diff options
Diffstat (limited to 'doc/rfc/rfc4251.txt')
-rw-r--r-- | doc/rfc/rfc4251.txt | 1683 |
1 files changed, 1683 insertions, 0 deletions
diff --git a/doc/rfc/rfc4251.txt b/doc/rfc/rfc4251.txt new file mode 100644 index 0000000..ffc33ea --- /dev/null +++ b/doc/rfc/rfc4251.txt @@ -0,0 +1,1683 @@ + + + + + + +Network Working Group T. Ylonen +Request for Comments: 4251 SSH Communications Security Corp +Category: Standards Track C. Lonvick, Ed. + Cisco Systems, Inc. + January 2006 + + + The Secure Shell (SSH) Protocol Architecture + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + The Secure Shell (SSH) Protocol is a protocol for secure remote login + and other secure network services over an insecure network. This + document describes the architecture of the SSH protocol, as well as + the notation and terminology used in SSH protocol documents. It also + discusses the SSH algorithm naming system that allows local + extensions. The SSH protocol consists of three major components: The + Transport Layer Protocol provides server authentication, + confidentiality, and integrity with perfect forward secrecy. The + User Authentication Protocol authenticates the client to the server. + The Connection Protocol multiplexes the encrypted tunnel into several + logical channels. Details of these protocols are described in + separate documents. + + + + + + + + + + + + + + + + +Ylonen & Lonvick Standards Track [Page 1] + +RFC 4251 SSH Protocol Architecture January 2006 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. Contributors ....................................................3 + 3. Conventions Used in This Document ...............................4 + 4. Architecture ....................................................4 + 4.1. Host Keys ..................................................4 + 4.2. Extensibility ..............................................6 + 4.3. Policy Issues ..............................................6 + 4.4. Security Properties ........................................7 + 4.5. Localization and Character Set Support .....................7 + 5. Data Type Representations Used in the SSH Protocols .............8 + 6. Algorithm and Method Naming ....................................10 + 7. Message Numbers ................................................11 + 8. IANA Considerations ............................................12 + 9. Security Considerations ........................................13 + 9.1. Pseudo-Random Number Generation ...........................13 + 9.2. Control Character Filtering ...............................14 + 9.3. Transport .................................................14 + 9.3.1. Confidentiality ....................................14 + 9.3.2. Data Integrity .....................................16 + 9.3.3. Replay .............................................16 + 9.3.4. Man-in-the-middle ..................................17 + 9.3.5. Denial of Service ..................................19 + 9.3.6. Covert Channels ....................................20 + 9.3.7. Forward Secrecy ....................................20 + 9.3.8. Ordering of Key Exchange Methods ...................20 + 9.3.9. Traffic Analysis ...................................21 + 9.4. Authentication Protocol ...................................21 + 9.4.1. Weak Transport .....................................21 + 9.4.2. Debug Messages .....................................22 + 9.4.3. Local Security Policy ..............................22 + 9.4.4. Public Key Authentication ..........................23 + 9.4.5. Password Authentication ............................23 + 9.4.6. Host-Based Authentication ..........................23 + 9.5. Connection Protocol .......................................24 + 9.5.1. End Point Security .................................24 + 9.5.2. Proxy Forwarding ...................................24 + 9.5.3. X11 Forwarding .....................................24 + 10. References ....................................................26 + 10.1. Normative References .....................................26 + 10.2. Informative References ...................................26 + Authors' Addresses ................................................29 + Trademark Notice ..................................................29 + + + + + + + +Ylonen & Lonvick Standards Track [Page 2] + +RFC 4251 SSH Protocol Architecture January 2006 + + +1. Introduction + + Secure Shell (SSH) is a protocol for secure remote login and other + secure network services over an insecure network. It consists of + three major components: + + o The Transport Layer Protocol [SSH-TRANS] provides server + authentication, confidentiality, and integrity. It may optionally + also provide compression. The transport layer will typically be + run over a TCP/IP connection, but might also be used on top of any + other reliable data stream. + + o The User Authentication Protocol [SSH-USERAUTH] authenticates the + client-side user to the server. It runs over the transport layer + protocol. + + o The Connection Protocol [SSH-CONNECT] multiplexes the encrypted + tunnel into several logical channels. It runs over the user + authentication protocol. + + The client sends a service request once a secure transport layer + connection has been established. A second service request is sent + after user authentication is complete. This allows new protocols to + be defined and coexist with the protocols listed above. + + The connection protocol provides channels that can be used for a wide + range of purposes. Standard methods are provided for setting up + secure interactive shell sessions and for forwarding ("tunneling") + arbitrary TCP/IP ports and X11 connections. + +2. Contributors + + The major original contributors of this set of documents have been: + Tatu Ylonen, Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH + Communications Security Corp), and Markku-Juhani O. Saarinen + (University of Jyvaskyla). Darren Moffat was the original editor of + this set of documents and also made very substantial contributions. + + Many people contributed to the development of this document over the + years. People who should be acknowledged include Mats Andersson, Ben + Harris, Bill Sommerfeld, Brent McClure, Niels Moller, Damien Miller, + Derek Fawcus, Frank Cusack, Heikki Nousiainen, Jakob Schlyter, Jeff + Van Dyke, Jeffrey Altman, Jeffrey Hutzelman, Jon Bright, Joseph + Galbraith, Ken Hornstein, Markus Friedl, Martin Forssen, Nicolas + Williams, Niels Provos, Perry Metzger, Peter Gutmann, Simon + Josefsson, Simon Tatham, Wei Dai, Denis Bider, der Mouse, and + Tadayoshi Kohno. Listing their names here does not mean that they + endorse this document, but that they have contributed to it. + + + +Ylonen & Lonvick Standards Track [Page 3] + +RFC 4251 SSH Protocol Architecture January 2006 + + +3. Conventions Used in This Document + + All documents related to the SSH protocols shall use the keywords + "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", + "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe + requirements. These keywords are to be interpreted as described in + [RFC2119]. + + The keywords "PRIVATE USE", "HIERARCHICAL ALLOCATION", "FIRST COME + FIRST SERVED", "EXPERT REVIEW", "SPECIFICATION REQUIRED", "IESG + APPROVAL", "IETF CONSENSUS", and "STANDARDS ACTION" that appear in + this document when used to describe namespace allocation are to be + interpreted as described in [RFC2434]. + + Protocol fields and possible values to fill them are defined in this + set of documents. Protocol fields will be defined in the message + definitions. As an example, SSH_MSG_CHANNEL_DATA is defined as + follows. + + byte SSH_MSG_CHANNEL_DATA + uint32 recipient channel + string data + + Throughout these documents, when the fields are referenced, they will + appear within single quotes. When values to fill those fields are + referenced, they will appear within double quotes. Using the above + example, possible values for 'data' are "foo" and "bar". + +4. Architecture + +4.1. Host Keys + + Each server host SHOULD have a host key. Hosts MAY have multiple + host keys using multiple different algorithms. Multiple hosts MAY + share the same host key. If a host has keys at all, it MUST have at + least one key that uses each REQUIRED public key algorithm (DSS + [FIPS-186-2]). + + The server host key is used during key exchange to verify that the + client is really talking to the correct server. For this to be + possible, the client must have a priori knowledge of the server's + public host key. + + Two different trust models can be used: + + o The client has a local database that associates each host name (as + typed by the user) with the corresponding public host key. This + method requires no centrally administered infrastructure, and no + + + +Ylonen & Lonvick Standards Track [Page 4] + +RFC 4251 SSH Protocol Architecture January 2006 + + + third-party coordination. The downside is that the database of + name-to-key associations may become burdensome to maintain. + + o The host name-to-key association is certified by a trusted + certification authority (CA). The client only knows the CA root + key, and can verify the validity of all host keys certified by + accepted CAs. + + The second alternative eases the maintenance problem, since ideally + only a single CA key needs to be securely stored on the client. On + the other hand, each host key must be appropriately certified by a + central authority before authorization is possible. Also, a lot of + trust is placed on the central infrastructure. + + The protocol provides the option that the server name - host key + association is not checked when connecting to the host for the first + time. This allows communication without prior communication of host + keys or certification. The connection still provides protection + against passive listening; however, it becomes vulnerable to active + man-in-the-middle attacks. Implementations SHOULD NOT normally allow + such connections by default, as they pose a potential security + problem. However, as there is no widely deployed key infrastructure + available on the Internet at the time of this writing, this option + makes the protocol much more usable during the transition time until + such an infrastructure emerges, while still providing a much higher + level of security than that offered by older solutions (e.g., telnet + [RFC0854] and rlogin [RFC1282]). + + Implementations SHOULD try to make the best effort to check host + keys. An example of a possible strategy is to only accept a host key + without checking the first time a host is connected, save the key in + a local database, and compare against that key on all future + connections to that host. + + Implementations MAY provide additional methods for verifying the + correctness of host keys, e.g., a hexadecimal fingerprint derived + from the SHA-1 hash [FIPS-180-2] of the public key. Such + fingerprints can easily be verified by using telephone or other + external communication channels. + + All implementations SHOULD provide an option not to accept host keys + that cannot be verified. + + The members of this Working Group believe that 'ease of use' is + critical to end-user acceptance of security solutions, and no + improvement in security is gained if the new solutions are not used. + Thus, providing the option not to check the server host key is + + + + +Ylonen & Lonvick Standards Track [Page 5] + +RFC 4251 SSH Protocol Architecture January 2006 + + + believed to improve the overall security of the Internet, even though + it reduces the security of the protocol in configurations where it is + allowed. + +4.2. Extensibility + + We believe that the protocol will evolve over time, and some + organizations will want to use their own encryption, authentication, + and/or key exchange methods. Central registration of all extensions + is cumbersome, especially for experimental or classified features. + On the other hand, having no central registration leads to conflicts + in method identifiers, making interoperability difficult. + + We have chosen to identify algorithms, methods, formats, and + extension protocols with textual names that are of a specific format. + DNS names are used to create local namespaces where experimental or + classified extensions can be defined without fear of conflicts with + other implementations. + + One design goal has been to keep the base protocol as simple as + possible, and to require as few algorithms as possible. However, all + implementations MUST support a minimal set of algorithms to ensure + interoperability (this does not imply that the local policy on all + hosts would necessarily allow these algorithms). The mandatory + algorithms are specified in the relevant protocol documents. + + Additional algorithms, methods, formats, and extension protocols can + be defined in separate documents. See Section 6, Algorithm Naming, + for more information. + +4.3. Policy Issues + + The protocol allows full negotiation of encryption, integrity, key + exchange, compression, and public key algorithms and formats. + Encryption, integrity, public key, and compression algorithms can be + different for each direction. + + The following policy issues SHOULD be addressed in the configuration + mechanisms of each implementation: + + o Encryption, integrity, and compression algorithms, separately for + each direction. The policy MUST specify which is the preferred + algorithm (e.g., the first algorithm listed in each category). + + o Public key algorithms and key exchange method to be used for host + authentication. The existence of trusted host keys for different + public key algorithms also affects this choice. + + + + +Ylonen & Lonvick Standards Track [Page 6] + +RFC 4251 SSH Protocol Architecture January 2006 + + + o The authentication methods that are to be required by the server + for each user. The server's policy MAY require multiple + authentication for some or all users. The required algorithms MAY + depend on the location from where the user is trying to gain + access. + + o The operations that the user is allowed to perform using the + connection protocol. Some issues are related to security; for + example, the policy SHOULD NOT allow the server to start sessions + or run commands on the client machine, and MUST NOT allow + connections to the authentication agent unless forwarding such + connections has been requested. Other issues, such as which + TCP/IP ports can be forwarded and by whom, are clearly issues of + local policy. Many of these issues may involve traversing or + bypassing firewalls, and are interrelated with the local security + policy. + +4.4. Security Properties + + The primary goal of the SSH protocol is to improve security on the + Internet. It attempts to do this in a way that is easy to deploy, + even at the cost of absolute security. + + o All encryption, integrity, and public key algorithms used are + well-known, well-established algorithms. + + o All algorithms are used with cryptographically sound key sizes + that are believed to provide protection against even the strongest + cryptanalytic attacks for decades. + + o All algorithms are negotiated, and in case some algorithm is + broken, it is easy to switch to some other algorithm without + modifying the base protocol. + + Specific concessions were made to make widespread, fast deployment + easier. The particular case where this comes up is verifying that + the server host key really belongs to the desired host; the protocol + allows the verification to be left out, but this is NOT RECOMMENDED. + This is believed to significantly improve usability in the short + term, until widespread Internet public key infrastructures emerge. + +4.5. Localization and Character Set Support + + For the most part, the SSH protocols do not directly pass text that + would be displayed to the user. However, there are