1, concept
SSH's English is known as SecurNetwork Working Group, other secure network services. If you need the network E shell of Security Corporation, it is the IETF (a national agreement set by Internet En, the purpose is to refer to www.ssh station) and www.openssh.org (Open Gineering Task Force) A secure remote login is available on a secure network (SSH Communications Source code OpenSSH organization website).
2. Basic framework
The most important SSH protocol framework in the SSH protocol framework is also used to indicate the following: Part of the three protocols: the network security application protocol of the transport layer protocol provides an extension, user authentication protocol, and connection protocol. At the same time. Hierarchical relationship between them
Figure 1 Schematic diagram of the hierarchical structure of the SSH protocol
In the protocol framework of SSH, data confidentiality, information integrity, provides a server-providing client tunnel to several logical channels outside the SSH basic system, and the transfer layer protocol (The Transport LA, etc.); user authentication Agreement (The identity identification; connection protocol (THE CONN, application protocol provided to higher levels) Relying on this basic framework, providing server authentication, user authentication protocol), User Authentication Protocol, ECTION Protocol, will encrypt information; various high-level Application protocols can relatively privately using SSH security mechanisms.
3, host key mechanism
For SSH to provide secure communication, the SSH protocol is a mechanism for hosting in an Internet network. That is to say, the SSH protocol requires each of the servers with different key algorithms to different key algorithms by the key to the client host key. For DSS algorithms, please refer to [FIPS-186 protocol, which is essential is a complete set of key mechanisms. Inter-interviews and information exchange, so the host key Became the basic key with this protocol, the host must have at least one of its own host key, to allow its connection request. A host can use multiple keys, but at least one is a must, that is, generated by the DSS algorithm].
There are two types of management schemes for host key authentication, as shown in Figure 2 below:
Figure 2 Schematic diagram of SSH host key management authentication scheme
Every host must have its own host key and private key. How to use in the actual application process, two programs are proposed in the SSH protocol framework. Multiple pairs of keys, each pair of host key pairs including public key, and rely on them to implement security features? Above
In the first scheme, the host uses the host's public key to encrypt the authentication, determine the client's Reliable host B and host C. At this time, A is laid according to the host name to find the corresponding all-in-style storage The key sends its own public key points to related data, and the host uses its own private secret. As can be seen in Figure 2 (a), it is used as a client, which must be configured in advance to configure the host public key. For the accessed host (also. Client, client to decrypt data when accessing the host, to initiate an operation from the host C keying, to access, b, and host C, When accessing is the server side), just guarantee
In the second solution, there is a key authentication key submit to the authentication center, and any as a client in this mode, the client can be properly connected to the destination host in this mode. The center, the host provides services in all systems, all of them can save the public key as long as the public key of the authentication center is saved. Before, you must also request authentication to the Key Certification Center. After the certification, it is clear that the first way must have a high demand for the certification center on the client, and who can use anyone. The central certification program is necessary to be easier to implement, but the client is dense; the second way is more perfect to understand such a concentration on the Internet? But from a long-term development. The maintenance of the key is a trouble, because every means of management of maintenance issues, however, this model is determined by the authoritative institution, is a view, in the business application and commercial application,
In addition, access to free authentication in the SSH protocol framework is, in a copy of a client, this is. When a folding machine of the host key is allowed to access the host for the first time, the key must be used in the case of the main unit, which is the first access to free certification. First check the key key, and will be issued to the customer, otherwise it will be considered illegal to reject its access.
4, character set and data type
The SSH protocol is treated very well. First, the SSH protocol stipulates that some information will be directly used by the agreement itself to the IS-style application, the protocol specifies most of the letter to the user and its operating system environment, because of the master . Hold the world's scope, in the word, its internal algorithm identification, protocol name, etc., and will not be used as the UTF-8 format under the user's display O 10646 standard, you must use a special domain to record Interest, what kind of character set is mainly taken, and the US-ASCII character set must be used in this SSH protocol framework. Second, the SSH protocol specifies the details of the RFC-2279. In addition, for the letter tag. For terminal systems that are derived from the user, that is, terminal norms, and programs for implementing protocols
In addition to flexible operation of the flexible operation in characters, including byte type, Boolean, string type, multi-precision integer type, and name, the SSH protocol framework is also regulated, and seven Type, no symbolic 32-bit integer type, no symbolic 64-bit integer class word type. The following explanation is explained:
(1) byte type (byte)
One byte (byte) represents an arbitrary 8, uses a byte array to write a BYTE [N-N-N-N-N-OcTet) [RFC-1700]. Sometimes the number of fixed lengths is in the form of a form, where n is the number of bytes in the array.
