authorErlang/OTP <[email protected]>2009-11-20 14:54:40 +0000
committerErlang/OTP <[email protected]>2009-11-20 14:54:40 +0000
commit84adefa331c4159d432d22840663c38f155cd4c1 (patch)
treebff9a9c66adda4df2106dfd0e5c053ab182a12bd /lib/ssh/doc/standard/draft-ietf-secsh-transport-17.2.ps
The R13B03 release.OTP_R13B03
Diffstat (limited to 'lib/ssh/doc/standard/draft-ietf-secsh-transport-17.2.ps')
-rw-r--r--lib/ssh/doc/standard/draft-ietf-secsh-transport-17.2.ps3205
1 files changed, 3205 insertions, 0 deletions
diff --git a/lib/ssh/doc/standard/draft-ietf-secsh-transport-17.2.ps b/lib/ssh/doc/standard/draft-ietf-secsh-transport-17.2.ps
new file mode 100644
index 0000000000..d692285b4e
--- /dev/null
+++ b/lib/ssh/doc/standard/draft-ietf-secsh-transport-17.2.ps
@@ -0,0 +1,3205 @@
+%!PS-Adobe-3.0
+%%BoundingBox: 75 0 595 747
+%%Title: Enscript Output
+%%For: Magnus Thoang
+%%Creator: GNU enscript 1.6.1
+%%CreationDate: Fri Oct 31 13:35:14 2003
+%%Orientation: Portrait
+%%Pages: 15 0
+%%DocumentMedia: A4 595 842 0 () ()
+%%DocumentNeededResources: (atend)
+%%EndComments
+%%BeginProlog
+%%BeginProcSet: PStoPS 1 15
+userdict begin
+[/showpage/erasepage/copypage]{dup where{pop dup load
+ type/operatortype eq{1 array cvx dup 0 3 index cvx put
+ bind def}{pop}ifelse}{pop}ifelse}forall
+[/letter/legal/executivepage/a4/a4small/b5/com10envelope
+ /monarchenvelope/c5envelope/dlenvelope/lettersmall/note
+ /folio/quarto/a5]{dup where{dup wcheck{exch{}put}
+ {pop{}def}ifelse}{pop}ifelse}forall
+/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put}
+ {pop def}ifelse}{def}ifelse
+/PStoPSmatrix matrix currentmatrix def
+/PStoPSxform matrix def/PStoPSclip{clippath}def
+/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def
+/initmatrix{matrix defaultmatrix setmatrix}bind def
+/initclip[{matrix currentmatrix PStoPSmatrix setmatrix
+ [{currentpoint}stopped{$error/newerror false put{newpath}}
+ {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse]
+ {[/newpath cvx{/moveto cvx}{/lineto cvx}
+ {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop}
+ stopped{$error/errorname get/invalidaccess eq{cleartomark
+ $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop
+ /initclip dup load dup type dup/operatortype eq{pop exch pop}
+ {dup/arraytype eq exch/packedarraytype eq or
+ {dup xcheck{exch pop aload pop}{pop cvx}ifelse}
+ {pop cvx}ifelse}ifelse
+ {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def
+/initgraphics{initmatrix newpath initclip 1 setlinewidth
+ 0 setlinecap 0 setlinejoin []0 setdash 0 setgray
+ 10 setmiterlimit}bind def
+end
+%%EndProcSet
+%%BeginResource: procset Enscript-Prolog 1.6 1
+%
+% Procedures.
+%
+
+/_S { % save current state
+ /_s save def
+} def
+/_R { % restore from saved state
+ _s restore
+} def
+
+/S { % showpage protecting gstate
+ gsave
+ showpage
+ grestore
+} bind def
+
+/MF { % fontname newfontname -> - make a new encoded font
+ /newfontname exch def
+ /fontname exch def
+
+ /fontdict fontname findfont def
+ /newfont fontdict maxlength dict def
+
+ fontdict {
+ exch
+ dup /FID eq {
+ % skip FID pair
+ pop pop
+ } {
+ % copy to the new font dictionary
+ exch newfont 3 1 roll put
+ } ifelse
+ } forall
+
+ newfont /FontName newfontname put
+
+ % insert only valid encoding vectors
+ encoding_vector length 256 eq {
+ newfont /Encoding encoding_vector put
+ } if
+
+ newfontname newfont definefont pop
+} def
+
+/SF { % fontname width height -> - set a new font
+ /height exch def
+ /width exch def
+
+ findfont
+ [width 0 0 height 0 0] makefont setfont
+} def
+
+/SUF { % fontname width height -> - set a new user font
+ /height exch def
+ /width exch def
+
+ /F-gs-user-font MF
+ /F-gs-user-font width height SF
+} def
+
+/M {moveto} bind def
+/s {show} bind def
+
+/Box { % x y w h -> - define box path
+ /d_h exch def /d_w exch def /d_y exch def /d_x exch def
+ d_x d_y moveto
+ d_w 0 rlineto
+ 0 d_h rlineto
+ d_w neg 0 rlineto
+ closepath
+} def
+
+/bgs { % x y height blskip gray str -> - show string with bg color
+ /str exch def
+ /gray exch def
+ /blskip exch def
+ /height exch def
+ /y exch def
+ /x exch def
+
+ gsave
+ x y blskip sub str stringwidth pop height Box
+ gray setgray
+ fill
+ grestore
+ x y M str s
+} def
+
+% Highlight bars.