some places where + such data might be passed. When applicable, the character set for + + + + + +Ylonen & Lonvick Standards Track [Page 7] + +RFC 4251 SSH Protocol Architecture January 2006 + + + the data MUST be explicitly specified. In most places, ISO-10646 + UTF-8 encoding is used [RFC3629]. When applicable, a field is also + provided for a language tag [RFC3066]. + + One big issue is the character set of the interactive session. There + is no clear solution, as different applications may display data in + different formats. Different types of terminal emulation may also be + employed in the client, and the character set to be used is + effectively determined by the terminal emulation. Thus, no place is + provided for directly specifying the character set or encoding for + terminal session data. However, the terminal emulation type (e.g., + "vt100") is transmitted to the remote site, and it implicitly + specifies the character set and encoding. Applications typically use + the terminal type to determine what character set they use, or the + character set is determined using some external means. The terminal + emulation may also allow configuring the default character set. In + any case, the character set for the terminal session is considered + primarily a client local issue. + + Internal names used to identify algorithms or protocols are normally + never displayed to users, and must be in US-ASCII. + + The client and server user names are inherently constrained by what + the server is prepared to accept. They might, however, occasionally + be displayed in logs, reports, etc. They MUST be encoded using ISO + 10646 UTF-8, but other encodings may be required in some cases. It + is up to the server to decide how to map user names to accepted user + names. Straight bit-wise, binary comparison is RECOMMENDED. + + For localization purposes, the protocol attempts to minimize the + number of textual messages transmitted. When present, such messages + typically relate to errors, debugging information, or some externally + configured data. For data that is normally displayed, it SHOULD be + possible to fetch a localized message instead of the transmitted + message by using a numerical code. The remaining messages SHOULD be + configurable. + +5. Data Type Representations Used in the SSH Protocols + + byte + + A byte represents an arbitrary 8-bit value (octet). Fixed length + data is sometimes represented as an array of bytes, written + byte[n], where n is the number of bytes in the array. + + + + + + + +Ylonen & Lonvick Standards Track [Page 8] + +RFC 4251 SSH Protocol Architecture January 2006 + + + boolean + + A boolean value is stored as a single byte. The value 0 + represents FALSE, and the value 1 represents TRUE. All non-zero + values MUST be interpreted as TRUE; however, applications MUST NOT + store values other than 0 and 1. + + uint32 + + Represents a 32-bit unsigned integer. Stored as four bytes in the + order of decreasing significance (network byte order). For + example: the value 699921578 (0x29b7f4aa) is stored as 29 b7 f4 + aa. + + uint64 + + Represents a 64-bit unsigned integer. Stored as eight bytes in + the order of decreasing significance (network byte order). + + string + + Arbitrary length binary string. Strings are allowed to contain + arbitrary binary data, including null characters and 8-bit + characters. They are stored as a uint32 containing its length + (number of bytes that follow) and zero (= empty string) or more + bytes that are the value of the string. Terminating null + characters are not used. + + Strings are also used to store text. In that case, US-ASCII is + used for internal names, and ISO-10646 UTF-8 for text that might + be displayed to the user. The terminating null character SHOULD + NOT normally be stored in the string. For example: the US-ASCII + string "testing" is represented as 00 00 00 07 t e s t i n g. The + UTF-8 mapping does not alter the encoding of US-ASCII characters. + + mpint + + Represents multiple precision integers in two's complement format, + stored as a string, 8 bits per byte, MSB first. Negative numbers + have the value 1 as the most significant bit of the first byte of + the data partition. If the most significant bit would be set for + a positive number, the number MUST be preceded by a zero byte. + Unnecessary leading bytes with the value 0 or 255 MUST NOT be + included. The value zero MUST be stored as a string with zero + bytes of data. + + By convention, a number that is used in modular computations in + Z_n SHOULD be represented in the range 0 <= x < n. + + + +Ylonen & Lonvick Standards Track [Page 9] + +RFC 4251 SSH Protocol Architecture January 2006 + + + Examples: + + value (hex) representation (hex) + ----------- -------------------- + 0 00 00 00 00 + 9a378f9b2e332a7 00 00 00 08 09 a3 78 f9 b2 e3 32 a7 + 80 00 00 00 02 00 80 + -1234 00 00 00 02 ed cc + -deadbeef 00 00 00 05 ff 21 52 41 11 + + name-list + + A string containing a comma-separated list of names. A name-list + is represented as a uint32 containing its length (number of bytes + that follow) followed by a comma-separated list of zero or more + names. A name MUST have a non-zero length, and it MUST NOT + contain a comma (","). As this is a list of names, all of the + elements contained are names and MUST be in US-ASCII. Context may + impose additional restrictions on the names. For example, the + names in a name-list may have to be a list of valid algorithm + identifiers (see Section 6 below), or a list of [RFC3066] language + tags. The order of the names in a name-list may or may not be + significant. Again, this depends on the context in which the list + is used. Terminating null characters MUST NOT be used, neither + for the individual names, nor for the list as a whole. + + Examples: + + value representation (hex) + ----- -------------------- + (), the empty name-list 00 00 00 00 + ("zlib") 00 00 00 04 7a 6c 69 62 + ("zlib,none") 00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65 + +6. Algorithm and Method Naming + + The SSH protocols refer to particular hash, encryption, integrity, + compression, and key exchange algorithms or methods by name. There + are some standard algorithms and methods that all implementations + MUST support. There are also algorithms and methods that are defined + in the protocol specification, but are OPTIONAL. Furthermore, it is + expected that some organizations will want to use their own + algorithms or methods. + + In this protocol, all algorithm and method identifiers MUST be + printable US-ASCII, non-empty strings no longer than 64 characters. + Names MUST be case-sensitive. + + + + +Ylonen & Lonvick Standards Track [Page 10] + +RFC 4251 SSH Protocol Architecture January 2006 + + + There are two formats for algorithm and method names: + + o Names that do not contain an at-sign ("@") are reserved to be + assigned by IETF CONSENSUS. Examples include "3des-cbc", "sha-1", + "hmac-sha1", and "zlib" (the doublequotes are not part of the + name). Names of this format are only valid if they are first + registered with the IANA. Registered names MUST NOT contain an + at-sign ("@"), comma (","), whitespace, control characters (ASCII + codes 32 or less), or the ASCII code 127 (DEL). Names are case- + sensitive, and MUST NOT be longer than 64 characters. + + o Anyone can define additional algorithms or methods by using names + in the format name@domainname, e.g., "ourcipher-cbc@example.com". + The format of the part preceding the at-sign is not specified; + however, these names MUST be printable US-ASCII strings, and MUST + NOT contain the comma character (","), whitespace, control + characters (ASCII codes 32 or less), or the ASCII code 127 (DEL). + They MUST have only a single at-sign in them. The part following + the at-sign MUST be a valid, fully qualified domain name [RFC1034] + controlled by the person or organization defining the name. Names + are case-sensitive, and MUST NOT be longer