Why produce a shared session key before authentication in SSH?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



The author wrote that an SSH session is established in two stages:



  1. Client and server establish encryption to secure the communication

  2. Client authentication

During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




  1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.










share|improve this question



























    up vote
    2
    down vote

    favorite












    I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



    The author wrote that an SSH session is established in two stages:



    1. Client and server establish encryption to secure the communication

    2. Client authentication

    During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




    1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



    My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



    It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.










    share|improve this question

























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



      The author wrote that an SSH session is established in two stages:



      1. Client and server establish encryption to secure the communication

      2. Client authentication

      During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




      1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



      My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



      It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.










      share|improve this question















      I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



      The author wrote that an SSH session is established in two stages:



      1. Client and server establish encryption to secure the communication

      2. Client authentication

      During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




      1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



      My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



      It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.







      ssh security encryption authentication






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 hours ago

























      asked 5 hours ago









      Adrian Wydmanski

      12516




      12516




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted










          It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



          Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



          Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






          share|improve this answer
















          • 1




            I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
            – grawity
            2 hours ago










          • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
            – Adrian Wydmanski
            17 mins ago










          • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
            – jakub_d
            4 mins ago


















          up vote
          1
          down vote













          No. This is the primary layer of encryption. There's no other layer.




          The messages are secured by public key encryption and private key decryption anyway




          They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



          Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



          Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



          Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






          share|improve this answer






















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "3"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1369611%2fwhy-produce-a-shared-session-key-before-authentication-in-ssh%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            3
            down vote



            accepted










            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






            share|improve this answer
















            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              17 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              4 mins ago















            up vote
            3
            down vote



            accepted










            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






            share|improve this answer
















            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              17 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              4 mins ago













            up vote
            3
            down vote



            accepted







            up vote
            3
            down vote



            accepted






            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






            share|improve this answer












            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 2 hours ago









            jakub_d

            1562




            1562







            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              17 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              4 mins ago













            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              17 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              4 mins ago








            1




            1




            I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
            – grawity
            2 hours ago




            I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
            – grawity
            2 hours ago












            Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
            – Adrian Wydmanski
            17 mins ago




            Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
            – Adrian Wydmanski
            17 mins ago












            @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
            – jakub_d
            4 mins ago





            @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
            – jakub_d
            4 mins ago













            up vote
            1
            down vote













            No. This is the primary layer of encryption. There's no other layer.




            The messages are secured by public key encryption and private key decryption anyway




            They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



            Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



            Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



            Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






            share|improve this answer


























              up vote
              1
              down vote













              No. This is the primary layer of encryption. There's no other layer.




              The messages are secured by public key encryption and private key decryption anyway




              They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



              Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



              Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



              Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






              share|improve this answer
























                up vote
                1
                down vote










                up vote
                1
                down vote









                No. This is the primary layer of encryption. There's no other layer.




                The messages are secured by public key encryption and private key decryption anyway




                They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



                Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



                Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



                Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






                share|improve this answer














                No. This is the primary layer of encryption. There's no other layer.




                The messages are secured by public key encryption and private key decryption anyway




                They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



                Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



                Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



                Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 hours ago

























                answered 2 hours ago









                grawity

                223k33456520




                223k33456520



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1369611%2fwhy-produce-a-shared-session-key-before-authentication-in-ssh%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?