+/highlight_bars { % nlines lineheight output_y_margin gray -> -
+ gsave
+ setgray
+ /ymarg exch def
+ /lineheight exch def
+ /nlines exch def
+
+ % This 2 is just a magic number to sync highlight lines to text.
+ 0 d_header_y ymarg sub 2 sub translate
+
+ /cw d_output_w cols div def
+ /nrows d_output_h ymarg 2 mul sub lineheight div cvi def
+
+ % for each column
+ 0 1 cols 1 sub {
+ cw mul /xp exch def
+
+ % for each rows
+ 0 1 nrows 1 sub {
+ /rn exch def
+ rn lineheight mul neg /yp exch def
+ rn nlines idiv 2 mod 0 eq {
+ % Draw highlight bar. 4 is just a magic indentation.
+ xp 4 add yp cw 8 sub lineheight neg Box fill
+ } if
+ } for
+ } for
+
+ grestore
+} def
+
+% Line highlight bar.
+/line_highlight { % x y width height gray -> -
+ gsave
+ /gray exch def
+ Box gray setgray fill
+ grestore
+} def
+
+% Column separator lines.
+/column_lines {
+ gsave
+ .1 setlinewidth
+ 0 d_footer_h translate
+ /cw d_output_w cols div def
+ 1 1 cols 1 sub {
+ cw mul 0 moveto
+ 0 d_output_h rlineto stroke
+ } for
+ grestore
+} def
+
+% Column borders.
+/column_borders {
+ gsave
+ .1 setlinewidth
+ 0 d_footer_h moveto
+ 0 d_output_h rlineto
+ d_output_w 0 rlineto
+ 0 d_output_h neg rlineto
+ closepath stroke
+ grestore
+} def
+
+% Do the actual underlay drawing
+/draw_underlay {
+ ul_style 0 eq {
+ ul_str true charpath stroke
+ } {
+ ul_str show
+ } ifelse
+} def
+
+% Underlay
+/underlay { % - -> -
+ gsave
+ 0 d_page_h translate
+ d_page_h neg d_page_w atan rotate
+
+ ul_gray setgray
+ ul_font setfont
+ /dw d_page_h dup mul d_page_w dup mul add sqrt def
+ ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto
+ draw_underlay
+ grestore
+} def
+
+/user_underlay { % - -> -
+ gsave
+ ul_x ul_y translate
+ ul_angle rotate
+ ul_gray setgray
+ ul_font setfont
+ 0 0 ul_h_ptsize 2 div sub moveto
+ draw_underlay
+ grestore
+} def
+
+% Page prefeed
+/page_prefeed { % bool -> -
+ statusdict /prefeed known {
+ statusdict exch /prefeed exch put
+ } {
+ pop
+ } ifelse
+} def
+
+% Wrapped line markers
+/wrapped_line_mark { % x y charwith charheight type -> -
+ /type exch def
+ /h exch def
+ /w exch def
+ /y exch def
+ /x exch def
+
+ type 2 eq {
+ % Black boxes (like TeX does)
+ gsave
+ 0 setlinewidth
+ x w 4 div add y M
+ 0 h rlineto w 2 div 0 rlineto 0 h neg rlineto
+ closepath fill
+ grestore
+ } {
+ type 3 eq {
+ % Small arrows
+ gsave
+ .2 setlinewidth
+ x w 2 div add y h 2 div add M
+ w 4 div 0 rlineto
+ x w 4 div add y lineto stroke
+
+ x w 4 div add w 8 div add y h 4 div add M
+ x w 4 div add y lineto
+ w 4 div h 8 div rlineto stroke
+ grestore
+ } {
+ % do nothing
+ } ifelse
+ } ifelse
+} def
+
+% EPSF import.
+
+/BeginEPSF {
+ /b4_Inc_state save def % Save state for cleanup
+ /dict_count countdictstack def % Count objects on dict stack
+ /op_count count 1 sub def % Count objects on operand stack
+ userdict begin
+ /showpage { } def
+ 0 setgray 0 setlinecap
+ 1 setlinewidth 0 setlinejoin
+ 10 setmiterlimit [ ] 0 setdash newpath
+ /languagelevel where {
+ pop languagelevel
+ 1 ne {
+ false setstrokeadjust false setoverprint
+ } if
+ } if
+} bind def
+
+/EndEPSF {
+ count op_count sub { pos } repeat % Clean up stacks
+ countdictstack dict_count sub { end } repeat
+ b4_Inc_state restore
+} bind def
+
+% Check PostScript language level.
