aboutsummaryrefslogtreecommitdiff
path: root/doc/draft-ietf-secsh-architecture-14.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/draft-ietf-secsh-architecture-14.txt')
-rw-r--r--doc/draft-ietf-secsh-architecture-14.txt1736
1 files changed, 0 insertions, 1736 deletions
diff --git a/doc/draft-ietf-secsh-architecture-14.txt b/doc/draft-ietf-secsh-architecture-14.txt
deleted file mode 100644
index 9a7c4082..00000000
--- a/doc/draft-ietf-secsh-architecture-14.txt
+++ /dev/null
@@ -1,1736 +0,0 @@
-
-
-Network Working Group T. Ylonen
-Internet-Draft T. Kivinen
-Expires: January 12, 2004 SSH Communications Security Corp
- M. Saarinen
- University of Jyvaskyla
- T. Rinne
- S. Lehtinen
- SSH Communications Security Corp
- July 14, 2003
-
-
- SSH Protocol Architecture
- draft-ietf-secsh-architecture-14.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 12, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- SSH is a protocol for secure remote login and other secure network
- services over an insecure network. This document describes the
- architecture of the SSH protocol, as well as the notation and
- terminology used in SSH protocol documents. It also discusses the
- SSH algorithm naming system that allows local extensions. The SSH
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 1]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- protocol consists of three major components: The Transport Layer
- Protocol provides server authentication, confidentiality, and
- integrity with perfect forward secrecy. The User Authentication
- Protocol authenticates the client to the server. The Connection
- Protocol multiplexes the encrypted tunnel into several logical
- channels. Details of these protocols are described in separate
- documents.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. Specification of Requirements . . . . . . . . . . . . . . . 4
- 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 4
- 3.1 Host Keys . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 3.2 Extensibility . . . . . . . . . . . . . . . . . . . . . . . 6
- 3.3 Policy Issues . . . . . . . . . . . . . . . . . . . . . . . 6
- 3.4 Security Properties . . . . . . . . . . . . . . . . . . . . 7
- 3.5 Packet Size and Overhead . . . . . . . . . . . . . . . . . . 7
- 3.6 Localization and Character Set Support . . . . . . . . . . . 8
- 4. Data Type Representations Used in the SSH Protocols . . . . 9
- 5. Algorithm Naming . . . . . . . . . . . . . . . . . . . . . . 11
- 6. Message Numbers . . . . . . . . . . . . . . . . . . . . . . 12
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 12
- 8. Security Considerations . . . . . . . . . . . . . . . . . . 13
- 8.1 Pseudo-Random Number Generation . . . . . . . . . . . . . . 13
- 8.2 Transport . . . . . . . . . . . . . . . . . . . . . . . . . 14
- 8.2.1 Confidentiality . . . . . . . . . . . . . . . . . . . . . . 14
- 8.2.2 Data Integrity . . . . . . . . . . . . . . . . . . . . . . . 17
- 8.2.3 Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
- 8.2.4 Man-in-the-middle . . . . . . . . . . . . . . . . . . . . . 18
- 8.2.5 Denial-of-service . . . . . . . . . . . . . . . . . . . . . 20
- 8.2.6 Covert Channels . . . . . . . . . . . . . . . . . . . . . . 21
- 8.2.7 Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . 21
- 8.3 Authentication Protocol . . . . . . . . . . . . . . . . . . 21
- 8.3.1 Weak Transport . . . . . . . . . . . . . . . . . . . . . . . 22
- 8.3.2 Debug messages . . . . . . . . . . . . . . . . . . . . . . . 22
- 8.3.3 Local security policy . . . . . . . . . . . . . . . . . . . 23
- 8.3.4 Public key authentication . . . . . . . . . . . . . . . . . 23
- 8.3.5 Password authentication . . . . . . . . . . . . . . . . . . 24
- 8.3.6 Host based authentication . . . . . . . . . . . . . . . . . 24
- 8.4 Connection protocol . . . . . . . . . . . . . . . . . . . . 24
- 8.4.1 End point security . . . . . . . . . . . . . . . . . . . . . 24
- 8.4.2 Proxy forwarding . . . . . . . . . . . . . . . . . . . . . . 24
- 8.4.3 X11 forwarding . . . . . . . . . . . . . . . . . . . . . . . 25
- 9. Intellectual Property . . . . . . . . . . . . . . . . . . . 25
- 10. Additional Information . . . . . . . . . . . . . . . . . . . 26
- References . . . . . . . . . . . . . . . . . . . . . . . . . 26
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 29
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 2]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- Full Copyright Statement . . . . . . . . . . . . . . . . . . 31
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 3]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- 1. Introduction
-
- SSH is a protocol for secure remote login and other secure network
- services over an insecure network. It consists of three major
- components:
- o The Transport Layer Protocol [SSH-TRANS] provides server
- authentication, confidentiality, and integrity. It may
- optionally also provide compression. The transport layer will
- typically be run over a TCP/IP connection, but might also be
- used on top of any other reliable data stream.
- o The User Authentication Protocol [SSH-USERAUTH] authenticates
- the client-side user to the server. It runs over the transport
- layer protocol.
- o The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
- tunnel into several logical channels. It runs over the user
- authentication protocol.
-
- The client sends a service request once a secure transport layer
- connection has been established. A second service request is sent
- after user authentication is complete. This allows new protocols
- to be defined and coexist with the protocols listed above.
-
- The connection protocol provides channels that can be used for a
- wide range of purposes. Standard methods are provided for setting
- up secure interactive shell sessions and for forwarding
- ("tunneling") arbitrary TCP/IP ports and X11 connections.
-
- 2. Specification of Requirements
-
- All documents related to the SSH protocols shall use the keywords
- "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
- "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe
- requirements. They are to be interpreted as described in [RFC-
- 2119].
-
- 3. Architecture
-
- 3.1 Host Keys
-
- Each server host SHOULD have a host key. Hosts MAY have multiple
- host keys using multiple different algorithms. Multiple hosts MAY
- share the same host key. If a host has keys at all, it MUST have
- at least one key using each REQUIRED public key algorithm
- (currently DSS [FIPS-186]).
-
- The server host key is used during key exchange to verify that the
- client is really talking to the correct server. For this to be
- possible, the client must have a priori knowledge of the server's
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 4]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- public host key.
-
- Two different trust models can be used:
- o The client has a local database that associates each host name
- (as typed by the user) with the corresponding public host key.
- This method requires no centrally administered infrastructure,
- and no third-party coordination. The downside is that the
- database of name-to-key associations may become burdensome to
- maintain.
- o The host name-to-key association is certified by some trusted
- certification authority. The client only knows the CA root
- key, and can verify the validity of all host keys certified by
- accepted CAs.