than 64 characters. It + is up to each domain how it manages its local namespace. It + should be noted that these names resemble STD 11 [RFC0822] email + addresses. This is purely coincidental and has nothing to do with + STD 11 [RFC0822]. + +7. Message Numbers + + SSH packets have message numbers in the range 1 to 255. These + numbers have been allocated as follows: + + Transport layer protocol: + + 1 to 19 Transport layer generic (e.g., disconnect, ignore, + debug, etc.) + 20 to 29 Algorithm negotiation + 30 to 49 Key exchange method specific (numbers can be reused + for different authentication methods) + + User authentication protocol: + + 50 to 59 User authentication generic + 60 to 79 User authentication method specific (numbers can be + reused for different authentication methods) + + + + + + + +Ylonen & Lonvick Standards Track [Page 11] + +RFC 4251 SSH Protocol Architecture January 2006 + + + Connection protocol: + + 80 to 89 Connection protocol generic + 90 to 127 Channel related messages + + Reserved for client protocols: + + 128 to 191 Reserved + + Local extensions: + + 192 to 255 Local extensions + +8. IANA Considerations + + This document is part of a set. The instructions for the IANA for + the SSH protocol, as defined in this document, [SSH-USERAUTH], + [SSH-TRANS], and [SSH-CONNECT], are detailed in [SSH-NUMBERS]. The + following is a brief summary for convenience, but note well that + [SSH-NUMBERS] contains the actual instructions to the IANA, which may + be superseded in the future. + + Allocation of the following types of names in the SSH protocols is + assigned by IETF consensus: + + o Service Names + * Authentication Methods + * Connection Protocol Channel Names + * Connection Protocol Global Request Names + * Connection Protocol Channel Request Names + + o Key Exchange Method Names + + o Assigned Algorithm Names + * Encryption Algorithm Names + * MAC Algorithm Names + * Public Key Algorithm Names + * Compression Algorithm Names + + These names MUST be printable US-ASCII strings, and MUST NOT contain + the characters at-sign ("@"), comma (","), whitespace, control + characters (ASCII codes 32 or less), or the ASCII code 127 (DEL). + Names are case-sensitive, and MUST NOT be longer than 64 characters. + + Names with the at-sign ("@") are locally defined extensions and are + not controlled by the IANA. + + + + + +Ylonen & Lonvick Standards Track [Page 12] + +RFC 4251 SSH Protocol Architecture January 2006 + + + Each category of names listed above has a separate namespace. + However, using the same name in multiple categories SHOULD be avoided + to minimize confusion. + + Message numbers (see Section 7) in the range of 0 to 191 are + allocated via IETF CONSENSUS, as described in [RFC2434]. Message + numbers in the 192 to 255 range (local extensions) are reserved for + PRIVATE USE, also as described in [RFC2434]. + +9. Security Considerations + + In order to make the entire body of Security Considerations more + accessible, Security Considerations for the transport, + authentication, and connection documents have been gathered here. + + The transport protocol [SSH-TRANS] provides a confidential channel + over an insecure network. It performs server host authentication, + key exchange, encryption, and integrity protection. It also derives + a unique session id that may be used by higher-level protocols. + + The authentication protocol [SSH-USERAUTH] provides a suite of + mechanisms that can be used to authenticate the client user to the + server. Individual mechanisms specified in the authentication + protocol use the session id provided by the transport protocol and/or + depend on the security and integrity guarantees of the transport + protocol. + + The connection protocol [SSH-CONNECT] specifies a mechanism to + multiplex multiple streams (channels) of data over the confidential + and authenticated transport. It also specifies channels for + accessing an interactive shell, for proxy-forwarding various external + protocols over the secure transport (including arbitrary TCP/IP + protocols), and for accessing secure subsystems on the server host. + +9.1. Pseudo-Random Number Generation + + This protocol binds each session key to the session by including + random, session specific data in the hash used to produce session + keys. Special care should be taken to ensure that all of the random + numbers are of good quality. If the random data here (e.g., Diffie- + Hellman (DH) parameters) are pseudo-random, then the pseudo-random + number generator should be cryptographically secure (i.e., its next + output not easily guessed even when knowing all previous outputs) + and, furthermore, proper entropy needs to be added to the pseudo- + random number generator. [RFC4086] offers suggestions for sources of + random numbers and entropy. Implementers should note the importance + of entropy and the well-meant, anecdotal warning about the difficulty + in properly implementing pseudo-random number generating functions. + + + +Ylonen & Lonvick Standards Track [Page 13] + +RFC 4251 SSH Protocol Architecture January 2006 + + + The amount of entropy available to a given client or server may + sometimes be less than what is required. In this case, one must + either resort to pseudo-random number generation regardless of + insufficient entropy or refuse to run the protocol. The latter is + preferable. + +9.2. Control Character Filtering + + When displaying text to a user, such as error or debug messages, the + client software SHOULD replace any control characters (except tab, + carriage return, and newline) with safe sequences to avoid attacks by + sending terminal control characters. + +9.3. Transport + +9.3.1. Confidentiality + + It is beyond the scope of this document and the Secure Shell Working + Group to analyze or recommend specific ciphers other than the ones + that have been established and accepted within the industry. At the + time of this writing, commonly used ciphers include 3DES, ARCFOUR, + twofish, serpent, and blowfish. AES has been published by The US + Federal Information Processing Standards as [FIPS-197], and the + cryptographic community has accepted AES as well. As always, + implementers and users should check current literature to ensure that + no recent vulnerabilities have been found in ciphers used within + products. Implementers should also check to see which ciphers are + considered to be relatively stronger than others and should recommend + their use to users over relatively weaker ciphers. It would be + considered good form for an implementation to politely and + unobtrusively notify a user that a stronger cipher is available and + should be used when a weaker one is actively chosen. + + The "none" cipher is provided for debugging and SHOULD NOT be used + except for that purpose. Its cryptographic properties are + sufficiently described in [RFC2410], which will show that its use + does not meet the intent of this protocol. + + The relative merits of these and other ciphers may also be found in + current literature. Two references that may provide information on + the subject are [SCHNEIER] and [KAUFMAN]. Both of these describe the + CBC mode of operation of certain ciphers and the weakness of this + scheme. Essentially, this mode is theoretically vulnerable to chosen + cipher-text attacks because of the high predictability of the start + of packet sequence. However, this attack is deemed difficult and not + considered fully practicable, especially if relatively long block + sizes are used. + + + + +Ylonen & Lonvick Standards Track [Page 14] + +RFC 4251 SSH Protocol Architecture January 2006 + + + Additionally, another CBC mode attack may be mitigated through the + insertion of packets containing SSH_MSG_IGNORE. Without this + technique, a specific attack may be successful. For this attack + (commonly known as the Rogaway attack [ROGAWAY], [DAI], [BELLARE]) to + work, the attacker would need to know the Initialization