+/languagelevel where {
+ pop /gs_languagelevel languagelevel def
+} {
+ /gs_languagelevel 1 def
+} ifelse
+%%EndResource
+%%BeginResource: procset Enscript-Encoding-88591 1.6 1
+/encoding_vector [
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/space /exclam /quotedbl /numbersign
+/dollar /percent /ampersand /quoteright
+/parenleft /parenright /asterisk /plus
+/comma /hyphen /period /slash
+/zero /one /two /three
+/four /five /six /seven
+/eight /nine /colon /semicolon
+/less /equal /greater /question
+/at /A /B /C
+/D /E /F /G
+/H /I /J /K
+/L /M /N /O
+/P /Q /R /S
+/T /U /V /W
+/X /Y /Z /bracketleft
+/backslash /bracketright /asciicircum /underscore
+/quoteleft /a /b /c
+/d /e /f /g
+/h /i /j /k
+/l /m /n /o
+/p /q /r /s
+/t /u /v /w
+/x /y /z /braceleft
+/bar /braceright /tilde /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/space /exclamdown /cent /sterling
+/currency /yen /brokenbar /section
+/dieresis /copyright /ordfeminine /guillemotleft
+/logicalnot /hyphen /registered /macron
+/degree /plusminus /twosuperior /threesuperior
+/acute /mu /paragraph /bullet
+/cedilla /onesuperior /ordmasculine /guillemotright
+/onequarter /onehalf /threequarters /questiondown
+/Agrave /Aacute /Acircumflex /Atilde
+/Adieresis /Aring /AE /Ccedilla
+/Egrave /Eacute /Ecircumflex /Edieresis
+/Igrave /Iacute /Icircumflex /Idieresis
+/Eth /Ntilde /Ograve /Oacute
+/Ocircumflex /Otilde /Odieresis /multiply
+/Oslash /Ugrave /Uacute /Ucircumflex
+/Udieresis /Yacute /Thorn /germandbls
+/agrave /aacute /acircumflex /atilde
+/adieresis /aring /ae /ccedilla
+/egrave /eacute /ecircumflex /edieresis
+/igrave /iacute /icircumflex /idieresis
+/eth /ntilde /ograve /oacute
+/ocircumflex /otilde /odieresis /divide
+/oslash /ugrave /uacute /ucircumflex
+/udieresis /yacute /thorn /ydieresis
+] def
+%%EndResource
+%%EndProlog
+%%BeginSetup
+%%IncludeResource: font Courier-Bold
+%%IncludeResource: font Courier
+/HFpt_w 10 def
+/HFpt_h 10 def
+/Courier-Bold /HF-gs-font MF
+/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
+/Courier /F-gs-font MF
+/F-gs-font 10 10 SF
+/#copies 1 def
+/d_page_w 520 def
+/d_page_h 747 def
+/d_header_x 0 def
+/d_header_y 747 def
+/d_header_w 520 def
+/d_header_h 0 def
+/d_footer_x 0 def
+/d_footer_y 0 def
+/d_footer_w 520 def
+/d_footer_h 0 def
+/d_output_w 520 def
+/d_output_h 747 def
+/cols 1 def
+userdict/PStoPSxform PStoPSmatrix matrix currentmatrix
+ matrix invertmatrix matrix concatmatrix
+ matrix invertmatrix put
+%%EndSetup
+%%Page: (0,1) 1
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 1 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 701 M
+(Network Working Group T. Ylonen) s
+5 690 M
+(Internet-Draft SSH Communications Security Corp) s
+5 679 M
+(Expires: March 31, 2004 D. Moffat, Editor, Ed.) s
+5 668 M
+( Sun Microsystems, Inc) s
+5 657 M
+( Oct 2003) s
+5 624 M
+( SSH Transport Layer Protocol) s
+5 613 M
+( draft-ietf-secsh-transport-17.txt) s
+5 591 M
+(Status of this Memo) s
+5 569 M
+( This document is an Internet-Draft and is in full conformance with) s
+5 558 M
+( all provisions of Section 10 of RFC2026.) s
+5 536 M
+( Internet-Drafts are working documents of the Internet Engineering) s
+5 525 M
+( Task Force \(IETF\), its areas, and its working groups. Note that other) s
+5 514 M
+( groups may also distribute working documents as Internet-Drafts.) s
+5 492 M
+( Internet-Drafts are draft documents valid for a maximum of six months) s
+5 481 M
+( and may be updated, replaced, or obsoleted by other documents at any) s
+5 470 M
+( time. It is inappropriate to use Internet-Drafts as reference) s
+5 459 M
+( material or to cite them other than as "work in progress.") s
+5 437 M
+( The list of current Internet-Drafts can be accessed at http://) s
+5 426 M
+( www.ietf.org/ietf/1id-abstracts.txt.) s
+5 404 M
+( The list of Internet-Draft Shadow Directories can be accessed at) s
+5 393 M
+( http://www.ietf.org/shadow.html.) s
+5 371 M
+( This Internet-Draft will expire on March 31, 2004.) s
+5 349 M
+(Copyright Notice) s
+5 327 M
+( Copyright \(C\) The Internet Society \(2003\). All Rights Reserved.) s
+5 305 M
+(Abstract) s
+5 283 M
+( SSH is a protocol for secure remote login and other secure network) s
+5 272 M
+( services over an insecure network.) s
+5 250 M
+( This document describes the SSH transport layer protocol which) s
+5 239 M
+( typically runs on top of TCP/IP. The protocol can be used as a basis) s
+5 228 M
+( for a number of secure network services. It provides strong) s
+5 217 M
+( encryption, server authentication, and integrity protection. It may) s
+5 206 M
+( also provide compression.) s
+5 184 M
+( Key exchange method, public key algorithm, symmetric encryption) s
+5 173 M
+( algorithm, message authentication algorithm, and hash algorithm are) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 1]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 2 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( all negotiated.) s
+5 668 M
+( This document also describes the Diffie-Hellman key exchange method) s
+5 657 M
+( and the minimal set of algorithms that are needed to implement the) s
+5 646 M
+( SSH transport layer protocol.) s
+5 624 M
+(Table of Contents) s
+5 602 M
+( 1. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 591 M
+( 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 580 M
+( 3. Conventions Used in This Document . . . . . . . . . . . . . 3) s
+5 569 M
+( 4. Connection Setup . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 558 M
+( 4.1 Use over TCP/IP . . . . . . . . . . . . . . . . . . . . . . 4) s
+5 547 M
+( 4.2 Protocol Version Exchange . . . . . . . . . . . . . . . . . 4) s
+5 536 M
+( 4.3 Compatibility With Old SSH Versions . . . . . . . . . . . . 4) s
+5 525 M
+( 4.3.1 Old Client, New Server . . . . . . . . . . . . . . . . . . . 5) s
+5 514 M
+( 4.3.2 New Client, Old Server . . . . . . . . . . . . . . . . . . . 5) s
+5 503 M
+( 5. Binary Packet Protocol . . . . . . . . . . . . . . . . . . . 5) s
+5 492 M
+( 5.1 Maximum Packet Length . . . . . . . . . . . . . . . . . . . 6) s
+5 481 M
+( 5.2 Compression . . . . . . . . . . . . . . . . . . . . . . . . 7) s
+5 470 M
+( 5.3 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 7) s
+5 459 M
+( 5.4 Data Integrity . . . . . . . . . . . . . . . . . . . . . . . 9) s
+5 448 M
+( 5.5 Key Exchange Methods . . . . . . . . . . . . . . . . . . . . 10) s
+5 437 M
+( 5.6 Public Key Algorithms . . . . . . . . . . . . . . . . . . . 11) s
+5 426 M
+( 6. Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . 13) s
+5 415 M
+( 6.1 Algorithm Negotiation . . . . . . . . . . . . . . . . . . . 13) s
+5 404 M
+( 6.2 Output from Key Exchange . . . . . . . . . . . . . . . . . . 16) s
+5 393 M
+( 6.3 Taking Keys Into Use . . . . . . . . . . . . . . . . . . . . 17) s
+5 382 M
+( 7. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . 18) s
+5 371 M
+( 7.1 diffie-hellman-group1-sha1 . . . . . . . . . . . . . . . . . 19) s
+5 360 M
+( 8. Key Re-Exchange . . . . . . . . . . . . . . . . . . . . . . 20) s
+5 349 M
+( 9. Service Request . . . . . . . . . . . . . . . . . . . . . . 21) s
+5 338 M
+( 10. Additional Messages . . . . . . . . . . . . . . . . . . . . 21) s
+5 327 M
+( 10.1 Disconnection Message . . . . . . . . . . . . . . . . . . . 22) s
+5 316 M
+( 10.2 Ignored Data Message . . . . . . . . . . . . . . . . . . . . 22) s
+5 305 M
+( 10.3 Debug Message . . . . . . . . . . . . . . . . . . . . . . . 23) s
+5 294 M
+( 10.4 Reserved Messages . . . . . . . . . . . . . . . . . . . . . 23) s
+5 283 M
+( 11. Summary of Message Numbers . . . . . . . . . . . . . . . . . 23) s
+5 272 M
+( 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . 24) s
+5 261 M
+( 13. Security Considerations . . . . . . . . . . . . . . . . . . 24) s
+5 250 M
+( 14. Intellectual Property . . . . . . . . . . . . . . . . . . . 24) s
+5 239 M
+( 15. Additional Information . . . . . . . . . . . . . . . . . . . 24) s
+5 228 M
+( Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 26) s
+5 217 M
+( Normative . . . . . . . . . . . . . . . . . . . . . . . . . 25) s
+5 206 M
+( Informative . . . . . . . . . . . . . . . . . . . . . . . . 25) s
+5 195 M
+( A. Contibutors . . . . . . . . . . . . . . . . . . . . . . . . 27) s
+5 184 M
+( Intellectual Property and Copyright Statements . . . . . . . 28) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 2]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (2,3) 2
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 3 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(1. Contributors) s
+5 668 M
+( The major original contributors of this document were: Tatu Ylonen,) s
+5 657 M
+( Tero Kivinen, Timo J. Rinne, Sami Lehtinen \(all of SSH Communications) s
+5 646 M
+( Security Corp\), and Markku-Juhani O. Saarinen \(University of) s
+5 635 M
+( Jyvaskyla\)) s
+5 613 M
+( The document editor is: [email protected]. Comments on this) s
+5 602 M
+( internet draft should be sent to the IETF SECSH working group,) s
+5 591 M
+( details at: http://ietf.org/html.charters/secsh-charter.html) s
+5 569 M
+(2. Introduction) s
+5 547 M
+( The SSH transport layer is a secure low level transport protocol. It) s
+5 536 M
+( provides strong encryption, cryptographic host authentication, and) s
+5 525 M
+( integrity protection.) s
+5 503 M
+( Authentication in this protocol level is host-based; this protocol) s
+5 492 M
+( does not perform user authentication. A higher level protocol for) s
+5 481 M
+( user authentication can be designed on top of this protocol.) s
+5 459 M
+( The protocol has been designed to be simple, flexible, to allow) s
+5 448 M
+( parameter negotiation, and to minimize the number of round-trips.) s
+5 437 M
+( Key exchange method, public key algorithm, symmetric encryption) s
+5 426 M
+( algorithm, message authentication algorithm, and hash algorithm are) s
+5 415 M
+( all negotiated. It is expected that in most environments, only 2) s
+5 404 M
+( round-trips will be needed for full key exchange, server) s
+5 393 M
+( authentication, service request, and acceptance notification of) s
+5 382 M
+( service request. The worst case is 3 round-trips.) s
+5 360 M
+(3. Conventions Used in This Document) s
+5 338 M
+( The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",) s
+5 327 M
+( and "MAY" that appear in this document are to be interpreted as) s
+5 316 M
+( described in [RFC2119].) s
+5 294 M
+( The used data types and terminology are specified in the architecture) s
+5 283 M
+( document [SSH-ARCH].) s
+5 261 M
+( The architecture document also discusses the algorithm naming) s
+5 250 M
+( conventions that MUST be used with the SSH protocols.) s
+5 228 M
+(4. Connection Setup) s
+5 206 M
+( SSH works over any 8-bit clean, binary-transparent transport. The) s
+5 195 M
+( underlying transport SHOULD protect against transmission errors as) s
+5 184 M
+( such errors cause the SSH connection to terminate.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 3]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 4 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( The client initiates the connection.) s
+5 668 M
+(4.1 Use over TCP/IP) s
+5 646 M
+( When used over TCP/IP, the server normally listens for connections on) s
+5 635 M
+( port 22. This port number has been registered with the IANA, and has) s
+5 624 M
+( been officially assigned for SSH.) s
+5 602 M
+(4.2 Protocol Version Exchange) s
+5 580 M
+( When the connection has been established, both sides MUST send an) s
+5 569 M
+( identification string of the form "SSH-protoversion-softwareversion) s
+5 558 M
+( comments", followed by carriage return and newline characters \(ASCII) s
+5 547 M
+( 13 and 10, respectively\). Both sides MUST be able to process) s
+5 536 M
+( identification strings without carriage return character. No null) s
+5 525 M
+( character is sent. The maximum length of the string is 255) s
+5 514 M
+( characters, including the carriage return and newline.) s
+5 492 M
+( The part of the identification string preceding carriage return and) s
+5 481 M
+( newline is used in the Diffie-Hellman key exchange \(see Section) s
+5 470 M
+( Section 7\).) s
+5 448 M
+( The server MAY send other lines of data before sending the version) s
+5 437 M
+( string. Each line SHOULD be terminated by a carriage return and) s
+5 426 M
+( newline. Such lines MUST NOT begin with "SSH-", and SHOULD be) s
+5 415 M
+( encoded in ISO-10646 UTF-8 [RFC2279] \(language is not specified\).) s
+5 404 M
+( Clients MUST be able to process such lines; they MAY be silently) s
+5 393 M
+( ignored, or MAY be displayed to the client user; if they are) s
+5 382 M
+( displayed, control character filtering discussed in [SSH-ARCH] SHOULD) s
+5 371 M
+( be used. The primary use of this feature is to allow TCP-wrappers to) s
+5 360 M
+( display an error message before disconnecting.) s
+5 338 M
+( Version strings MUST consist of printable US-ASCII characters, not) s
+5 327 M
+( including whitespaces or a minus sign \(-\). The version string is) s
+5 316 M
+( primarily used to trigger compatibility extensions and to indicate) s
+5 305 M
+( the capabilities of an implementation. The comment string should) s
+5 294 M
+( contain additional information that might be useful in solving user) s
+5 283 M
+( problems.) s
+5 261 M
+( The protocol version described in this document is 2.0.) s
+5 239 M
+( Key exchange will begin immediately after sending this identifier.) s
+5 228 M
+( All packets following the identification string SHALL use the binary) s
+5 217 M
+( packet protocol, to be described below.) s
+5 195 M
+(4.3 Compatibility With Old SSH Versions) s
+5 173 M
+( During the transition period, it is important to be able to work in a) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 4]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (4,5) 3
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 5 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( way that is compatible with the installed SSH clients and servers) s
+5 679 M
+( that use an older version of the protocol. Information in this) s
+5 668 M
+( section is only relevant for implementations supporting compatibility) s
+5 657 M
+( with SSH versions 1.x. There is no standards track or informational) s
+5 646 M
+( draft available that defines the SSH 1.x protocol. The only known) s
+5 635 M
+( documentation of the 1.x protocol is contained in README files that) s
+5 624 M
+( are shipped along with the source code.) s
+5 602 M
+(4.3.1 Old Client, New Server) s
+5 580 M
+( Server implementations MAY support a configurable "compatibility") s
+5 569 M
+( flag that enables compatibility with old versions. When this flag is) s
+5 558 M
+( on, the server SHOULD identify its protocol version as "1.99".) s
+5 547 M
+( Clients using protocol 2.0 MUST be able to identify this as identical) s
+5 536 M
+( to "2.0". In this mode the server SHOULD NOT send the carriage) s
+5 525 M
+( return character \(ASCII 13\) after the version identification string.) s
+5 503 M
+( In the compatibility mode the server SHOULD NOT send any further data) s
+5 492 M
+( after its initialization string until it has received an) s
+5 481 M
+( identification string from the client. The server can then determine) s
+5 470 M
+( whether the client is using an old protocol, and can revert to the) s
+5 459 M
+( old protocol if required. In the compatibility mode, the server MUST) s
+5 448 M
+( NOT send additional data before the version string.) s
+5 426 M
+( When compatibility with old clients is not needed, the server MAY) s
+5 415 M
+( send its initial key exchange data immediately after the) s
+5 404 M
+( identification string.) s
+5 382 M
+(4.3.2 New Client, Old Server) s
+5 360 M
+( Since the new client MAY immediately send additional data after its) s
+5 349 M
+( identification string \(before receiving server's identification\), the) s
+5 338 M
+( old protocol may already have been corrupted when the client learns) s
+5 327 M
+( that the server is old. When this happens, the client SHOULD close) s
+5 316 M
+( the connection to the server, and reconnect using the old protocol.) s
+5 294 M
+(5. Binary Packet Protocol) s
+5 272 M
+( Each packet is in the following format:) s
+5 250 M
+( uint32 packet_length) s
+5 239 M
+( byte padding_length) s
+5 228 M
+( byte[n1] payload; n1 = packet_length - padding_length - 1) s
+5 217 M
+( byte[n2] random padding; n2 = padding_length) s
+5 206 M
+( byte[m] mac \(message authentication code\); m = mac_length) s
+5 184 M
+( packet_length) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 5]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 6 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( The length of the packet \(bytes\), not including MAC or the) s
+5 679 M
+( packet_length field itself.) s
+5 657 M
+( padding_length) s
+5 646 M
+( Length of padding \(bytes\).) s
+5 624 M
+( payload) s
+5 613 M
+( The useful contents of the packet. If compression has been) s
+5 602 M
+( negotiated, this field is compressed. Initially, compression) s
+5 591 M
+( MUST be "none".) s
+5 569 M
+( random padding) s
+5 558 M
+( Arbitrary-length padding, such that the total length of) s
+5 547 M
+( \(packet_length || padding_length || payload || padding\) is a) s
+5 536 M
+( multiple of the cipher block size or 8, whichever is larger.) s
+5 525 M
+( There MUST be at least four bytes of padding. The padding) s
+5 514 M
+( SHOULD consist of random bytes. The maximum amount of padding) s
+5 503 M
+( is 255 bytes.) s
+5 481 M
+( mac) s
+5 470 M
+( Message authentication code. If message authentication has) s
+5 459 M
+( been negotiated, this field contains the MAC bytes. Initially,) s
+5 448 M
+( the MAC algorithm MUST be "none".) s
+5 415 M
+( Note that length of the concatenation of packet length, padding) s
+5 404 M
+( length, payload, and padding MUST be a multiple of the cipher block) s
+5 393 M
+( size or 8, whichever is larger. This constraint MUST be enforced) s
+5 382 M
+( even when using stream ciphers. Note that the packet length field is) s
+5 371 M
+( also encrypted, and processing it requires special care when sending) s
+5 360 M
+( or receiving packets.) s
+5 338 M
+( The minimum size of a packet is 16 \(or the cipher block size,) s
+5 327 M
+( whichever is larger\) bytes \(plus MAC\); implementations SHOULD decrypt) s
+5 316 M
+( the length after receiving the first 8 \(or cipher block size,) s
+5 305 M
+( whichever is larger\) bytes of a packet.) s
+5 283 M
+(5.1 Maximum Packet Length) s
+5 261 M
+( All implementations MUST be able to process packets with uncompressed) s
+5 250 M
+( payload length of 32768 bytes or less and total packet size of 35000) s
+5 239 M
+( bytes or less \(including length, padding length, payload, padding,) s
+5 228 M
+( and MAC.\). The maximum of 35000 bytes is an arbitrary chosen value) s
+5 217 M