-
- The second alternative eases the maintenance problem, since
- ideally only a single CA key needs to be securely stored on the
- client. On the other hand, each host key must be appropriately
- certified by a central authority before authorization is
- possible. Also, a lot of trust is placed on the central
- infrastructure.
-
- The protocol provides the option that the server name - host key
- association is not checked when connecting to the host for the
- first time. This allows communication without prior communication
- of host keys or certification. The connection still provides
- protection against passive listening; however, it becomes
- vulnerable to active man-in-the-middle attacks. Implementations
- SHOULD NOT normally allow such connections by default, as they
- pose a potential security problem. However, as there is no widely
- deployed key infrastructure available on the Internet yet, this
- option makes the protocol much more usable during the transition
- time until such an infrastructure emerges, while still providing a
- much higher level of security than that offered by older solutions
- (e.g. telnet [RFC-854] and rlogin [RFC-1282]).
-
- Implementations SHOULD try to make the best effort to check host
- keys. An example of a possible strategy is to only accept a host
- key without checking the first time a host is connected, save the
- key in a local database, and compare against that key on all
- future connections to that host.
-
- Implementations MAY provide additional methods for verifying the
- correctness of host keys, e.g. a hexadecimal fingerprint derived
- from the SHA-1 hash of the public key. Such fingerprints can
- easily be verified by using telephone or other external
- communication channels.
-
- All implementations SHOULD provide an option to not accept host
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 5]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- keys that cannot be verified.
-
- We believe that ease of use is critical to end-user acceptance of
- security solutions, and no improvement in security is gained if
- the new solutions are not used. Thus, providing the option not to
- check the server host key is believed to improve the overall
- security of the Internet, even though it reduces the security of
- the protocol in configurations where it is allowed.
-
- 3.2 Extensibility
-
- We believe that the protocol will evolve over time, and some
- organizations will want to use their own encryption,
- authentication and/or key exchange methods. Central registration
- of all extensions is cumbersome, especially for experimental or
- classified features. On the other hand, having no central
- registration leads to conflicts in method identifiers, making
- interoperability difficult.
-
- We have chosen to identify algorithms, methods, formats, and
- extension protocols with textual names that are of a specific
- format. DNS names are used to create local namespaces where
- experimental or classified extensions can be defined without fear
- of conflicts with other implementations.
-
- One design goal has been to keep the base protocol as simple as
- possible, and to require as few algorithms as possible. However,
- all implementations MUST support a minimal set of algorithms to
- ensure interoperability (this does not imply that the local policy
- on all hosts would necessary allow these algorithms). The
- mandatory algorithms are specified in the relevant protocol
- documents.
-
- Additional algorithms, methods, formats, and extension protocols
- can be defined in separate drafts. See Section Algorithm Naming
- (Section 5) for more information.
-
- 3.3 Policy Issues
-
- The protocol allows full negotiation of encryption, integrity, key
- exchange, compression, and public key algorithms and formats.
- Encryption, integrity, public key, and compression algorithms can
- be different for each direction.
-
- The following policy issues SHOULD be addressed in the
- configuration mechanisms of each implementation:
- o Encryption, integrity, and compression algorithms, separately
- for each direction. The policy MUST specify which is the
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 6]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- preferred algorithm (e.g. the first algorithm listed in each
- category).
- o Public key algorithms and key exchange method to be used for
- host authentication. The existence of trusted host keys for
- different public key algorithms also affects this choice.
- o The authentication methods that are to be required by the
- server for each user. The server's policy MAY require multiple
- authentication for some or all users. The required algorithms
- MAY depend on the location where the user is trying to log in
- from.
- o The operations that the user is allowed to perform using the
- connection protocol. Some issues are related to security; for
- example, the policy SHOULD NOT allow the server to start
- sessions or run commands on the client machine, and MUST NOT
- allow connections to the authentication agent unless forwarding
- such connections has been requested. Other issues, such as
- which TCP/IP ports can be forwarded and by whom, are clearly
- issues of local policy. Many of these issues may involve
- traversing or bypassing firewalls, and are interrelated with
- the local security policy.
-
- 3.4 Security Properties
-
- The primary goal of the SSH protocol is improved security on the
- Internet. It attempts to do this in a way that is easy to deploy,
- even at the cost of absolute security.
- o All encryption, integrity, and public key algorithms used are
- well-known, well-established algorithms.
- o All algorithms are used with cryptographically sound key sizes
- that are believed to provide protection against even the
- strongest cryptanalytic attacks for decades.
- o All algorithms are negotiated, and in case some algorithm is
- broken, it is easy to switch to some other algorithm without
- modifying the base protocol.
-
- Specific concessions were made to make wide-spread fast deployment
- easier. The particular case where this comes up is verifying that
- the server host key really belongs to the desired host; the
- protocol allows the verification to be left out (but this is NOT
- RECOMMENDED). This is believed to significantly improve usability
- in the short term, until widespread Internet public key
- infrastructures emerge.
-
- 3.5 Packet Size and Overhead
-
- Some readers will worry about the increase in packet size due to
- new headers, padding, and MAC. The minimum packet size is in the
- order of 28 bytes (depending on negotiated algorithms). The
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 7]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- increase is negligible for large packets, but very significant for
- one-byte packets (telnet-type sessions). There are, however,
- several factors that make this a non-issue in almost all cases:
- o The minimum size of a TCP/IP header is 32 bytes. Thus, the
- increase is actually from 33 to 51 bytes (roughly).
- o The minimum size of the data field of an Ethernet packet is 46
- bytes [RFC-894]. Thus, the increase is no more than 5 bytes.
- When Ethernet headers are considered, the increase is less than
- 10 percent.
- o The total fraction of telnet-type data in the Internet is
- negligible, even with increased packet sizes.
-
- The only environment where the packet size increase is likely to
- have a significant effect is PPP [RFC-1134] over slow modem lines
- (PPP compresses the TCP/IP headers, emphasizing the increase in
- packet size). However, with modern modems, the time needed to
- transfer is in the order of 2 milliseconds, which is a lot faster
- than people can type.
-
- There are also issues related to the maximum packet size. To
- minimize delays in screen updates, one does not want excessively
- large packets for interactive sessions. The maximum packet size
- is negotiated separately for each channel.
-
- 3.6 Localization and Character Set Support
-
- For the most part, the SSH protocols do not directly pass text
- that would be displayed to the user. However, there are some
- places where such data might be passed. When applicable, the
- character set for the data MUST be explicitly specified. In most
- places, ISO 10646 with UTF-8 encoding is used [RFC-2279]. When
- applicable, a field is also provided for a language tag [RFC-
- 1766].