(2) Boolean type (Boolean)
A Boolean value (TRUE) (TRUE) is "true" (TRUE). All value stores 0 and 1 unexpected value.) Takes up a byte of storage. Numerous non-zero must be interpreted as "true" value 0 means "false), value 1, but can't put in the actual application
(3) No symbolic 32-bit integer type (Unit32)
A 32-bit non-symbol is tapped before, low after). For example, when storage is 03 CD F3 B type value, from four in descending order, there is a value of 63828921, its address assignment of the specific storage structure, such as the characterization (descending, network word, high ten Six refers to 0x03CDF3B9, in real 3. Figure 3 Typical storage format of unsigned 32-bit integer type
(4) No symbolic 64-bit integer type (Unit64)
A 64-word unsigned integer value, which is similar to the integer, compacted by picture 3. Eight bytes stored in sequence sequence, its specific storage structure and 32 bits
(5) String type (String)
String type is any long resignation (NULL) and 8-bit characters. The word is then how many bytes of bytes, and UN does not need to use empty characters to represent the binary sequence of the end degree. The first four bytes that can strings in the string are zero or more bytes after a Unit32IT32. Contains any binary data, including the empty word value, indicating the length of the string (also the value of the string is the value of the string. String type
The string is also used to store text information of the text, using ISO-10 (NULL). This data. In this case, the internal name 646 UTF-8 encodes. General happens using a US-ASCII character, may not store the end-of-the-empty characters in the user's display
The storage structure of the string "My ABC" is illustrated in Figure 4:
Figure 4 Typical storage format of string type
It can be apparent from Figure 4 that the character string byte), even if there is no character string that does not have any characters, it is similar. The length of the type takes up is 4 bytes plus the actual number of characters (to take up four bytes. This structure is string in the Pascal language.
(6) Multi-precision integer type (MPINT)
Multi-precision integer type actual points Each byte 8 bit, the high position is the highest bit of a positive number, and the extra front guide byte If a value of a zero zero (ST. Its storage format is passed 5 is a string, the data part is taken, the low is after. When the number is negative, its data part must be included in 0 or 255 when it is not included. Multi-precision integers are described in specific examples: an integer in binary complement format, and the first byte of the data section is 1 in the first byte of the data. As the byte 0x00 as a preamble. It is necessary to pay attention to the numerical value. Numerical 0 must still be stored or follow the normal integer algorithm
Figure 5 Typical storage format of multi-precision integer type
(7) Name Type (Name-List)
Name-List is a string of strings in a single storage method, the first four words in the name table, similar to the string type), followed by the name, must have a non-zero length, and No packages can identify the algorithm of the name generated in the name table, or both language tags. The context of the name. Like a string type, regardless of the end. As shown in Figure 6: String, which is composed of comma-separated names. In the segment is a Unit32 integer to indicate its length (a series of names separated by the subsequent byte comma, it can be 0 or more. Composites include a comma, because the comma is a separator between the names. When using, the external limit, for example, the name in a name table must be related to the name of the valid table and the order, but also depends on whether the name table is a single name, or the entire name, no need to use empty word
Figure 6 Typical storage format of the name table
The SSH protocol framework has support for these data types, which will bring great convenience to the processing of the protocol and algorithm.
5, naming rules and message encoding
The SSH protocol uses the name to be used when using a specific method and other protocol. Whether it is an algorithm or agreement in the SSH protocol framework, it must follow the hash algorithm, encryption algorithm, integrity to distinguish, so the algorithm or agreement essential in the SSH protocol framework is still a unified naming rule. Algorithm, compression algorithm, and key exchange are important part of the naming rules, the specific application is added when the SSH protocol is implemented.
The SSH protocol framework has a basic, prints a US-ASCII string; the name must be a big principle: all algorithm identifiers must be non-empty lowercase sensitive than 64 characters.
The specific algorithm has two formats:
(1) Do not include the name of the @ symbol, "hmac-sha1", this format name is not the word is the IETF standard (RFC document) "Zlib" (Note: Quotation marks are not named Of course, all registered names of the IETF are reserved. For example, part of "3DES-CBC", "). You cannot contain @ symbols or comma before the word before registration.
(2) Anyone can use "Name @ domamycipher-cbc @ ssh.com". Us-ASCII characters outside the @ symbol and comma before @ symbol. In the @ 符 (Refer to [RFC-1034]), the personal domain name and the organization domain are responsible. Inname "Format Named Custom Algorithm, such as" The specific format of the section is not limited, but the part must be used after this section must be a completely legal Internet domain name. As for the management of local namespace, it is self-contained by each domain.
Another major standardization rule in the SSH protocol framework is the message encoding. Basic provisions are described in Table 1:
