Skip to main content

Key Exchange (KEX) and Host Key Algorithms in SSH

Key Exchange (KEX) and Host Key Algorithms in SSH


Key Exchange (KEX):

Key Exchange is the process by which an SSH client and server establish cryptographic keys to secure the communication channel between them. The key exchange process typically involves the following steps:

Initiation: The SSH client initiates the connection by sending a Key Exchange Initiation (KEXINIT) message to the server, indicating its supported algorithms and preferences.

Example: The SSH client sends a Key Exchange Initiation (KEXINIT) message to the server:

Client: KEXINIT

Algorithm Negotiation: The server responds with its own list of supported key exchange algorithms. Both parties negotiate and agree upon a mutually acceptable algorithm to use for key exchange.

Example: The server responds with its list of supported key exchange algorithms:

Server: KEXINIT
Algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1

Key Generation: Both the client and server generate a shared secret key based on cryptographic principles such as Diffie-Hellman key exchange.

Example: Shared secret key generated using Diffie-Hellman algorithm.


Key Derivation: The shared secret key is then used to derive session keys for encrypting and decrypting data exchanged during the SSH session.

Authentication: Finally, both parties authenticate each other using the generated session keys, ensuring the integrity and authenticity of the connection.

Key Exchange algorithms in SSH are designed to provide secure and efficient key establishment while resisting cryptographic attacks such as man-in-the-middle (MITM) attacks. Some commonly used Key Exchange algorithms in SSH include:

Diffie-Hellman Group Exchange (DH Group Exchange): Allows the client and server to negotiate a group for Diffie-Hellman key exchange, providing forward secrecy.
Elliptic Curve Diffie-Hellman (ECDH): Uses elliptic curve cryptography for key exchange, offering strong security with smaller key sizes compared to traditional methods.
RSA Key Exchange: Uses RSA encryption for key exchange, but it's less commonly used due to its susceptibility to attacks such as Bleichenbacher's attack.


Host Key Algorithms


Host Key Algorithms are used in SSH to verify the authenticity of the SSH server and protect against server impersonation attacks. When a client connects to an SSH server for the first time, it receives the server's public host key. Subsequent connections include a verification step where the server's public key is checked against the previously received key.

Here's how Host Key Algorithms work:


Server Public Key Generation: The SSH server generates a public-private key pair for use in authentication and encryption. The server's public key is distributed to clients.
Example: The SSH server generates an RSA public-private key pair for authentication and encryption.


Client Verification: When a client connects to the server, the server sends its public key to the client during the key exchange process.

Example: When a client connects to the server, the server sends its public key during the key exchange process.

Server: SSH-2.0-OpenSSH_7.9
Server Host Key: RSA

Key Verification: The client verifies the authenticity of the server's public key by checking it against a list of trusted host keys stored locally.

Example: The client verifies the authenticity of the server's public key by checking it against a list of trusted host keys stored locally.

Client: Verify host key RSA

Trust On First Use (TOFU): If the server's public key is not found in the list of trusted keys, the client prompts the user to confirm whether to trust the key. Once trusted, the key is stored for future connections.

Example: If the server's public key is not found in the list of trusted keys, the client prompts the user to confirm whether to trust the key.

Client: The authenticity of host 'example.com (203.0.113.1)' can't be established.



Some common Host Key Algorithms used in SSH include:


RSA: Uses RSA encryption for generating the host key. RSA is widely supported and considered secure when used with sufficiently large key sizes.
DSA (Digital Signature Algorithm): Another commonly used algorithm for generating host keys, but its usage has declined due to security concerns and the preference for RSA or ECDSA.
ECDSA (Elliptic Curve Digital Signature Algorithm): Provides strong security with smaller key sizes compared to RSA or DSA, making it an efficient choice for host key generation.

Example:

Suppose a client wants to establish an SSH connection with a server. During the initial handshake, the client and server negotiate a Key Exchange Algorithm (e.g., Diffie-Hellman Group Exchange) and a Host Key Algorithm (e.g., RSA). The client then verifies the authenticity of the server's public key using its list of trusted host keys. Once verified, the client and server proceed with the key exchange process to establish a secure SSH connection.

In summary, Key Exchange (KEX) and Host Key Algorithms play critical roles in securing SSH connections by facilitating secure key exchange and verifying the authenticity of SSH servers, respectively. These algorithms help protect against various security threats and ensure the confidentiality, integrity, and authenticity of SSH communications.





If you like please follow and comment
Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

How to Validate TDE Wallet Password in Oracle Database

How to Validate TDE Wallet Password in Oracle Database Validating the Transparent Data Encryption (TDE) wallet password is crucial, especially when ensuring that the password is correct without using the OPEN or CLOSE commands in the database. This blog post explains a straightforward method to validate the TDE password using the mkstore utility. Steps to Validate TDE Wallet Password Follow these steps to validate the TDE wallet password: Step 1: Copy the Keystore/Wallet File Navigate to your existing TDE wallet directory. Copy only the ewallet.p12 file to a new directory. If a cwallet.sso file exists, do not copy it . The absence of cwallet.sso ensures that the wallet does not use auto-login, forcing the utility to prompt for the password. Step 2: Validate Using mkstore Use the mkstore utility to check the contents of the wallet file. The mkstore utility will prompt you for the TDE wallet password, allowing you to validate its correctness. Command Syntax To display the conten...
Post a Comment
Read more

EBS 12.2 ADOP Interview Questions With Scenarios

EBS 12.2 ADOP Interview Questions With Scenarios Note: Check the patch cycle log is important to fix any issues.  Location: $ADOP_LOG_HOME Useful Adop Commands Click here 1.What is ADOP concept in oracle apps Online patching is the most important new feature in Oracle E-Business Suite Release 12.2. It is the ability to patch a running system without having to take the system down for a significant period of time while the patches are applied. 'adop' is the utility we use to apply patches in R12.2 2.What is PATCH_TOP directory in R12.2 In R12.2 there is a new directory location environment variable called $PATCH_TOP which points to $NE_BASE/EBSapps/patch $NE_BASE points to <Non-Editioned-filesystem-directory> Download the patch into the patch top directory and unzip it. This is the default location where the adop will look for patch files. If you are planning to put patches in non-defualt location then you need to use adop parameter 'patchtop=<patch_path>' to...
Post a Comment
Read more