-
- One big issue is the character set of the interactive session.
- There is no clear solution, as different applications may display
- data in different formats. Different types of terminal emulation
- may also be employed in the client, and the character set to be
- used is effectively determined by the terminal emulation. Thus,
- no place is provided for directly specifying the character set or
- encoding for terminal session data. However, the terminal
- emulation type (e.g. "vt100") is transmitted to the remote site,
- and it implicitly specifies the character set and encoding.
- Applications typically use the terminal type to determine what
- character set they use, or the character set is determined using
- some external means. The terminal emulation may also allow
- configuring the default character set. In any case, the character
- set for the terminal session is considered primarily a client
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 8]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- local issue.
-
- Internal names used to identify algorithms or protocols are
- normally never displayed to users, and must be in US-ASCII.
-
- The client and server user names are inherently constrained by
- what the server is prepared to accept. They might, however,
- occasionally be displayed in logs, reports, etc. They MUST be
- encoded using ISO 10646 UTF-8, but other encodings may be required
- in some cases. It is up to the server to decide how to map user
- names to accepted user names. Straight bit-wise binary comparison
- is RECOMMENDED.
-
- For localization purposes, the protocol attempts to minimize the
- number of textual messages transmitted. When present, such
- messages typically relate to errors, debugging information, or
- some externally configured data. For data that is normally
- displayed, it SHOULD be possible to fetch a localized message
- instead of the transmitted message by using a numerical code. The
- remaining messages SHOULD be configurable.
-
- 4. Data Type Representations Used in the SSH Protocols
- byte
-
- A byte represents an arbitrary 8-bit value (octet) [RFC-1700].
- Fixed length data is sometimes represented as an array of
- bytes, written byte[n], where n is the number of bytes in the
- array.
-
- boolean
-
- A boolean value is stored as a single byte. The value 0
- represents FALSE, and the value 1 represents TRUE. All non-
- zero values MUST be interpreted as TRUE; however, applications
- MUST NOT store values other than 0 and 1.
-
- uint32
-
- Represents a 32-bit unsigned integer. Stored as four bytes in
- the order of decreasing significance (network byte order). For
- example, the value 699921578 (0x29b7f4aa) is stored as 29 b7 f4
- aa.
-
- uint64
-
- Represents a 64-bit unsigned integer. Stored as eight bytes in
- the order of decreasing significance (network byte order).
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 9]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- string
-
- Arbitrary length binary string. Strings are allowed to contain
- arbitrary binary data, including null characters and 8-bit
- characters. They are stored as a uint32 containing its length
- (number of bytes that follow) and zero (= empty string) or more
- bytes that are the value of the string. Terminating null
- characters are not used.
-
- Strings are also used to store text. In that case, US-ASCII is
- used for internal names, and ISO-10646 UTF-8 for text that
- might be displayed to the user. The terminating null character
- SHOULD NOT normally be stored in the string.
-
- For example, the US-ASCII string "testing" is represented as 00
- 00 00 07 t e s t i n g. The UTF8 mapping does not alter the
- encoding of US-ASCII characters.
-
- mpint
-
- Represents multiple precision integers in two's complement
- format, stored as a string, 8 bits per byte, MSB first.
- Negative numbers have the value 1 as the most significant bit
- of the first byte of the data partition. If the most
- significant bit would be set for a positive number, the number
- MUST be preceded by a zero byte. Unnecessary leading bytes
- with the value 0 or 255 MUST NOT be included. The value zero
- MUST be stored as a string with zero bytes of data.
-
- By convention, a number that is used in modular computations in
- Z_n SHOULD be represented in the range 0 <= x < n.
-
- Examples:
- value (hex) representation (hex)
- ---------------------------------------------------------------
- 0 00 00 00 00
- 9a378f9b2e332a7 00 00 00 08 09 a3 78 f9 b2 e3 32 a7
- 80 00 00 00 02 00 80
- -1234 00 00 00 02 ed cc
- -deadbeef 00 00 00 05 ff 21 52 41 11
-
-
-
- name-list
-
- A string containing a comma separated list of names. A name
- list is represented as a uint32 containing its length (number
- of bytes that follow) followed by a comma-separated list of
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 10]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- zero or more names. A name MUST be non-zero length, and it
- MUST NOT contain a comma (','). Context may impose additional
- restrictions on the names; for example, the names in a list may
- have to be valid algorithm identifier (see Algorithm Naming
- below), or [RFC-1766] language tags. The order of the names in
- a list may or may not be significant, also depending on the
- context where the list is is used. Terminating NUL characters
- are not used, neither for the individual names, nor for the
- list as a whole.
-
- Examples:
- value representation (hex)
- ---------------------------------------
- (), the empty list 00 00 00 00
- ("zlib") 00 00 00 04 7a 6c 69 62
- ("zlib", "none") 00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65
-
-
-
-
- 5. Algorithm Naming
-
- The SSH protocols refer to particular hash, encryption, integrity,
- compression, and key exchange algorithms or protocols by names.
- There are some standard algorithms that all implementations MUST
- support. There are also algorithms that are defined in the
- protocol specification but are OPTIONAL. Furthermore, it is
- expected that some organizations will want to use their own
- algorithms.
-
- In this protocol, all algorithm identifiers MUST be printable US-
- ASCII non-empty strings no longer than 64 characters. Names MUST
- be case-sensitive.
-
- There are two formats for algorithm names:
- o Names that do not contain an at-sign (@) are reserved to be
- assigned by IETF consensus (RFCs). Examples include `3des-
- cbc', `sha-1', `hmac-sha1', and `zlib' (the quotes are not part
- of the name). Names of this format MUST NOT be used without
- first registering them. Registered names MUST NOT contain an
- at-sign (@) or a comma (,).
- o Anyone can define additional algorithms by using names in the
- format name@domainname, e.g. "ourcipher-cbc@ssh.com". The
- format of the part preceding the at sign is not specified; it
- MUST consist of US-ASCII characters except at-sign and comma.
- The part following the at-sign MUST be a valid fully qualified
- internet domain name [RFC-1034] controlled by the person or
- organization defining the name. It is up to each domain how it
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 11]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- manages its local namespace.
-
- 6. Message Numbers
-
- SSH packets have message numbers in the range 1 to 255. These
- numbers have been allocated as follows:
-
-
- Transport layer protocol:
-
- 1 to 19 Transport layer generic (e.g. disconnect, ignore, debug,
- etc.)