Vector (IV) + of the next block that is going to be encrypted. In CBC mode that is + the output of the encryption of the previous block. If the attacker + does not have any way to see the packet yet (i.e., it is in the + internal buffers of the SSH implementation or even in the kernel), + then this attack will not work. If the last packet has been sent out + to the network (i.e., the attacker has access to it), then he can use + the attack. + + In the optimal case, an implementer would need to add an extra packet + only if the packet has been sent out onto the network and there are + no other packets waiting for transmission. Implementers may wish to + check if there are any unsent packets awaiting transmission; + unfortunately, it is not normally easy to obtain this information + from the kernel or buffers. If there are no unsent packets, then a + packet containing SSH_MSG_IGNORE SHOULD be sent. If a new packet is + added to the stream every time the attacker knows the IV that is + supposed to be used for the next packet, then the attacker will not + be able to guess the correct IV, thus the attack will never be + successful. + + As an example, consider the following case: + + Client Server + ------ ------ + TCP(seq=x, len=500) ----> + contains Record 1 + + [500 ms passes, no ACK] + + TCP(seq=x, len=1000) ----> + contains Records 1,2 + + ACK + + 1. The Nagle algorithm + TCP retransmits mean that the two records + get coalesced into a single TCP segment. + + 2. Record 2 is not at the beginning of the TCP segment and never will + be because it gets ACKed. + + 3. Yet, the attack is possible because Record 1 has already been + seen. + + + + +Ylonen & Lonvick Standards Track [Page 15] + +RFC 4251 SSH Protocol Architecture January 2006 + + + As this example indicates, it is unsafe to use the existence of + unflushed data in the TCP buffers proper as a guide to whether an + empty packet is needed, since when the second write() is performed + the buffers will contain the un-ACKed Record 1. + + On the other hand, it is perfectly safe to have the following + situation: + + Client Server + ------ ------ + TCP(seq=x, len=500) ----> + contains SSH_MSG_IGNORE + + TCP(seq=y, len=500) ----> + contains Data + + Provided that the IV for the second SSH Record is fixed after the + data for the Data packet is determined, then the following should + be performed: + + read from user + encrypt null packet + encrypt data packet + +9.3.2. Data Integrity + + This protocol does allow the Data Integrity mechanism to be disabled. + Implementers SHOULD be wary of exposing this feature for any purpose + other than debugging. Users and administrators SHOULD be explicitly + warned anytime the "none" MAC is enabled. + + So long as the "none" MAC is not used, this protocol provides data + integrity. + + Because MACs use a 32-bit sequence number, they might start to leak + information after 2**32 packets have been sent. However, following + the rekeying recommendations should prevent this attack. The + transport protocol [SSH-TRANS] recommends rekeying after one gigabyte + of data, and the smallest possible packet is 16 bytes. Therefore, + rekeying SHOULD happen after 2**28 packets at the very most. + +9.3.3. Replay + + The use of a MAC other than "none" provides integrity and + authentication. In addition, the transport protocol provides a + unique session identifier (bound in part to pseudo-random data that + is part of the algorithm and key exchange process) that can be used + by higher level protocols to bind data to a given session and prevent + + + +Ylonen & Lonvick Standards Track [Page 16] + +RFC 4251 SSH Protocol Architecture January 2006 + + + replay of data from prior sessions. For example, the authentication + protocol ([SSH-USERAUTH]) uses this to prevent replay of signatures + from previous sessions. Because public key authentication exchanges + are cryptographically bound to the session (i.e., to the initial key + exchange), they cannot be successfully replayed in other sessions. + Note that the session id can be made public without harming the + security of the protocol. + + If two sessions have the same session id (hash of key exchanges), + then packets from one can be replayed against the other. It must be + stressed that the chances of such an occurrence are, needless to say, + minimal when using modern cryptographic methods. This is all the + more true when specifying larger hash function outputs and DH + parameters. + + Replay detection using monotonically increasing sequence numbers as + input to the MAC, or HMAC in some cases, is described in [RFC2085], + [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC4120]. The + underlying construct is discussed in [RFC2104]. Essentially, a + different sequence number in each packet ensures that at least this + one input to the MAC function will be unique and will provide a + nonrecurring MAC output that is not predictable to an attacker. If + the session stays active long enough, however, this sequence number + will wrap. This event may provide an attacker an opportunity to + replay a previously recorded packet with an identical sequence number + but only if the peers have not rekeyed since the transmission of the + first packet with that sequence number. If the peers have rekeyed, + then the replay will be detected since the MAC check will fail. For + this reason, it must be emphasized that peers MUST rekey before a + wrap of the sequence numbers. Naturally, if an attacker does attempt + to replay a captured packet before the peers have rekeyed, then the + receiver of the duplicate packet will not be able to validate the MAC + and it will be discarded. The reason that the MAC will fail is + because the receiver will formulate a MAC based upon the packet + contents, the shared secret, and the expected sequence number. Since + the replayed packet will not be using that expected sequence number + (the sequence number of the replayed packet will have already been + passed by the receiver), the calculated MAC will not match the MAC + received with the packet. + +9.3.4. Man-in-the-middle + + This protocol makes no assumptions or provisions for an + infrastructure or means for distributing the public keys of hosts. + It is expected that this protocol will sometimes be used without + first verifying the association between the server host key and the + server host name. Such usage is vulnerable to man-in-the-middle + attacks. This section describes this and encourages administrators + + + +Ylonen & Lonvick Standards Track [Page 17] + +RFC 4251 SSH Protocol Architecture January 2006 + + + and users to understand the importance of verifying this association + before any session is initiated. + + There are three cases of man-in-the-middle attacks to consider. The + first is where an attacker places a device between the client and the + server before the session is initiated. In this case, the attack + device is trying to mimic the legitimate server and will offer its + public key to the client when the client initiates a session. If it + were to offer the public key of the server, then it would not be able + to decrypt or sign the transmissions between the legitimate server + and the client unless it also had access to the private key of the + host. The attack device will also, simultaneously to this, initiate + a session to the legitimate server, masquerading itself as the + client. If the public key of the server had been securely + distributed to the client prior to that session initiation, the key + offered to the client by the attack device will not match the key + stored on the client. In that case, the user SHOULD be given a + warning that the offered host key does not match the host key cached + on the client. As described in Section 4.1, the user may be free to + accept the new key and continue the session. It is RECOMMENDED that + the warning provide sufficient information to the user of the client + device so the