This is about … .
Mechanism
Negotiation
The first step is to inform what software and SSH version are used by both the client and the server. Then, they are trying to find the key exchange and message authentication algorithm that suits them both.
SSH header and payload sit atop the TCP header and look something like this:
βοΈ All the data and the requests the were generated by the client π₯Ά are coloured in blue. Each type of request or reply (the SSH payload, to be precise) sent has its own dedicated emoji (for example, the identification string is a π).
Since the client π₯Ά needs the service, the client π₯Ά initiates the connection and presents his preferences for both the SSH version and the software. This is called an identification string π.
The server π then demonstrates it’s “household” with a similar reply π:
Now, they need to agree on the settings: ciphers and hash algorithms. First, the client π₯Ά is coming out with the Key Exchange Init
π message.
Then the server π sends a similar Key Exchange Init
π message showing its acceptable cipher suits.
The server π typically uses the first acceptable option presented by the client. But if none is acceptable for the server π, the SSH connection won’t be established.
πΌ π€« Session Key Generation
The client π₯Ά generates two keys: a private ποΈ and a public π one. The algorithm used for this key generation was agreed upon in the previous stage. Often it’s Elliptic Curve Diffie-Hellman or Diffie-Hellman. To understand how Diffie-Hellman works to exchange secret keys without actually sending them over (something like when scientists from different parts of the world come up with the same ideas).
The client’s π₯Ά public key π is then sent over to the server π and that’s called an SSH message Key Exchange Initialisation
π.
Upon receiving the client’s π₯Ά public key π, the server π starts generating its own pair of asymmetrical keys.
Here are the states of both the client π₯Ά and the server π at this stage.
As you can see, the client π₯Ά has only its own private ποΈ and public π keys, while the server π has the following data:
- the client’s π₯Ά DF public key π;
- the server’s π DF public π and private ποΈ keys;
- the server’s π host asymmetrical public π and private ποΈ keys (these can be used, for example, with other clients or/and in SSL connections etc.). Let’s call them global. CA (certificate authority) will store the certificate with this public π key so that the server’s π clients can verify its identity. But that’s another story.
Both parties have all the information needed to generate a shared secret key πΌ π€« and a hash π§Ά. Let’s take a little peek at the server’s π activity first. The server π takes its private ποΈ and public π keys, plus the client’s π₯Ά public key π shared previously to derive the value of the shared secret key (session key πΌ π€«).
Then the server will calculate the hash based on the following data (the list is quite long):
- the client’s π₯Ά identification string π (the payload of the first client’s request);
- the server’s π identification string π (the payload of the first server’s reply);
- the payload of the second client’s π₯Ά request π;
- the payload of the second server’s π reply π;
- the server’s π global public π πͺͺ key generated long ago;
- the client’s π₯Ά public π key;
- the server’s public DF π key that was generated at the beginning;
- the shared secret key πΌ π€« was generated in the previous stage.
Now, the server π will sign this hash with its global private key ποΈ πͺͺ so that the client π₯Ά who has its global public key π πͺͺ can verify that the server sent this. No one is supposed to have the private key ποΈ πͺͺ of the server π and the corresponding public key can only decrypt the message locked by the corresponding public key π .
βοΈβοΈ If the private key ποΈ was compromised, game over.
Now, the server π sends the calculated and signed hash π§Ά, its DF public key π and the global public key ππͺͺ to the client π₯Ά so that the client π₯Ά can repeat the same steps.
And so the client does. This message is called SSH Message Exchange Elliptic Curve Diffie-Hellman Reply
π.
First, the client π₯Ά generates the same shared secret key πΌπ€«, but using its own private ποΈ and public π keys (not the server’s) and the server’s global public key π πͺͺ received in the previous step.
Now, it’s time to calculate the hash π§Ά. Note the client π₯Ά doesn’t yet touch the hash π§Ά sent over by the server π.
βοΈ βοΈ Note that both the client π₯Ά and the server π have all this data. However, the eavesdropper won’t have one little element: πΌ π€« the shared secret key. That’s because the eavesdropper has neither the client’s nor the server’s private keys ποΈ.
But now, the client π₯Ά will use the server’s π public key π πͺͺ to unlock the hash π§Ά sent over by the server π. After that, the client π₯Ά will compare this hash π§Ά to the one the client π₯Ά has just calculated.
βοΈ By the way, note that the client π₯Ά doesn’t have nor it needs a client certificate π₯Ά πͺͺ.
πͺ Decryption Key Generation
Now, at this point, both the client and the server have the session key (shared secret one), and can proceed to the next stage. At this stage, they both will derive three values from this session key:
- πͺ Decryption key that will be used to encrypt and decrypt the messages.
- π§ IV (initialisation vector) - a random value generated separately by the client and the server to randomise the ciphertext.
- π© A key for HMAC (signing the messages exchange to spot tampering).
βοΈNote that π₯Άπͺ = ππͺ, π₯Άπ© = ππ©, but the IVs are random and thus different. IV is not a private value! I have tried to show this by using blue colors for client specific data, yellow - for server’s specific data, and purple - for separately generated data that’s the same for both parties.
Establishing The Connection
Now, the server informs the client π₯Ά that it has finished and sends a New Keys
π message over.
The client π₯Ά then responds with a similar message π, also New Keys
.
It took so long to establish this connection that the server π and the client π₯Ά might have forgotten already what this was all about… . Ah, right, the service request!
The client sends a service request
π₯ message to the server.
All is good, no point to back off at this stage, so the server π presents the lucky winner with a flag.txt
π¦πΊ.
Attacks
Detection and Investigation
π ExtraHop
or π ntop
(see Chapter 1) provides insight into the amount of data being transferred and to where even when that data is encrypted.
π Wireshark Filters:
http.request
- show only HTTP request. Useful to get rid of all ARP and TCP handshake garbage.ip.src == 192.168.22.94 and udp.port == 67
- show the DHCP requests for this machine. Can show the computer name.