How Does SSH Work?

Photo by Markus Spiske on Unsplash

This article is for beginners struggling to understand the concept of SSH. I attempt to break down the SSH connection process to its most basic steps. This article will cover :

• What SSH is.
• The process of initiating SSH.
• Stages in the SSH operation.

WHAT IS SSH?

The purpose of SSH is to provide a secure channel of communication over an unsecure network such as the internet. It is a network protocol applied to a client-server architecture that encrypts the exchange of data between a server and a client, over a TCP/IP connection. You can think of it as “a way for Alice to send information to Bob without Eve eavesdropping” — an analogy popular in cryptography literature. Let’s say Alice is the client, Bob is the server, and Eve is a potential intruder.

THE PROCESS OF INITIATING SSH

To begin the SSH operation, the client generates an SSH key pair. This pair comprises a private key (verification key) and a public key (signing key).

The public key is shared with anyone. It serves as a sort of digital signature for the client. Once generated, the client uploads the public key to the server. The server has a home directory specifically for the client. This home directory contains another directory named ~/.ssh. The ~/.ssh directory contains a file named authorized_keys. The client’s public key is placed in this authorized_keys file.

The private key must be kept secret and is known only to the client. Its presence confirms the client’s identity. The server also has its own key pair.

This concept of a key pair is a requirement for the entire SSH routine.

STAGES IN THE SSH OPERATION

The steps in establishing an SSH connection pass through two primary stages:

A) Secure encryption for communication

This stage handles the creation of a ‘shell’, protecting the communication channel from snooping by intruders. Both sides of the communication do this using a form of symmetrical encryption referred to as ‘shared secret key encryption’.

Here, both parties exchange public keys and arrive at a shared secret key used to encrypt information sent over the connection. The key pair used in this stage differs from the initial SSH key pair used for authentication.

The classic algorithm used in this process is the Diffie-Hellman key exchange algorithm. Here’s an analogy of how it works:

1. Let’s say Alice and Bob decide to make breakfast. They both decide on a common ingredient to use — eggs.
2. Alice chooses a secret ingredient (cheese) that Bob does not know about, and Bob does the same (tomatoes).
3. They both mix up their ingredients independently, resulting in different mixtures.
4. Bob and Alice exchange mixtures.
5. Alice then adds her secret ingredient to Bob’s mixture, while Bob adds his own secret ingredient to Alice’s mixture.
6. And finally, they both come up with the same meal — an omelette.

Now, let’s explore a more technical description of the Diffie-Hellman algorithm.

1. The client and server agree on a large prime number as a base value. Any intruder eavesdropping on the communication has access to this number.
2. The client and server choose another prime number independently. This number is secret from each other. It will be the private key for this exchange. And is unknown to any intruder.
3. Both entities also agree on an encryption generator (usually Advanced Encryption Standard — AES). This generator is used to manipulate the values in a pre-defined way.
4. The private key, the encryption generator, and the shared prime number are used to generate a public key that is shared with each other. Both entities perform this operation independently.
5. Both entities exchange the generated public keys. Any intruder eavesdropping on the communication also has access to the generated public key of both the client and server.
6. The client uses its own private key, the server’s public key, and the original shared prime number to compute a shared secret key. And the server does the same thing.
7. Finally, even though each entity computes the shared secret key independently — using opposite public and private keys, each entity outputs the same shared secret key.

This shared secret key encrypts any message and is also used to decrypt it on the other end. The shared secret key is unknown to Eve because the private key for each entity is secret.

This symmetric encryption key is session-based. This means that every new connection produces a new shared secret key.

After establishing a secure session via encryption, the client authentication stage begins.

B) Authentication

The simplest method of authentication is using a password. The server basically prompts the client for the password of the account they are attempting to login with. This is not a recommended method. This is because, although the password is encrypted, automated scripts may break the password.

The recommended approach is the use of SSH key-based authentication. This involves the application of asymmetrical encryption and hashing.

With asymmetrical encryption, the public key encrypts information that only the private key can decrypt, as opposed to symmetrical encryption where the same key — the shared secret key — is used to encrypt and decrypt information both ways.

Here’s how it happens:

1. The client starts by sending an ID for the key pair it would like to authenticate with the server. You can think of this ID as a username or email address.

2. The server scans the authorized_keys file of the directory that the client is attempting to log into for the key pair ID.

3. Once a public key with a matching ID is found in the file, the server creates a random number and encrypts the number using the public key.

4. The server relays this encrypted number to the client.

5. The client decrypts the number using the private key associated with the public key, disclosing the original random number.

6. The client integrates this decrypted number with the shared secret key used to encrypt the communication, to form an output.

7. The client computes the MD5 hash of the output.

8. The client transmits the MD5 hash back to the server as a response to the encrypted number.

9. The server performs the same hashing operation using the same shared secret key and the original random number, to arrive at the hash value independently.

10. The server compares its own hash value with that contained in the client response.

11. If the values match, it confirms that the client owns the private key.

12. The client is authenticated and now has access to the server.

SSH provides a way to protect client-server interactions from man-in-the-middle attacks. In all versions of SSH, it is imperative to associate public keys with an ID before accepting them as valid.

Accepting an attacker’s public key without authentication gives the attacker unauthorized access to the server.

Additional resources

SSH (Secure Shell). For an extensive study of SSH, check out this documentation.

Encryption Techniques. For an overview of cryptography and encryption, check out this article.

Thank you for reading this article.

Let me know in the comments section if you found this article helpful!