This document provides an introduction to SSH and PGP protocols for secure communication. It discusses how SSH uses public-key cryptography to authenticate connections and encrypt data transmitted over untrusted networks, protecting against threats like IP spoofing. It also explains how SSH uses key pairs and configuration files. PGP is introduced as providing encryption, authentication and integrity for email through techniques like hashing, symmetric/asymmetric encryption and digital signatures. It describes how PGP handles the technical challenges of encoding encrypted data for transmission in email systems.

1. A. SARANG
INTRODUCTION
TO
SSH & PGP

2. Agenda
 Dial Up & broadband connections
 Introduction to SSH protocol & applications
 SSH-TRANS
 Client- Server Authentication
 SSH configuration
 Public & Private key pair generation
 Digital Signatures
 Use of SSH in Port Forwarding

3.  SSH in subversion control
 Introduction to PGP protocol & applications
 Email compatibility of PGP

4. A few years back ..
 DIAL-UP connection

5. Dial up connection
 Passwords were sent over
phoneline or LAN.
 Was it secure ?

6. The present day..
 Broadband connection

7. Broad band connection
 Passwords go through ISPs/
untrusted networks.
 How can there be a secure way of
sending passwords across the
internet ?

8. The need for encryption
 This can be solved by encrption of
the data sent over the untrusted
networks .
 This improves the strength of the
authentication mechanism people
use to login.
 We call this mechanism as …

9. SSH
Secure SHell
protocol & applications

11. SSH
 Replaces less secure telnet &
rlogin* programs.
 Uses public key cryptography to
authenticate remote PCs.
 *rlogin is a software utility for Unix-like computer operating
systems that allows users to log in on another host via
a network, communicating viaTCP port 513.

12. SSH can
 Execute commands & transfer files
(like unix rsh & rcp commands).
 Provides strong client/server
authentications
 Message integrity.

14. SSH can protect against ..
 Manipulation of data at intermediate
elements in the network.
 IP address spoofing where attack
hosts pretends to be trusted host by
sending packets with source address
of trusted hosts
 DNS spoofing.

15. SSH will not protect against ..
 A compromised root account .
 Insecure home directories
 Eg : if an attacker tries to modify
files in the home directory.

16. SSH version 2 protocols
 SSH-TRANS , a transport layer
protocol
 SSH-AUTH , an authentication
protocol.
 SSH-CONN , a connection
protocol.
 SSH-AUTH & SSH-TRANS are used for remote
login.

17. SSH - TRANS
 Provides encrypted channel
between client & server machines.
 Runs on top of TCP connection.

18. SSH-TRANS mechanism
 Client authenticates server using RSA
algorithm.
 After authentication , it establishes a
session key to encrypt data sent over
the channel.
 Message integrity check is done for
all data exchanged over the channel.

19.  Public key is owned by the server .
 How come client possesses the
server’s public key?

20. Step-1 : Client authenticates the server
 The server tells the client its public
key at the connection time.
 During first time , SSH application
warns the client that it has never
connected to the server before .

21.  The client remembers the server’s
public key.
 From the second time, the client
compares the key with the stored
public key.

22. Step 2 : Client authenticates itself to the
server
 This can be done in 3 ways :-
 User sends his password to user
directly in the secure channel.
 This is safe as the password is
encrypted.

23.  Public key is placed on the server
prior to connection .
 HOST BASED AUTHENTICATION
 The server has a set of trusted
hosts.
 Client claims to be a “trusted
host” .

24. Installing SSH on YOUR PC
 You can download the source code
from
 http://www.openssh.com/

25. Configuration files
 SSH has 2 different sets of
configuration files :-
 System wide configuration files
 User specific config files

26. System Wide Configuration Filles
 Stored in /etc/ssh directory
 Ssh_config : client config file.
 Sshd_config : sshd server config
files.
 Sshd.pid : Server’s pid in stored
here.

27. User specific configuration files ..
 Stored in ~UserName/.ssh
directory.
 Known_hosts : This file contains
host keys of SSH server s accessed
by the user.

28.  Authorized_keys2 : holds a list of
authorized public keys for users.
 When a client connects to a server
, server authenticates client by
checking the public key stored
here.

29. Why config files are important :
 Specify authentication methods.
 Specify SSH protocols supported .
 Behavior of server can be
controlled by :-
 Compling time configuration
 Config file
 Command line options

30. Key management in SSH
 SSH authenticates users using
keypairs :-
 Private key
 Public key

31. Keypairs

35. Key management commands
 Ssh-keygen : create key pairs
 Ssh-agent : holds private key in
memory
 Ssh-add : adds key to key agent

38. Applications of SSH : Port Forwarding

39. More practical application :
 Subversion control :-
 Github
 Gitorious
 svn

41. PGP
Pretty Good Privacy

42.  PGP is a data encryption and
decryption computer program that
provides cryptographic privacy
and authentication for data
communication.
 PGP combines the best available
cryptographic algorithms to achieve
secure e-mail communication.

43. PGP encryption is a serial combination
of :-
 Hashing
 Data Compression
 Symmetric Key Cryptography
 Public Key Cryptography

44. Supports
 Message Authentication
 Integrity Checking
(checking if message was altered
since completion ).

45. Using PGP to create Digital Signatures
 *plaintext : information a sender wishes to transmit to a receiver
 Hash function from plaintext*
 +
 Sender’s private keys

47. Using PGP in emails
 Authentication
 Confidentiality
 Compression
 Email compatibility using Radix 64
conversion

48. Alice sends Bob an email , again !
 Ad/Ae = private/public keypair
 m = digitally signed message
 SHA-1 = hashing function

49. Authentication- Sending
 Alice hashes the message using
SHA-1 to obtain SHA(m).
 Alice encrypts the hash using her
private key Ad to obtain
ciphertext c given by
 c=pk.encryptAd(SHA(m))
 Alice sends Bob the pair (m,c).

50. Authentication - Receiving
 Bob receives (m,c) .
 Bob decrypts c using Alice's public
key Ae to obtain signature s
 s=pk.decryptAe(c)

51.  Bob computes hash of m to get
signature s
 If s==m ,
Authenticated !! 

52. Confidentiality – Added Security
 Process is repeated with session
key sk
 m=sk.decryptk(c)
 NOTE : encryption is done for
session key+public key (same
time)

53. E-Mail compatibility
 Modern email system can transmit
only blocks of ASCII text.
 Encrypted ciphertext blocks may
not correspond to ASCII characters
.
 This problem is overcome by …

54. Radix-64 conversion/base 64 encoding
 The binary input is split into blocks of 24 bits
(3 bytes).
 Each 24 block is then split into four sets each
of 6-bits.
 Each 6-bit set will then have a value between
0 and 26-1 (=63).
 This value is encoded into a printable
character.

56. That’s all folks
THANK YOU !! 