- 20 to 29 Algorithm negotiation
- 30 to 49 Key exchange method specific (numbers can be reused for
- different authentication methods)
-
- User authentication protocol:
-
- 50 to 59 User authentication generic
- 60 to 79 User authentication method specific (numbers can be
- reused for different authentication methods)
-
- Connection protocol:
-
- 80 to 89 Connection protocol generic
- 90 to 127 Channel related messages
-
- Reserved for client protocols:
-
- 128 to 191 Reserved
-
- Local extensions:
-
- 192 to 255 Local extensions
-
-
-
- 7. IANA Considerations
-
- Allocation of the following types of names in the SSH protocols is
- assigned by IETF consensus:
- o encryption algorithm names,
- o MAC algorithm names,
- o public key algorithm names (public key algorithm also implies
- encoding and signature/encryption capability),
- o key exchange method names, and
- o protocol (service) names.
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 12]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- These names MUST be printable US-ASCII strings, and MUST NOT
- contain the characters at-sign ('@'), comma (','), or whitespace
- or control characters (ASCII codes 32 or less). Names are case-
- sensitive, and MUST NOT be longer than 64 characters.
-
- Names with the at-sign ('@') in them are allocated by the owner of
- DNS name after the at-sign (hierarchical allocation in [RFC-
- 2343]), otherwise the same restrictions as above.
-
- Each category of names listed above has a separate namespace.
- However, using the same name in multiple categories SHOULD be
- avoided to minimize confusion.
-
- Message numbers (see Section Message Numbers (Section 6)) in the
- range of 0..191 should be allocated via IETF consensus; message
- numbers in the 192..255 range (the "Local extensions" set) are
- reserved for private use.
-
- 8. Security Considerations
-
- In order to make the entire body of Security Considerations more
- accessible, Security Considerations for the transport,
- authentication, and connection documents have been gathered here.
-
- The transport protocol [1] provides a confidential channel over an
- insecure network. It performs server host authentication, key
- exchange, encryption, and integrity protection. It also derives a
- unique session id that may be used by higher-level protocols.
-
- The authentication protocol [2] provides a suite of mechanisms
- which can be used to authenticate the client user to the server.
- Individual mechanisms specified in the in authentication protocol
- use the session id provided by the transport protocol and/or
- depend on the security and integrity guarantees of the transport
- protocol.
-
- The connection protocol [3] specifies a mechanism to multiplex
- multiple streams [channels] of data over the confidential and
- authenticated transport. It also specifies channels for accessing
- an interactive shell, for 'proxy-forwarding' various external
- protocols over the secure transport (including arbitrary TCP/IP
- protocols), and for accessing secure 'subsystems' on the server
- host.
-
- 8.1 Pseudo-Random Number Generation
-
- This protocol binds each session key to the session by including
- random, session specific data in the hash used to produce session
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 13]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- keys. Special care should be taken to ensure that all of the
- random numbers are of good quality. If the random data here
- (e.g., DH parameters) are pseudo-random then the pseudo-random
- number generator should be cryptographically secure (i.e., its
- next output not easily guessed even when knowing all previous
- outputs) and, furthermore, proper entropy needs to be added to the
- pseudo-random number generator. RFC 1750 [1750] offers
- suggestions for sources of random numbers and entropy.
- Implementors should note the importance of entropy and the well-
- meant, anecdotal warning about the difficulty in properly
- implementing pseudo-random number generating functions.
-
- The amount of entropy available to a given client or server may
- sometimes be less than what is required. In this case one must
- either resort to pseudo-random number generation regardless of
- insufficient entropy or refuse to run the protocol. The latter is
- preferable.
-
- 8.2 Transport
-
- 8.2.1 Confidentiality
-
- It is beyond the scope of this document and the Secure Shell
- Working Group to analyze or recommend specific ciphers other than
- the ones which have been established and accepted within the
- industry. At the time of this writing, ciphers commonly in use
- include 3DES, ARCFOUR, twofish, serpent and blowfish. AES has
- been accepted by The published as a US Federal Information
- Processing Standards [FIPS-197] and the cryptographic community as
- being acceptable for this purpose as well has accepted AES. As
- always, implementors and users should check current literature to
- ensure that no recent vulnerabilities have been found in ciphers
- used within products. Implementors should also check to see which
- ciphers are considered to be relatively stronger than others and
- should recommend their use to users over relatively weaker
- ciphers. It would be considered good form for an implementation
- to politely and unobtrusively notify a user that a stronger cipher
- is available and should be used when a weaker one is actively
- chosen.
-
- The "none" cipher is provided for debugging and SHOULD NOT be used
- except for that purpose. It's cryptographic properties are
- sufficiently described in RFC 2410, which will show that its use
- does not meet the intent of this protocol.
-
- The relative merits of these and other ciphers may also be found
- in current literature. Two references that may provide
- information on the subject are [SCHNEIER] and
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 14]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- [KAUFMAN,PERLMAN,SPECINER]. Both of these describe the CBC mode
- of operation of certain ciphers and the weakness of this scheme.
- Essentially, this mode is theoretically vulnerable to chosen
- cipher-text attacks because of the high predictability of the
- start of packet sequence. However, this attack is still deemed
- difficult and not considered fully practicable especially if
- relatively longer block sizes are used.
-
- Additionally, another CBC mode attack may be mitigated through the
- insertion of packets containing SSH_MSG_IGNORE. Without this
- technique, a specific attack may be successful. For this attack
- (commonly known as the Rogaway attack
- [ROGAWAY],[DAI],[BELLARE,KOHNO,NAMPREMPRE]) to work, the attacker
- would need to know the IV of the next block that is going to be
- encrypted. In CBC mode that is the output of the encryption of
- the previous block. If the attacker does not have any way to see
- the packet yet (i.e it is in the internal buffers of the ssh
- implementation or even in the kernel) then this attack will not
- work. If the last packet has been sent out to the network (i.e
- the attacker has access to it) then he can use the attack.
-
- In the optimal case an implementor would need to add an extra
- packet only if the packet has been sent out onto the network and
- there are no other packets waiting for transmission. Implementors
- may wish to check to see if there are any unsent packets awaiting
- transmission, but unfortunately it is not normally easy to obtain
- this information from the kernel or buffers. If there are not,
- then a packet containing SSH_MSG_IGNORE SHOULD be sent. If a new
- packet is added to the stream every time the attacker knows the IV
- that is supposed to be used for the next packet, then the attacker
- will not be able to guess the correct IV, thus the attack will
- never be successfull.
-
- As an example, consider the following case:
-
-
- Client Server
- ------ ------
- TCP(seq=x, len=500) ->
- contains Record 1
-
- [500 ms passes, no ACK]
-
- TCP(seq=x, len=1000) ->
- contains Records 1,2
-
- ACK
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 15]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- 1. The Nagle algorithm + TCP retransmits mean that the two
- records get coalesced into a single TCP segment
- 2. Record 2 is *not* at the beginning of the TCP segment and
- never will be, since it gets ACKed.