user may make an informed decision. If the user + chooses to continue the session with the stored public key of the + server (not the public key offered at the start of the session), then + the session-specific data between the attacker and server will be + different between the client-to-attacker session and the attacker- + to-server sessions due to the randomness discussed above. From this, + the attacker will not be able to make this attack work since the + attacker will not be able to correctly sign packets containing this + session-specific data from the server, since he does not have the + private key of that server. + + The second case that should be considered is similar to the first + case in that it also happens at the time of connection, but this case + points out the need for the secure distribution of server public + keys. If the server public keys are not securely distributed, then + the client cannot know if it is talking to the intended server. An + attacker may use social engineering techniques to pass off server + keys to unsuspecting users and may then place a man-in-the-middle + attack device between the legitimate server and the clients. If this + is allowed to happen, then the clients will form client-to-attacker + sessions, and the attacker will form attacker-to-server sessions and + will be able to monitor and manipulate all of the traffic between the + clients and the legitimate servers. Server administrators are + encouraged to make host key fingerprints available for checking by + some means whose security does not rely on the integrity of the + actual host keys. Possible mechanisms are discussed in Section 4.1 + and may also include secured Web pages, physical pieces of paper, + + + +Ylonen & Lonvick Standards Track [Page 18] + +RFC 4251 SSH Protocol Architecture January 2006 + + + etc. Implementers SHOULD provide recommendations on how best to do + this with their implementation. Because the protocol is extensible, + future extensions to the protocol may provide better mechanisms for + dealing with the need to know the server's host key before + connecting. For example, making the host key fingerprint available + through a secure DNS lookup, or using Kerberos ([RFC4120]) over + GSS-API ([RFC1964]) during key exchange to authenticate the server + are possibilities. + + In the third man-in-the-middle case, attackers may attempt to + manipulate packets in transit between peers after the session has + been established. As described in Section 9.3.3, a successful attack + of this nature is very improbable. As in Section 9.3.3, this + reasoning does assume that the MAC is secure and that it is + infeasible to construct inputs to a MAC algorithm to give a known + output. This is discussed in much greater detail in Section 6 of + [RFC2104]. If the MAC algorithm has a vulnerability or is weak + enough, then the attacker may be able to specify certain inputs to + yield a known MAC. With that, they may be able to alter the contents + of a packet in transit. Alternatively, the attacker may be able to + exploit the algorithm vulnerability or weakness to find the shared + secret by reviewing the MACs from captured packets. In either of + those cases, an attacker could construct a packet or packets that + could be inserted into an SSH stream. To prevent this, implementers + are encouraged to utilize commonly accepted MAC algorithms, and + administrators are encouraged to watch current literature and + discussions of cryptography to ensure that they are not using a MAC + algorithm that has a recently found vulnerability or weakness. + + In summary, the use of this protocol without a reliable association + of the binding between a host and its host keys is inherently + insecure and is NOT RECOMMENDED. However, it may be necessary in + non-security-critical environments, and will still provide protection + against passive attacks. Implementers of protocols and applications + running on top of this protocol should keep this possibility in mind. + +9.3.5. Denial of Service + + This protocol is designed to be used over a reliable transport. If + transmission errors or message manipulation occur, the connection is + closed. The connection SHOULD be re-established if this occurs. + Denial of service attacks of this type (wire cutter) are almost + impossible to avoid. + + In addition, this protocol is vulnerable to denial of service attacks + because an attacker can force the server to go through the CPU and + memory intensive tasks of connection setup and key exchange without + authenticating. Implementers SHOULD provide features that make this + + + +Ylonen & Lonvick Standards Track [Page 19] + +RFC 4251 SSH Protocol Architecture January 2006 + + + more difficult, for example, only allowing connections from a subset + of clients known to have valid users. + +9.3.6. Covert Channels + + The protocol was not designed to eliminate covert channels. For + example, the padding, SSH_MSG_IGNORE messages, and several other + places in the protocol can be used to pass covert information, and + the recipient has no reliable way of verifying whether such + information is being sent. + +9.3.7. Forward Secrecy + + It should be noted that the Diffie-Hellman key exchanges may provide + perfect forward secrecy (PFS). PFS is essentially defined as the + cryptographic property of a key-establishment protocol in which the + compromise of a session key or long-term private key after a given + session does not cause the compromise of any earlier session + [ANSI-T1.523-2001]. SSH sessions resulting from a key exchange using + the diffie-hellman methods described in the section Diffie-Hellman + Key Exchange of [SSH-TRANS] (including "diffie-hellman-group1-sha1" + and "diffie-hellman-group14-sha1") are secure even if private + keying/authentication material is later revealed, but not if the + session keys are revealed. So, given this definition of PFS, SSH + does have PFS. However, this property is not commuted to any of the + applications or protocols using SSH as a transport. The transport + layer of SSH provides confidentiality for password authentication and + other methods that rely on secret data. + + Of course, if the DH private parameters for the client and server are + revealed, then the session key is revealed, but these items can be + thrown away after the key exchange completes. It's worth pointing + out that these items should not be allowed to end up on swap space + and that they should be erased from memory as soon as the key + exchange completes. + +9.3.8. Ordering of Key Exchange Methods + + As stated in the section on Algorithm Negotiation of [SSH-TRANS], + each device will send a list of preferred methods for key exchange. + The most-preferred method is the first in the list. It is + RECOMMENDED that the algorithms be sorted by cryptographic strength, + strongest first. Some additional guidance for this is given in + [RFC3766]. + + + + + + + +Ylonen & Lonvick Standards Track [Page 20] + +RFC 4251 SSH Protocol Architecture January 2006 + + +9.3.9. Traffic Analysis + + Passive monitoring of any protocol may give an attacker some + information about the session, the user, or protocol specific + information that they would otherwise not be able to garner. For + example, it has been shown that traffic analysis of an SSH session + can yield information about the length of the password - [Openwall] + and [USENIX]. Implementers should use the SSH_MSG_IGNORE packet, + along with the inclusion of random lengths of padding, to thwart + attempts at traffic analysis. Other methods may also be found and + implemented. + +9.4. Authentication Protocol + + The purpose of this protocol is to perform client user + authentication. It assumes that this runs over a secure transport + layer protocol, which has already authenticated the server machine, + established an encrypted communications channel, and computed a + unique session identifier for this session. + + Several