On Wed, Apr 11, 2001 at 02:04:17AM -0500, chien-yu chen wrote:
> I am reading the ssh2 internet draft..and have some question that I am not
> really sure....
>
> the protocol is divided into 3 layers. transport, user auth. and connection.
>
> On the transport layer, it talks about encryption. and the method includes
> 3des-cbc, blowfish-cbc, twofish-cbc, arcfour, idea-cbc, cast128-cbc. Are
> those the actual encryption being used on the data once the connection is
> established? or is it used for the key exchange process?

These are the session encryptions, they're all symmetric cyphers so

    message + key = data + key

both sides need the key

> 4.5. Key Exchange Methods
>
> The key exchange method specifies how one-time session keys are
> generated for encryption and for authentication, and how the server
> authentication is done.
>
> I am not too sure what this one is for...
>
> Can someone that's more familiar with the whole protocol give me a better
> over view? thanks

The key exchange and server authentication are done with public-key
crypto, so that

    data + public_key => message => data + private_key

and

    data + private_key => message => data + public_key

but these are one-way, such that if you encrypt the message with the
private_key, the corresponding public_key is the only thing that will
decrypt it (signatures) and vice-versa.

I don't know the details of the authentication, but here's how I suppose
it works:

You provide the server with your public_key. You then make a request
encrypted with your private_key. Since your public_key correctly
decodes the request, the server knows that only you could have made
that request, therefore you are authenticated.

Key exchange is handled similarly. The holder of the public_key encrypts
a request to the server that includes a session key of some sort. The
server, as the holder of the private_key, is the only thing that can
decode the request, and therefore the only thing that will know the
session key inside it. That session key is used to encrypt the response
to the client. To further ensure the data is protected, the session key
is regenerated periodically and exchanged with public_key crypto. Thus if
you do happen to decrypt one key exchange packet you might only have 1
minute of packets you can decrypt with that key.

Anyway, that's how I understand it.

--
_____________________ _ _ _________________________
Michael Rice |_| Collective |_| http://www.colltech.com
[EMAIL PROTECTED] |_ Technologies _| 8009464646/1415141 pager
Consultant [] [] "The Power Of Many Minds"
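
An added example, not part of the original message or of any SSH implementation: the diffie-hellman-group1-sha1 exchange and key derivation defined in the SSH2 transport draft, showing how the "one-time session keys ... for encryption and for authentication" of the quoted section 4.5 come out of one exchange. The version strings, KEXINIT payloads and host key blob are constructed placeholders, the key sizes assume 3des-cbc with hmac-sha1, and the host key signature over H is left out because the Python standard library has no signature primitive.

```python
import hashlib, secrets, struct

# 1024-bit Oakley Group 2 prime (RFC 2409), used by diffie-hellman-group1-sha1.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def mpint(n):
    # Length-prefixed big-endian integer (n > 0); a leading zero byte keeps it positive.
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def dh_keypair():
    x = secrets.randbelow(Q - 2) + 2           # secret exponent, 1 < x < Q
    return x, pow(G, x, P)

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k):
    # H binds both version strings, both KEXINIT payloads, the host key and the DH values.
    parts = [ssh_string(s) for s in (v_c, v_s, i_c, i_s, k_s)] + [mpint(n) for n in (e, f, k)]
    return hashlib.sha1(b"".join(parts)).digest()

def derive_key(k, h, letter, session_id, length):
    out = hashlib.sha1(mpint(k) + h + letter + session_id).digest()
    while len(out) < length:                   # extend when more than 20 bytes are needed
        out += hashlib.sha1(mpint(k) + h + out).digest()
    return out[:length]

# Sizes assume 3des-cbc (8-byte IV, 24-byte key) and hmac-sha1 (20-byte key).
LABELS = {"iv_c2s": (b"A", 8), "iv_s2c": (b"B", 8), "enc_c2s": (b"C", 24),
          "enc_s2c": (b"D", 24), "mac_c2s": (b"E", 20), "mac_s2c": (b"F", 20)}

def session_keys(k, h, session_id):
    return {name: derive_key(k, h, c, session_id, n) for name, (c, n) in LABELS.items()}

def run_exchange():
    ctx = (b"SSH-2.0-client_demo", b"SSH-2.0-server_demo", b"constructed client KEXINIT",
           b"constructed server KEXINIT", b"constructed host key blob")  # constructed inputs
    x, e = dh_keypair()                        # client sends e
    y, f = dh_keypair()                        # server sends f, its host key, signature over H
    k_c, k_s = pow(f, x, P), pow(e, y, P)      # each side computes K from the other's value
    h_c, h_s = exchange_hash(*ctx, e, f, k_c), exchange_hash(*ctx, e, f, k_s)
    # Server authentication: the server signs H with its host key (omitted here).
    return session_keys(k_c, h_c, h_c), session_keys(k_s, h_s, h_s)
```

`run_exchange()` returns the client's and the server's key sets; in the first exchange of a connection the session identifier is H itself, which is why `h_c` and `h_s` are passed twice.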