- 3. Yet, the attack is possible because Record 1 has already been
- seen.
-
- As this example indicates, it's totally unsafe to use the
- existence of unflushed data in the TCP buffers proper as a guide
- to whether you need an empty packet, since when you do the second
- write(), the buffers will contain the un-ACKed Record 1.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 16]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- On the other hand, it's perfectly safe to have the following
- situation:
-
-
- Client Server
- ------ ------
- TCP(seq=x, len=500) ->
- contains SSH_MSG_IGNORE
-
- TCP(seq=y, len=500) ->
- contains Data
-
- Provided that the IV for second SSH Record is fixed after the data for
- the Data packet is determined -i.e. you do:
- read from user
- encrypt null packet
- encrypt data packet
-
-
- 8.2.2 Data Integrity
-
- This protocol does allow the Data Integrity mechanism to be
- disabled. Implementors SHOULD be wary of exposing this feature
- for any purpose other than debugging. Users and administrators
- SHOULD be explicitly warned anytime the "none" MAC is enabled.
-
- So long as the "none" MAC is not used, this protocol provides data
- integrity.
-
- Because MACs use a 32 bit sequence number, they might start to
- leak information after 2**32 packets have been sent. However,
- following the rekeying recommendations should prevent this attack.
- The transport protocol [1] recommends rekeying after one gigabyte
- of data, and the smallest possible packet is 16 bytes. Therefore,
- rekeying SHOULD happen after 2**28 packets at the very most.
-
- 8.2.3 Replay
-
- The use of a MAC other than 'none' provides integrity and
- authentication. In addition, the transport protocol provides a
- unique session identifier (bound in part to pseudo-random data
- that is part of the algorithm and key exchange process) that can
- be used by higher level protocols to bind data to a given session
- and prevent replay of data from prior sessions. For example, the
- authentication protocol uses this to prevent replay of signatures
- from previous sessions. Because public key authentication
- exchanges are cryptographically bound to the session (i.e., to the
- initial key exchange) they cannot be successfully replayed in
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 17]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- other sessions. Note that the session ID can be made public
- without harming the security of the protocol.
-
- If two session happen to have the same session ID [hash of key
- exchanges] then packets from one can be replayed against the
- other. It must be stressed that the chances of such an occurrence
- are, needless to say, minimal when using modern cryptographic
- methods. This is all the more so true when specifying larger hash
- function outputs and DH parameters.
-
- Replay detection using monotonically increasing sequence numbers
- as input to the MAC, or HMAC in some cases, is described in RFC
- 2085 [2085], RFC 2246 [2246], RFC 2743 [2743], RFC 1964 [1964],
- RFC 2025 [2025], and RFC 1510 [1510]. The underlying construct is
- discussed in RFC 2104 [2104]. Essentially a different sequence
- number in each packet ensures that at least this one input to the
- MAC function will be unique and will provide a nonrecurring MAC
- output that is not predictable to an attacker. If the session
- stays active long enough, however, this sequence number will wrap.
- This event may provide an attacker an opportunity to replay a
- previously recorded packet with an identical sequence number but
- only if the peers have not rekeyed since the transmission of the
- first packet with that sequence number. If the peers have
- rekeyed, then the replay will be detected as the MAC check will
- fail. For this reason, it must be emphasized that peers MUST
- rekey before a wrap of the sequence numbers. Naturally, if an
- attacker does attempt to replay a captured packet before the peers
- have rekeyed, then the receiver of the duplicate packet will not
- be able to validate the MAC and it will be discarded. The reason
- that the MAC will fail is because the receiver will formulate a
- MAC based upon the packet contents, the shared secret, and the
- expected sequence number. Since the replayed packet will not be
- using that expected sequence number (the sequence number of the
- replayed packet will have already been passed by the receiver)
- then the calculated MAC will not match the MAC received with the
- packet.
-
- 8.2.4 Man-in-the-middle
-
- This protocol makes no assumptions nor provisions for an
- infrastructure or means for distributing the public keys of hosts.
- It is expected that this protocol will sometimes be used without
- first verifying the association between the server host key and
- the server host name. Such usage is vulnerable to man-in-the-
- middle attacks. This section describes this and encourages
- administrators and users to understand the importance of verifying
- this association before any session is initiated.
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 18]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- There are three cases of man-in-the-middle attacks to consider.
- The first is where an attacker places a device between the client
- and the server before the session is initiated. In this case, the
- attack device is trying to mimic the legitimate server and will
- offer its public key to the client when the client initiates a
- session. If it were to offer the public key of the server, then
- it would not be able to decrypt or sign the transmissions between
- the legitimate server and the client unless it also had access to
- the private-key of the host. The attack device will also,
- simultaneously to this, initiate a session to the legitimate
- server masquerading itself as the client. If the public key of
- the server had been securely distributed to the client prior to
- that session initiation, the key offered to the client by the
- attack device will not match the key stored on the client. In
- that case, the user SHOULD be given a warning that the offered
- host key does not match the host key cached on the client. As
- described in Section 3.1 of [ARCH], the user may be free to accept
- the new key and continue the session. It is RECOMMENDED that the
- warning provide sufficient information to the user of the client
- device so they may make an informed decision. If the user chooses
- to continue the session with the stored public-key of the server
- (not the public-key offered at the start of the session), then the
- session specific data between the attacker and server will be
- different between the client-to-attacker session and the attacker-
- to-server sessions due to the randomness discussed above. From
- this, the attacker will not be able to make this attack work since
- the attacker will not be able to correctly sign packets containing
- this session specific data from the server since he does not have
- the private key of that server.
-
- The second case that should be considered is similar to the first
- case in that it also happens at the time of connection but this
- case points out the need for the secure distribution of server
- public keys. If the server public keys are not securely
- distributed then the client cannot know if it is talking to the
- intended server. An attacker may use social engineering
- techniques to pass off server keys to unsuspecting users and may
- then place a man-in-the-middle attack device between the
- legitimate server and the clients. If this is allowed to happen
- then the clients will form client-to-attacker sessions and the
- attacker will form attacker-to-server sessions and will be able to
- monitor and manipulate all of the traffic between the clients and
- the legitimate servers. Server administrators are encouraged to
- make host key fingerprints available for checking by some means
- whose security does not rely on the integrity of the actual host
- keys. Possible mechanisms are discussed in Section 3.1 of [SSH-
- ARCH] and may also include secured Web pages, physical pieces of
- paper, etc. Implementors SHOULD provide recommendations on how
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 19]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- best to do this with their implementation. Because the protocol
- is extensible, future extensions to the protocol may provide
- better mechanisms for dealing with the need to know the server's
- host key before connecting. For example, making the host key
- fingerprint available through a secure DNS lookup, or using
- kerberos over gssapi during key exchange to authenticate the
- server are possibilities.