authentication methods with different security + characteristics are allowed. It is up to the server's local policy + to decide which methods (or combinations of methods) it is willing to + accept for each user. Authentication is no stronger than the weakest + combination allowed. + + The server may go into a sleep period after repeated unsuccessful + authentication attempts to make key search more difficult for + attackers. Care should be taken so that this doesn't become a self- + denial of service vector. + +9.4.1. Weak Transport + + If the transport layer does not provide confidentiality, + authentication methods that rely on secret data SHOULD be disabled. + If it does not provide strong integrity protection, requests to + change authentication data (e.g., a password change) SHOULD be + disabled to prevent an attacker from modifying the ciphertext without + being noticed, or rendering the new authentication data unusable + (denial of service). + + The assumption stated above, that the Authentication Protocol only + runs over a secure transport that has previously authenticated the + server, is very important to note. People deploying SSH are reminded + of the consequences of man-in-the-middle attacks if the client does + not have a very strong a priori association of the server with the + host key of that server. Specifically, for the case of the + Authentication Protocol, the client may form a session to a man-in- + + + +Ylonen & Lonvick Standards Track [Page 21] + +RFC 4251 SSH Protocol Architecture January 2006 + + + the-middle attack device and divulge user credentials such as their + username and password. Even in the cases of authentication where no + user credentials are divulged, an attacker may still gain information + they shouldn't have by capturing key-strokes in much the same way + that a honeypot works. + +9.4.2. Debug Messages + + Special care should be taken when designing debug messages. These + messages may reveal surprising amounts of information about the host + if not properly designed. Debug messages can be disabled (during + user authentication phase) if high security is required. + Administrators of host machines should make all attempts to + compartmentalize all event notification messages and protect them + from unwarranted observation. Developers should be aware of the + sensitive nature of some of the normal event and debug messages, and + may want to provide guidance to administrators on ways to keep this + information away from unauthorized people. Developers should + consider minimizing the amount of sensitive information obtainable by + users during the authentication phase, in accordance with the local + policies. For this reason, it is RECOMMENDED that debug messages be + initially disabled at the time of deployment and require an active + decision by an administrator to allow them to be enabled. It is also + RECOMMENDED that a message expressing this concern be presented to + the administrator of a system when the action is taken to enable + debugging messages. + +9.4.3. Local Security Policy + + The implementer MUST ensure that the credentials provided validate + the professed user and also MUST ensure that the local policy of the + server permits the user the access requested. In particular, because + of the flexible nature of the SSH connection protocol, it may not be + possible to determine the local security policy, if any, that should + apply at the time of authentication because the kind of service being + requested is not clear at that instant. For example, local policy + might allow a user to access files on the server, but not start an + interactive shell. However, during the authentication protocol, it + is not known whether the user will be accessing files, attempting to + use an interactive shell, or even both. In any event, where local + security policy for the server host exists, it MUST be applied and + enforced correctly. + + Implementers are encouraged to provide a default local policy and + make its parameters known to administrators and users. At the + discretion of the implementers, this default policy may be along the + lines of anything-goes where there are no restrictions placed upon + users, or it may be along the lines of excessively-restrictive, in + + + +Ylonen & Lonvick Standards Track [Page 22] + +RFC 4251 SSH Protocol Architecture January 2006 + + + which case, the administrators will have to actively make changes to + the initial default parameters to meet their needs. Alternatively, + it may be some attempt at providing something practical and + immediately useful to the administrators of the system so they don't + have to put in much effort to get SSH working. Whatever choice is + made must be applied and enforced as required above. + +9.4.4 Public Key Authentication + + The use of public key authentication assumes that the client host has + not been compromised. It also assumes that the private key of the + server host has not been compromised. + + This risk can be mitigated by the use of passphrases on private keys; + however, this is not an enforceable policy. The use of smartcards, + or other technology to make passphrases an enforceable policy is + suggested. + + The server could require both password and public key authentication; + however, this requires the client to expose its password to the + server (see the section on Password Authentication below.) + +9.4.5. Password Authentication + + The password mechanism, as specified in the authentication protocol, + assumes that the server has not been compromised. If the server has + been compromised, using password authentication will reveal a valid + username/password combination to the attacker, which may lead to + further compromises. + + This vulnerability can be mitigated by using an alternative form of + authentication. For example, public key authentication makes no + assumptions about security on the server. + +9.4.6. Host-Based Authentication + + Host-based authentication assumes that the client has not been + compromised. There are no mitigating strategies, other than to use + host-based authentication in combination with another authentication + method. + + + + + + + + + + + +Ylonen & Lonvick Standards Track [Page 23] + +RFC 4251 SSH Protocol Architecture January 2006 + + +9.5. Connection Protocol + +9.5.1. End Point Security + + End point security is assumed by the connection protocol. If the + server has been compromised, any terminal sessions, port forwarding, + or systems accessed on the host are compromised. There are no + mitigating factors for this. + + If the client has been compromised, and the server fails to stop the + attacker at the authentication protocol, all services exposed (either + as subsystems or through forwarding) will be vulnerable to attack. + Implementers SHOULD provide mechanisms for administrators to control + which services are exposed to limit the vulnerability of other + services. These controls might include controlling which machines + and ports can be targeted in port-forwarding operations, which users + are allowed to use interactive shell facilities, or which users are + allowed to use exposed subsystems. + +9.5.2. Proxy Forwarding + + The SSH connection protocol allows for proxy forwarding of other + protocols such as SMTP, POP3, and HTTP. This may be a concern for + network administrators who wish to control the access of certain + applications by users located outside of their physical location. + Essentially, the forwarding of these protocols may violate site- + specific security policies, as they may be undetectably tunneled + through a firewall. Implementers SHOULD provide an administrative + mechanism to control the proxy forwarding functionality so that + site-specific security policies may be upheld. + + In addition, a reverse proxy forwarding functionality is available, + which, again, can be used to bypass firewall controls. + + As indicated above, end-point