to be trusted host by sending packets with source address of trusted hosts  DNS spoofing.
  13. 13. SSH will not protect against ..  A compromised root account .  Insecure home directories  Eg : if an attacker tries to modify files in the home directory.
  14. 14. SSH version 2 protocols  SSH-TRANS , a transport layer protocol  SSH-AUTH , an authentication protocol.  SSH-CONN , a connection protocol.  SSH-AUTH & SSH-TRANS are used for remote login.
  15. 15. SSH - TRANS  Provides encrypted channel between client & server machines.  Runs on top of TCP connection.
  16. 16. SSH-TRANS mechanism  Client authenticates server using RSA algorithm.  After authentication , it establishes a session key to encrypt data sent over the channel.  Message integrity check is done for all data exchanged over the channel.
  17. 17.  Public key is owned by the server .  How come client possesses the server’s public key?
  18. 18. Step-1 : Client authenticates the server  The server tells the client its public key at the connection time.  During first time , SSH application warns the client that it has never connected to the server before .
  19. 19.  The client remembers the server’s public key.  From the second time, the client compares the key with the stored public key.
  20. 20. Step 2 : Client authenticates itself to the server  This can be done in 3 ways :-  User sends his password to user directly in the secure channel.  This is safe as the password is encrypted.
  21. 21.  Public key is placed on the server prior to connection .  HOST BASED AUTHENTICATION  The server has a set of trusted hosts.  Client claims to be a “trusted host” .
  22. 22. Installing SSH on YOUR PC  You can download the source code from  http://www.openssh.com/
  23. 23. Configuration files  SSH has 2 different sets of configuration files :-  System wide configuration files  User specific config files
  24. 24. System Wide Configuration Filles  Stored in /etc/ssh directory  Ssh_config : client config file.  Sshd_config : sshd server config files.  Sshd.pid : Server’s pid in stored here.
  25. 25. User specific configuration files ..  Stored in ~UserName/.ssh directory.  Known_hosts : This file contains host keys of SSH server s accessed by the user.
  26. 26.  Authorized_keys2 : holds a list of authorized public keys for users.  When a client connects to a server , server authenticates client by checking the public key stored here.
  27. 27. Why config files are important :  Specify authentication methods.  Specify SSH protocols supported .  Behavior of server can be controlled by :-  Compling time configuration  Config file  Command line options
  28. 28. Key management in SSH  SSH authenticates users using keypairs :-  Private key  Public key
  29. 29. Keypairs
  30. 30. Key management commands  Ssh-keygen : create key pairs  Ssh-agent : holds private key in memory  Ssh-add : adds key to key agent
  31. 31. Applications of SSH : Port Forwarding
  32. 32. More practical application :  Subversion control :-  Github  Gitorious  svn
  33. 33. PGP Pretty Good Privacy
  34. 34.  PGP is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication.  PGP combines the best available cryptographic algorithms to achieve secure e-mail communication.
  35. 35. PGP encryption is a serial combination of :-  Hashing  Data Compression  Symmetric Key Cryptography  Public Key Cryptography
  36. 36. Supports  Message Authentication  Integrity Checking (checking if message was altered since completion ).
  37. 37. Using PGP to create Digital Signatures  *plaintext : information a sender wishes to transmit to a receiver  Hash function from plaintext*  +  Sender’s private keys
  38. 38. Using PGP in emails  Authentication  Confidentiality  Compression  Email compatibility using Radix 64 conversion
  39. 39. Alice sends Bob an email , again !  Ad/Ae = private/public keypair  m = digitally signed message  SHA-1 = hashing function
  40. 40. Authentication- Sending  Alice hashes the message using SHA-1 to obtain SHA(m).  Alice encrypts the hash using her private key Ad to obtain ciphertext c given by  c=pk.encryptAd(SHA(m))  Alice sends Bob the pair (m,c).
  41. 41. Authentication - Receiving  Bob receives (m,c) .  Bob decrypts c using Alice's public key Ae to obtain signature s  s=pk.decryptAe(c)
  42. 42.  Bob computes hash of m to get signature s  If s==m , Authenticated !! 
  43. 43. Confidentiality – Added Security  Process is repeated with session key sk  m=sk.decryptk(c)  NOTE : encryption is done for session key+public key (same time)
  44. 44. E-Mail compatibility  Modern email system can transmit only blocks of ASCII text.  Encrypted ciphertext blocks may not correspond to ASCII characters .  This problem is overcome by …
  45. 45. Radix-64 conversion/base 64 encoding  The binary input is split into blocks of 24 bits (3 bytes).  Each 24 block is then split into four sets each of 6-bits.  Each 6-bit set will then have a value between 0 and 26-1 (=63).  This value is encoded into a printable character.
  46. 46. That’s all folks THANK YOU !! 

×