Why produce a shared session key before authentication in SSH?
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
The author wrote that an SSH session is established in two stages:
- Client and server establish encryption to secure the communication
- Client authentication
During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:
- The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.
My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?
It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.
ssh security encryption authentication
add a comment |Â
up vote
2
down vote
favorite
I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
The author wrote that an SSH session is established in two stages:
- Client and server establish encryption to secure the communication
- Client authentication
During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:
- The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.
My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?
It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.
ssh security encryption authentication
add a comment |Â
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
The author wrote that an SSH session is established in two stages:
- Client and server establish encryption to secure the communication
- Client authentication
During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:
- The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.
My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?
It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.
ssh security encryption authentication
I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
The author wrote that an SSH session is established in two stages:
- Client and server establish encryption to secure the communication
- Client authentication
During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:
- The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.
My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?
It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.
ssh security encryption authentication
ssh security encryption authentication
edited 2 hours ago
asked 5 hours ago
Adrian Wydmanski
12516
12516
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
3
down vote
accepted
It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.
Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.
Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.
1
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
add a comment |Â
up vote
1
down vote
No. This is the primary layer of encryption. There's no other layer.
The messages are secured by public key encryption and private key decryption anyway
They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).
Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.
Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods â such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.
Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex â because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
accepted
It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.
Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.
Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.
1
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
add a comment |Â
up vote
3
down vote
accepted
It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.
Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.
Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.
1
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
add a comment |Â
up vote
3
down vote
accepted
up vote
3
down vote
accepted
It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.
Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.
Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.
It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.
Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.
Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.
answered 2 hours ago
jakub_d
1562
1562
1
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
add a comment |Â
1
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
1
1
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
â grawity
2 hours ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
â Adrian Wydmanski
17 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
@AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
â jakub_d
4 mins ago
add a comment |Â
up vote
1
down vote
No. This is the primary layer of encryption. There's no other layer.
The messages are secured by public key encryption and private key decryption anyway
They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).
Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.
Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods â such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.
Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex â because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).
add a comment |Â
up vote
1
down vote
No. This is the primary layer of encryption. There's no other layer.
The messages are secured by public key encryption and private key decryption anyway
They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).
Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.
Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods â such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.
Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex â because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).
add a comment |Â
up vote
1
down vote
up vote
1
down vote
No. This is the primary layer of encryption. There's no other layer.
The messages are secured by public key encryption and private key decryption anyway
They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).
Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.
Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods â such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.
Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex â because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).
No. This is the primary layer of encryption. There's no other layer.
The messages are secured by public key encryption and private key decryption anyway
They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).
Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.
Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods â such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.
Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex â because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).
edited 2 hours ago
answered 2 hours ago
grawity
223k33456520
223k33456520
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1369611%2fwhy-produce-a-shared-session-key-before-authentication-in-ssh%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password