-
- In the third man-in-the-middle case, attackers may attempt to
- manipulate packets in transit between peers after the session has
- been established. As described in the Replay part of this
- section, a successful attack of this nature is very improbable.
- As in the Replay section, this reasoning does assume that the MAC
- is secure and that it is infeasible to construct inputs to a MAC
- algorithm to give a known output. This is discussed in much
- greater detail in Section 6 of RFC 2104. If the MAC algorithm has
- a vulnerability or is weak enough, then the attacker may be able
- to specify certain inputs to yield a known MAC. With that they
- may be able to alter the contents of a packet in transit.
- Alternatively the attacker may be able to exploit the algorithm
- vulnerability or weakness to find the shared secret by reviewing
- the MACs from captured packets. In either of those cases, an
- attacker could construct a packet or packets that could be
- inserted into an SSH stream. To prevent that, implementors are
- encouraged to utilize commonly accepted MAC algorithms and
- administrators are encouraged to watch current literature and
- discussions of cryptography to ensure that they are not using a
- MAC algorithm that has a recently found vulnerability or weakness.
-
- In summary, the use of this protocol without a reliable
- association of the binding between a host and its host keys is
- inherently insecure and is NOT RECOMMENDED. It may however be
- necessary in non-security critical environments, and will still
- provide protection against passive attacks. Implementors of
- protocols and applications running on top of this protocol should
- keep this possibility in mind.
-
- 8.2.5 Denial-of-service
-
- This protocol is designed to be used over a reliable transport.
- If transmission errors or message manipulation occur, the
- connection is closed. The connection SHOULD be re-established if
- this occurs. Denial of service attacks of this type ("wire
- cutter") are almost impossible to avoid.
-
- In addition, this protocol is vulnerable to Denial of Service
- attacks because an attacker can force the server to go through the
- CPU and memory intensive tasks of connection setup and key
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 20]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- exchange without authenticating. Implementors SHOULD provide
- features that make this more difficult. For example, only
- allowing connections from a subset of IPs known to have valid
- users.
-
- 8.2.6 Covert Channels
-
- The protocol was not designed to eliminate covert channels. For
- example, the padding, SSH_MSG_IGNORE messages, and several other
- places in the protocol can be used to pass covert information, and
- the recipient has no reliable way to verify whether such
- information is being sent.
-
- 8.2.7 Forward Secrecy
-
- It should be noted that the Diffie-Hellman key exchanges may
- provide perfect forward secrecy (PFS). PFS is essentially defined
- as the cryptographic property of a key-establishment protocol in
- which the compromise of a session key or long-term private key
- after a given session does not cause the compromise of any earlier
- session. [ANSI T1.523-2001] SSHv2 sessions resulting from a key
- exchange using diffie-hellman-group1-sha1 are secure even if
- private keying/authentication material is later revealed, but not
- if the session keys are revealed. So, given this definition of
- PFS, SSHv2 does have PFS. It is hoped that all other key exchange
- mechanisms proposed and used in the future will also provide PFS.
- This property is not commuted to any of the applications or
- protocols using SSH as a transport however. The transport layer
- of SSH provides confidentiality for password authentication and
- other methods that rely on secret data.
-
- Of course, if the DH private parameters for the client and server
- are revealed then the session key is revealed, but these items can
- be thrown away after the key exchange completes. It's worth
- pointing out that these items should not be allowed to end up on
- swap space and that they should be erased from memory as soon as
- the key exchange completes.
-
- 8.3 Authentication Protocol
-
- The purpose of this protocol is to perform client user
- authentication. It assumes that this run over a secure transport
- layer protocol, which has already authenticated the server
- machine, established an encrypted communications channel, and
- computed a unique session identifier for this session.
-
- Several authentication methods with different security
- characteristics are allowed. It is up to the server's local
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 21]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- policy to decide which methods (or combinations of methods) it is
- willing to accept for each user. Authentication is no stronger
- than the weakest combination allowed.
-
- The server may go into a "sleep" period after repeated
- unsuccessful authentication attempts to make key search more
- difficult for attackers. Care should be taken so that this
- doesn't become a self-denial of service vector.
-
- 8.3.1 Weak Transport
-
- If the transport layer does not provide confidentiality,
- authentication methods that rely on secret data SHOULD be
- disabled. If it does not provide strong integrity protection,
- requests to change authentication data (e.g. a password change)
- SHOULD be disabled to prevent an attacker from modifying the
- ciphertext without being noticed, or rendering the new
- authentication data unusable (denial of service).
-
- The assumption as stated above that the Authentication Protocol
- only run over a secure transport that has previously authenticated
- the server is very important to note. People deploying SSH are
- reminded of the consequences of man-in-the-middle attacks if the
- client does not have a very strong a priori association of the
- server with the host key of that server. Specifically for the
- case of the Authentication Protocol the client may form a session
- to a man-in-the-middle attack device and divulge user credentials
- such as their username and password. Even in the cases of
- authentication where no user credentials are divulged, an attacker
- may still gain information they shouldn't have by capturing key-
- strokes in much the same way that a honeypot works.
-
- 8.3.2 Debug messages
-
- Special care should be taken when designing debug messages. These
- messages may reveal surprising amounts of information about the
- host if not properly designed. Debug messages can be disabled
- (during user authentication phase) if high security is required.
- Administrators of host machines should make all attempts to
- compartmentalize all event notification messages and protect them
- from unwarranted observation. Developers should be aware of the
- sensitive nature of some of the normal event messages and debug
- messages and may want to provide guidance to administrators on
- ways to keep this information away from unauthorized people.
- Developers should consider minimizing the amount of sensitive
- information obtainable by users during the authentication phase in
- accordance with the local policies. For this reason, it is
- RECOMMENDED that debug messages be initially disabled at the time
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 22]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- of deployment and require an active decision by an administrator
- to allow them to be enabled. It is also RECOMMENDED that a
- message expressing this concern be presented to the administrator
- of a system when the action is taken to enable debugging messages.