security is assumed during proxy + forwarding operations. Failure of end-point security will compromise + all data passed over proxy forwarding. + +9.5.3. X11 Forwarding + + Another form of proxy forwarding provided by the SSH connection + protocol is the forwarding of the X11 protocol. If end-point + security has been compromised, X11 forwarding may allow attacks + against the X11 server. Users and administrators should, as a matter + of course, use appropriate X11 security mechanisms to prevent + unauthorized use of the X11 server. Implementers, administrators, + and users who wish to further explore the security mechanisms of X11 + are invited to read [SCHEIFLER] and analyze previously reported + + + +Ylonen & Lonvick Standards Track [Page 24] + +RFC 4251 SSH Protocol Architecture January 2006 + + + problems with the interactions between SSH forwarding and X11 in CERT + vulnerabilities VU#363181 and VU#118892 [CERT]. + + X11 display forwarding with SSH, by itself, is not sufficient to + correct well known problems with X11 security [VENEMA]. However, X11 + display forwarding in SSH (or other secure protocols), combined with + actual and pseudo-displays that accept connections only over local + IPC mechanisms authorized by permissions or access control lists + (ACLs), does correct many X11 security problems, as long as the + "none" MAC is not used. It is RECOMMENDED that X11 display + implementations default to allow the display to open only over local + IPC. It is RECOMMENDED that SSH server implementations that support + X11 forwarding default to allow the display to open only over local + IPC. On single-user systems, it might be reasonable to default to + allow the local display to open over TCP/IP. + + Implementers of the X11 forwarding protocol SHOULD implement the + magic cookie access-checking spoofing mechanism, as described in + [SSH-CONNECT], as an additional mechanism to prevent unauthorized use + of the proxy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Ylonen & Lonvick Standards Track [Page 25] + +RFC 4251 SSH Protocol Architecture January 2006 + + +10. References + +10.1. Normative References + + [SSH-TRANS] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell + (SSH) Transport Layer Protocol", RFC 4253, January + 2006. + + [SSH-USERAUTH] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell + (SSH) Authentication Protocol", RFC 4252, January + 2006. + + [SSH-CONNECT] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell + (SSH) Connection Protocol", RFC 4254, January + 2006. + + [SSH-NUMBERS] Lehtinen, S. and C. Lonvick, Ed., "The Secure + Shell (SSH) Protocol Assigned Numbers", RFC 4250, + January 2006. + + [RFC2119] Bradner, S., "Key words for use in RFCs to + Indicate Requirement Levels", BCP 14, RFC 2119, + March 1997. + + [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for + Writing an IANA Considerations Section in RFCs", + BCP 26, RFC 2434, October 1998. + + [RFC3066] Alvestrand, H., "Tags for the Identification of + Languages", BCP 47, RFC 3066, January 2001. + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of + ISO 10646", STD 63, RFC 3629, November 2003. + +10.2. Informative References + + [RFC0822] Crocker, D., "Standard for the format of ARPA + Internet text messages", STD 11, RFC 822, August + 1982. + + [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol + Specification", STD 8, RFC 854, May 1983. + + [RFC1034] Mockapetris, P., "Domain names - concepts and + facilities", STD 13, RFC 1034, November 1987. + + + + + + +Ylonen & Lonvick Standards Track [Page 26] + +RFC 4251 SSH Protocol Architecture January 2006 + + + [RFC1282] Kantor, B., "BSD Rlogin", RFC 1282, December 1991. + + [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, + "The Kerberos Network Authentication Service + (V5)", RFC 4120, July 2005. + + [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API + Mechanism", RFC 1964, June 1996. + + [RFC2025] Adams, C., "The Simple Public-Key GSS-API + Mechanism (SPKM)", RFC 2025, October 1996. + + [RFC2085] Oehler, M. and R. Glenn, "HMAC-MD5 IP + Authentication with Replay Prevention", RFC 2085, + February 1997. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC + 2104, February 1997. + + [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version + 1.0", RFC 2246, January 1999. + + [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption + Algorithm and Its Use With IPsec", RFC 2410, + November 1998. + + [RFC2743] Linn, J., "Generic Security Service Application + Program Interface Version 2, Update 1", RFC 2743, + January 2000. + + [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths + For Public Keys Used For Exchanging Symmetric + Keys", BCP 86, RFC 3766, April 2004. + + [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, + RFC 4086, June 2005. + + [FIPS-180-2] US National Institute of Standards and Technology, + "Secure Hash Standard (SHS)", Federal Information + Processing Standards Publication 180-2, August + 2002. + + [FIPS-186-2] US National Institute of Standards and Technology, + "Digital Signature Standard (DSS)", Federal + Information Processing Standards Publication 186- + 2, January 2000. + + + +Ylonen & Lonvick Standards Track [Page 27] + +RFC 4251 SSH Protocol Architecture January 2006 + + + [FIPS-197] US National Institute of Standards and Technology, + "Advanced Encryption Standard (AES)", Federal + Information Processing Standards Publication 197, + November 2001. + + [ANSI-T1.523-2001] American National Standards Institute, Inc., + "Telecom Glossary 2000", ANSI T1.523-2001, + February 2001. + + [SCHNEIER] Schneier, B., "Applied Cryptography Second + Edition: protocols algorithms and source in code + in C", John Wiley and Sons, New York, NY, 1996. + + [SCHEIFLER] Scheifler, R., "X Window System : The Complete + Reference to Xlib, X Protocol, Icccm, Xlfd, 3rd + edition.", Digital Press, ISBN 1555580882, + February 1992. + + [KAUFMAN] Kaufman, C., Perlman, R., and M. Speciner, + "Network Security: PRIVATE Communication in a + PUBLIC World", Prentice Hall Publisher, 1995. + + [CERT] CERT Coordination Center, The., + "http://www.cert.org/nav/index_red.html". + + [VENEMA] Venema, W., "Murphy's Law and Computer Security", + Proceedings of 6th USENIX Security Symposium, San + Jose CA + http://www.usenix.org/publications/library/ + proceedings/sec96/venema.html, July 1996. + + [ROGAWAY] Rogaway, P., "Problems with Proposed IP + Cryptography", Unpublished paper + http://www.cs.ucdavis.edu/~rogaway/ papers/draft- + rogaway-ipsec-comments-00.txt, 1996. + + [DAI] Dai, W., "An attack against SSH2 protocol", Email + to the SECSH Working Group ietf-ssh@netbsd.org + ftp:// ftp.ietf.org/ietf-mail-archive/secsh/2002- + 02.mail, Feb 2002. + + [BELLARE] Bellaire, M., Kohno, T., and C. Namprempre, + "Authenticated Encryption in SSH: Fixing the SSH + Binary Packet Protocol", Proceedings of the 9th + ACM Conference on Computer and Communications + Security, Sept 2002. + + + + + +Ylonen & Lonvick Standards Track [Page 28] + +RFC 4251 SSH Protocol Architecture January 2006 + + + [Openwall] Solar Designer and D. Song, "SSH Traffic Analysis + Attacks", Presentation given at HAL2001 and + NordU2002 Conferences, Sept 2001. + + [USENIX] Song, X.D., Wagner, D., and X. Tian, "Timing + Analysis of Keystrokes and SSH Timing Attacks", + Paper given at 10th USENIX Security Symposium, + 2001. + +Authors' Addresses + + Tatu Ylonen + SSH Communications Security Corp + Valimotie 17 + 00380 Helsinki + Finland + + EMail: ylo@ssh.com + + + Chris Lonvick (editor) + Cisco Systems, Inc. + 12515 Research Blvd. + Austin 78759 + USA + + EMail: clonvick@cisco.com + +Trademark Notice + + "ssh" is a registered trademark in the United States and/or other + countries. + + + + + + + + + + + + + + + + + + + +Ylonen & Lonvick Standards Track [Page 29] + +RFC 4251 SSH Protocol Architecture January 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Ylonen & Lonvick Standards Track [Page 30] + |