-
- 8.3.3 Local security policy
-
- Implementer MUST ensure that the credentials provided validate the
- professed user and also MUST ensure that the local policy of the
- server permits the user the access requested. In particular,
- because of the flexible nature of the SSH connection protocol, it
- may not be possible to determine the local security policy, if
- any, that should apply at the time of authentication because the
- kind of service being requested is not clear at that instant. For
- example, local policy might allow a user to access files on the
- server, but not start an interactive shell. However, during the
- authentication protocol, it is not known whether the user will be
- accessing files or attempting to use an interactive shell, or even
- both. In any event, where local security policy for the server
- host exists, it MUST be applied and enforced correctly.
-
- Implementors are encouraged to provide a default local policy and
- make its parameters known to administrators and users. At the
- discretion of the implementors, this default policy may be along
- the lines of 'anything goes' where there are no restrictions
- placed upon users, or it may be along the lines of 'excessively
- restrictive' in which case the administrators will have to
- actively make changes to this policy to meet their needs.
- Alternatively, it may be some attempt at providing something
- practical and immediately useful to the administrators of the
- system so they don't have to put in much effort to get SSH
- working. Whatever choice is made MUST be applied and enforced as
- required above.
-
- 8.3.4 Public key authentication
-
- The use of public-key authentication assumes that the client host
- has not been compromised.
-
- This risk can be mitigated by the use of passphrases on private
- keys; however, this is not an enforceable policy. The use of
- smartcards, or other technology to make passphrases an enforceable
- policy is suggested.
-
- The server could require both password and public-key
- authentication, however, this requires the client to expose its
- password to the server (see section on password authentication
- below.)
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 23]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- 8.3.5 Password authentication
-
- The password mechanism as specified in the authentication protocol
- assumes that the server has not been compromised. If the server
- has been compromised, using password authentication will reveal a
- valid username / password combination to the attacker, which may
- lead to further compromises.
-
- This vulnerability can be mitigated by using an alternative form
- of authentication. For example, public-key authentication makes
- no assumptions about security on the server.
-
- 8.3.6 Host based authentication
-
- Host based authentication assumes that the client has not been
- compromised. There are no mitigating strategies, other than to
- use host based authentication in combination with another
- authentication method.
-
- 8.4 Connection protocol
-
- 8.4.1 End point security
-
- End point security is assumed by the connection protocol. If the
- server has been compromised, any terminal sessions, port
- forwarding, or systems accessed on the host are compromised.
- There are no mitigating factors for this.
-
- If the client end point has been compromised, and the server fails
- to stop the attacker at the authentication protocol, all services
- exposed (either as subsystems or through forwarding) will be
- vulnerable to attack. Implementors SHOULD provide mechanisms for
- administrators to control which services are exposed to limit the
- vulnerability of other services.
-
- These controls might include controlling which machines and ports
- can be target in 'port-forwarding' operations, which users are
- allowed to use interactive shell facilities, or which users are
- allowed to use exposed subsystems.
-
- 8.4.2 Proxy forwarding
-
- The SSH connection protocol allows for proxy forwarding of other
- protocols such as SNMP, POP3, and HTTP. This may be a concern for
- network administrators who wish to control the access of certain
- applications by users located outside of their physical location.
- Essentially, the forwarding of these protocols may violate site
- specific security policies as they may be undetectably tunneled
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 24]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- through a firewall. Implementors SHOULD provide an administrative
- mechanism to control the proxy forwarding functionality so that
- site specific security policies may be upheld.
-
- In addition, a reverse proxy forwarding functionality is
- available, which again can be used to bypass firewall controls.
-
- As indicated above, end-point security is assumed during proxy
- forwarding operations. Failure of end-point security will
- compromise all data passed over proxy forwarding.
-
- 8.4.3 X11 forwarding
-
- Another form of proxy forwarding provided by the ssh connection
- protocol is the forwarding of the X11 protocol. If end-point
- security has been compromised, X11 forwarding may allow attacks
- against the X11 server. Users and administrators should, as a
- matter of course, use appropriate X11 security mechanisms to
- prevent unauthorized use of the X11 server. Implementors,
- administrators and users who wish to further explore the security
- mechanisms of X11 are invited to read [SCHEIFLER] and analyze
- previously reported problems with the interactions between SSH
- forwarding and X11 in CERT vulnerabilities VU#363181 and VU#118892
- [CERT].
-
- X11 display forwarding with SSH, by itself, is not sufficient to
- correct well known problems with X11 security [VENEMA]. However,
- X11 display forwarding in SSHv2 (or other, secure protocols),
- combined with actual and pseudo-displays which accept connections
- only over local IPC mechanisms authorized by permissions or ACLs,
- does correct many X11 security problems as long as the "none" MAC
- is not used. It is RECOMMENDED that X11 display implementations
- default to allowing display opens only over local IPC. It is
- RECOMMENDED that SSHv2 server implementations that support X11
- forwarding default to allowing display opens only over local IPC.
- On single-user systems it might be reasonable to default to
- allowing local display opens over TCP/IP.
-
- Implementors of the X11 forwarding protocol SHOULD implement the
- magic cookie access checking spoofing mechanism as described in
- [ssh-connect] as an additional mechanism to prevent unauthorized
- use of the proxy.
-
- 9. Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 25]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- in this document or the extent to which any license under such
- rights might or might not be available; neither does it represent
- that it has made any effort to identify any such rights.
- Information on the IETF's procedures with respect to rights in
- standards-track and standards-related documentation can be found
- in BCP-11. Copies of claims of rights made available for
- publication and any assurances of licenses to be made available,
- or the result of an attempt made to obtain a general license or
- permission for the use of such proprietary rights by implementers
- or users of this specification can be obtained from the IETF
- Secretariat.
-
- The IETF has been notified of intellectual property rights claimed
- in regard to some or all of the specification contained in this
- document. For more information consult the online list of claimed
- rights.
-
- 10. Additional Information
-
- The current document editor is: Darren.Moffat@Sun.COM. Comments
- on this internet draft should be sent to the IETF SECSH working
- group, details at: http://ietf.org/html.charters/secsh-
- charter.html
-
-References
-
- [FIPS-186] Federal Information Processing
- Standards Publication, ., "FIPS PUB
- 186, Digital Signature Standard", May
- 1994.
-
- [FIPS-197] National Institue of Standards and
- Technology, ., "FIPS 197,
- Specification for the Advanced
- Encryption Standard", November 2001.
-
- [ANSI T1.523-2001] American National Standards Insitute,
- Inc., "Telecom Glossary 2000",
- February 2001.
-
- [SCHEIFLER] Scheifler, R., "X Window System : The
- Complete Reference to Xlib, X
- Protocol, Icccm, Xlfd, 3rd edition.",
- Digital Press ISBN 1555580882,
- Feburary 1992.
-
- [RFC0854] Postel, J. and J. Reynolds, "Telnet
- Protocol Specification", STD 8, RFC
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 26]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- 854, May 1983.
-
- [RFC0894] Hornig, C., "Standard for the
- transmission of IP datagrams over
- Ethernet networks", STD 41, RFC 894,
- Apr 1984.
-
- [RFC1034] Mockapetris, P., "Domain names -
- concepts and facilities", STD 13, RFC
- 1034, Nov 1987.
-
- [RFC1134] Perkins, D., "Point-to-Point Protocol:
- A proposal for multi-protocol
- transmission of datagrams over Point-
- to-Point links", RFC 1134, Nov 1989.
-
- [RFC1282] Kantor, B., "BSD Rlogin", RFC 1282,
- December 1991.
-
- [RFC1510] Kohl, J. and C. Neuman, "The Kerberos
- Network Authentication Service (V5)",
- RFC 1510, September 1993.
-
- [RFC1700] Reynolds, J. and J. Postel, "Assigned
- Numbers", STD 2, RFC 1700, October
- 1994.
-
- [RFC1750] Eastlake, D., Crocker, S. and J.
- Schiller, "Randomness Recommendations
- for Security", RFC 1750, December
- 1994.
-
- [RFC1766] Alvestrand, H., "Tags for the
- Identification of Languages", RFC
- 1766, March 1995.
-
- [RFC1964] Linn, J., "The Kerberos Version 5 GSS-
- API Mechanism", RFC 1964, June 1996.
-
- [RFC2025] Adams, C., "The Simple Public-Key GSS-
- API Mechanism (SPKM)", RFC 2025,
- October 1996.
-
- [RFC2085] Oehler, M. and R. Glenn, "HMAC-MD5 IP
- Authentication with Replay
- Prevention", RFC 2085, February 1997.
-
- [RFC2104] Krawczyk, H., Bellare, M. and R.
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 27]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- Canetti, "HMAC: Keyed-Hashing for
- Message Authentication", RFC 2104,
- February 1997.
-
- [RFC2119] Bradner, S., "Key words for use in
- RFCs to Indicate Requirement Levels",
- BCP 14, RFC 2119, March 1997.
-
- [RFC2246] Dierks, T. and C. Allen, "The TLS
- Protocol Version 1.0", RFC 2246,
- January 1999.
-
- [RFC2279] Yergeau, F., "UTF-8, a transformation
- format of ISO 10646", RFC 2279,
- January 1998.
-
- [RFC2410] Glenn, R. and S. Kent, "The NULL
- Encryption Algorithm and Its Use With
- IPsec", RFC 2410, November 1998.
-
- [RFC2434] Narten, T. and H. Alvestrand,
- "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP
- 26, RFC 2434, October 1998.
-
- [RFC2743] Linn, J., "Generic Security Service
- Application Program Interface Version
- 2, Update 1", RFC 2743, January 2000.
-
- [SSH-ARCH] Ylonen, T., "SSH Protocol
- Architecture", I-D draft-ietf-
- architecture-14.txt, July 2003.
-
- [SSH-TRANS] Ylonen, T., "SSH Transport Layer
- Protocol", I-D draft-ietf-transport-
- 16.txt, July 2003.
-
- [SSH-USERAUTH] Ylonen, T., "SSH Authentication
- Protocol", I-D draft-ietf-userauth-
- 17.txt, July 2003.
-
- [SSH-CONNECT] Ylonen, T., "SSH Connection Protocol",
- I-D draft-ietf-connect-17.txt, July
- 2003.
-
- [SSH-NUMBERS] Lehtinen, S. and D. Moffat, "SSH
- Protocol Assigned Numbers", I-D draft-
- ietf-secsh-assignednumbers-03.txt,
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 28]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- July 2003.
-
- [SCHNEIER] Schneier, B., "Applied Cryptography
- Second Edition: protocols algorithms
- and source in code in C", 1996.
-
- [KAUFMAN,PERLMAN,SPECINER] Kaufman, C., Perlman, R. and M.
- Speciner, "Network Security: PRIVATE
- Communication in a PUBLIC World",
- 1995.
-
- [CERT] CERT Coordination Center, The.,
- "http://www.cert.org/nav/index_red.html"
- .
-
- [VENEMA] Venema, W., "Murphy's Law and Computer
- Security", Proceedings of 6th USENIX
- Security Symposium, San Jose CA
- http://www.usenix.org/publications/library/proceedings/sec96/venema.html
- , July 1996.
-
- [ROGAWAY] Rogaway, P., "Problems with Proposed
- IP Cryptography", Unpublished paper
- http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt
- , 1996.
-
- [DAI] Dai, W., "An attack against SSH2
- protocol", Email to the SECSH Working
- Group ietf-ssh@netbsd.org
- ftp://ftp.ietf.org/ietf-mail-
- archive/secsh/2002-02.mail, Feb 2002.
-
- [BELLARE,KOHNO,NAMPREMPRE] Bellaire, M., Kohno, T. and C.
- Namprempre, "Authenticated Encryption
- in SSH: Fixing the SSH Binary Packet
- Protocol", , Sept 2002.
-
-
-Authors' Addresses
-
- Tatu Ylonen
- SSH Communications Security Corp
- Fredrikinkatu 42
- HELSINKI FIN-00100
- Finland
-
- EMail: ylo@ssh.com
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 29]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
- Tero Kivinen
- SSH Communications Security Corp
- Fredrikinkatu 42
- HELSINKI FIN-00100
- Finland
-
- EMail: kivinen@ssh.com
-
-
- Markku-Juhani O. Saarinen
- University of Jyvaskyla
-
-
- Timo J. Rinne
- SSH Communications Security Corp
- Fredrikinkatu 42
- HELSINKI FIN-00100
- Finland
-
- EMail: tri@ssh.com
-
-
- Sami Lehtinen
- SSH Communications Security Corp
- Fredrikinkatu 42
- HELSINKI FIN-00100
- Finland
-
- EMail: sjl@ssh.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 30]
-
-Internet-Draft SSH Protocol Architecture July 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished
- to others, and derivative works that comment on or otherwise
- explain it or assist in its implementation may be prepared,
- copied, published and distributed, in whole or in part, without
- restriction of any kind, provided that the above copyright notice
- and this paragraph are included on all such copies and derivative
- works. However, this document itself may not be modified in any
- way, such as by removing the copyright notice or references to the
- Internet Society or other Internet organizations, except as needed
- for the purpose of developing Internet standards in which case the
- procedures for copyrights defined in the Internet Standards
- process must be followed, or as required to translate it into
- languages other than English.
-
- The limited permissions granted above are perpetual and will not
- be revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on
- an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ylonen, et. al. Expires January 12, 2004 [Page 31]
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-19 16:50:08 +0000