+( larger than uncompressed size. Implementations SHOULD support longer) s
+5 206 M
+( packets, where they might be needed, e.g. if an implementation wants) s
+5 195 M
+( to send a very large number of certificates. Such packets MAY be) s
+5 184 M
+( sent if the version string indicates that the other party is able to) s
+5 173 M
+( process them. However, implementations SHOULD check that the packet) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 6]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (6,7) 4
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 7 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( length is reasonable for the implementation to avoid) s
+5 679 M
+( denial-of-service and/or buffer overflow attacks.) s
+5 657 M
+(5.2 Compression) s
+5 635 M
+( If compression has been negotiated, the payload field \(and only it\)) s
+5 624 M
+( will be compressed using the negotiated algorithm. The length field) s
+5 613 M
+( and MAC will be computed from the compressed payload. Encryption will) s
+5 602 M
+( be done after compression.) s
+5 580 M
+( Compression MAY be stateful, depending on the method. Compression) s
+5 569 M
+( MUST be independent for each direction, and implementations MUST) s
+5 558 M
+( allow independently choosing the algorithm for each direction.) s
+5 536 M
+( The following compression methods are currently defined:) s
+5 514 M
+( none REQUIRED no compression) s
+5 503 M
+( zlib OPTIONAL ZLIB \(LZ77\) compression) s
+5 481 M
+( The "zlib" compression is described in [RFC1950] and in [RFC1951].) s
+5 470 M
+( The compression context is initialized after each key exchange, and) s
+5 459 M
+( is passed from one packet to the next with only a partial flush being) s
+5 448 M
+( performed at the end of each packet. A partial flush means that the) s
+5 437 M
+( current compressed block is ended and all data will be output. If the) s
+5 426 M
+( current block is not a stored block, one or more empty blocks are) s
+5 415 M
+( added after the current block to ensure that there are at least 8) s
+5 404 M
+( bits counting from the start of the end-of-block code of the current) s
+5 393 M
+( block to the end of the packet payload.) s
+5 371 M
+( Additional methods may be defined as specified in [SSH-ARCH].) s
+5 349 M
+(5.3 Encryption) s
+5 327 M
+( An encryption algorithm and a key will be negotiated during the key) s
+5 316 M
+( exchange. When encryption is in effect, the packet length, padding) s
+5 305 M
+( length, payload and padding fields of each packet MUST be encrypted) s
+5 294 M
+( with the given algorithm.) s
+5 272 M
+( The encrypted data in all packets sent in one direction SHOULD be) s
+5 261 M
+( considered a single data stream. For example, initialization vectors) s
+5 250 M
+( SHOULD be passed from the end of one packet to the beginning of the) s
+5 239 M
+( next packet. All ciphers SHOULD use keys with an effective key length) s
+5 228 M
+( of 128 bits or more.) s
+5 206 M
+( The ciphers in each direction MUST run independently of each other,) s
+5 195 M
+( and implementations MUST allow independently choosing the algorithm) s
+5 184 M
+( for each direction \(if multiple algorithms are allowed by local) s
+5 173 M
+( policy\).) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 7]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 8 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( The following ciphers are currently defined:) s
+5 668 M
+( 3des-cbc REQUIRED three-key 3DES in CBC mode) s
+5 657 M
+( blowfish-cbc OPTIONALi Blowfish in CBC mode) s
+5 646 M
+( twofish256-cbc OPTIONAL Twofish in CBC mode,) s
+5 635 M
+( with 256-bit key) s
+5 624 M
+( twofish-cbc OPTIONAL alias for "twofish256-cbc" \(this) s
+5 613 M
+( is being retained for) s
+5 602 M
+( historical reasons\)) s
+5 591 M
+( twofish192-cbc OPTIONAL Twofish with 192-bit key) s
+5 580 M
+( twofish128-cbc OPTIONAL Twofish with 128-bit key) s
+5 569 M
+( aes256-cbc OPTIONAL AES \(Rijndael\) in CBC mode,) s
+5 558 M
+( with 256-bit key) s
+5 547 M
+( aes192-cbc OPTIONAL AES with 192-bit key) s
+5 536 M
+( aes128-cbc RECOMMENDED AES with 128-bit key) s
+5 525 M
+( serpent256-cbc OPTIONAL Serpent in CBC mode, with) s
+5 514 M
+( 256-bit key) s
+5 503 M
+( serpent192-cbc OPTIONAL Serpent with 192-bit key) s
+5 492 M
+( serpent128-cbc OPTIONAL Serpent with 128-bit key) s
+5 481 M
+( arcfour OPTIONAL the ARCFOUR stream cipher) s
+5 470 M
+( idea-cbc OPTIONAL IDEA in CBC mode) s
+5 459 M
+( cast128-cbc OPTIONAL CAST-128 in CBC mode) s
+5 448 M
+( none OPTIONAL no encryption; NOT RECOMMENDED) s
+5 426 M
+( The "3des-cbc" cipher is three-key triple-DES) s
+5 415 M
+( \(encrypt-decrypt-encrypt\), where the first 8 bytes of the key are) s
+5 404 M
+( used for the first encryption, the next 8 bytes for the decryption,) s
+5 393 M
+( and the following 8 bytes for the final encryption. This requires 24) s
+5 382 M
+( bytes of key data \(of which 168 bits are actually used\). To) s
+5 371 M
+( implement CBC mode, outer chaining MUST be used \(i.e., there is only) s
+5 360 M
+( one initialization vector\). This is a block cipher with 8 byte) s
+5 349 M
+( blocks. This algorithm is defined in [FIPS-46-3]) s
+5 327 M
+( The "blowfish-cbc" cipher is Blowfish in CBC mode, with 128 bit keys) s
+5 316 M
+( [SCHNEIER]. This is a block cipher with 8 byte blocks.) s
+5 294 M
+( The "twofish-cbc" or "twofish256-cbc" cipher is Twofish in CBC mode,) s
+5 283 M
+( with 256 bit keys as described [TWOFISH]. This is a block cipher with) s
+5 272 M
+( 16 byte blocks.) s
+5 250 M
+( The "twofish192-cbc" cipher. Same as above but with 192-bit key.) s
+5 228 M
+( The "twofish128-cbc" cipher. Same as above but with 128-bit key.) s
+5 206 M
+( The "aes256-cbc" cipher is AES \(Advanced Encryption Standard\)) s
+5 195 M
+( [FIPS-197], formerly Rijndael, in CBC mode. This version uses 256-bit) s
+5 184 M
+( key.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 8]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (8,9) 5
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 9 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( The "aes192-cbc" cipher. Same as above but with 192-bit key.) s
+5 668 M
+( The "aes128-cbc" cipher. Same as above but with 128-bit key.) s
+5 646 M
+( The "serpent256-cbc" cipher in CBC mode, with 256-bit key as) s
+5 635 M
+( described in the Serpent AES submission.) s
+5 613 M
+( The "serpent192-cbc" cipher. Same as above but with 192-bit key.) s
+5 591 M
+( The "serpent128-cbc" cipher. Same as above but with 128-bit key.) s
+5 569 M
+( The "arcfour" is the Arcfour stream cipher with 128 bit keys. The) s
+5 558 M
+( Arcfour cipher is believed to be compatible with the RC4 cipher) s
+5 547 M
+( [SCHNEIER]. RC4 is a registered trademark of RSA Data Security Inc.) s
+5 536 M
+( Arcfour \(and RC4\) has problems with weak keys, and should be used) s
+5 525 M
+( with caution.) s
+5 503 M
+( The "idea-cbc" cipher is the IDEA cipher in CBC mode [SCHNEIER].) s
+5 481 M
+( The "cast128-cbc" cipher is the CAST-128 cipher in CBC mode) s
+5 470 M
+( [RFC2144].) s
+5 448 M
+( The "none" algorithm specifies that no encryption is to be done.) s
+5 437 M
+( Note that this method provides no confidentiality protection, and it) s
+5 426 M
+( is not recommended. Some functionality \(e.g. password) s
+5 415 M
+( authentication\) may be disabled for security reasons if this cipher) s
+5 404 M
+( is chosen.) s
+5 382 M
+( Additional methods may be defined as specified in [SSH-ARCH].) s
+5 360 M
+(5.4 Data Integrity) s
+5 338 M
+( Data integrity is protected by including with each packet a message) s
+5 327 M
+( authentication code \(MAC\) that is computed from a shared secret,) s
+5 316 M
+( packet sequence number, and the contents of the packet.) s
+5 294 M
+( The message authentication algorithm and key are negotiated during) s
+5 283 M
+( key exchange. Initially, no MAC will be in effect, and its length) s
+5 272 M
+( MUST be zero. After key exchange, the selected MAC will be computed) s
+5 261 M
+( before encryption from the concatenation of packet data:) s
+5 239 M
+( mac = MAC\(key, sequence_number || unencrypted_packet\)) s
+5 217 M
+( where unencrypted_packet is the entire packet without MAC \(the length) s
+5 206 M
+( fields, payload and padding\), and sequence_number is an implicit) s
+5 195 M
+( packet sequence number represented as uint32. The sequence number is) s
+5 184 M
+( initialized to zero for the first packet, and is incremented after) s
+5 173 M
+( every packet \(regardless of whether encryption or MAC is in use\). It) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 9]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 10 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( is never reset, even if keys/algorithms are renegotiated later. It) s
+5 679 M
+( wraps around to zero after every 2^32 packets. The packet sequence) s
+5 668 M
+( number itself is not included in the packet sent over the wire.) s
+5 646 M
+( The MAC algorithms for each direction MUST run independently, and) s
+5 635 M
+( implementations MUST allow choosing the algorithm independently for) s
+5 624 M
+( both directions.) s
+5 602 M
+( The MAC bytes resulting from the MAC algorithm MUST be transmitted) s
+5 591 M
+( without encryption as the last part of the packet. The number of MAC) s
+5 580 M
+( bytes depends on the algorithm chosen.) s
+5 558 M
+( The following MAC algorithms are currently defined:) s
+5 536 M
+( hmac-sha1 REQUIRED HMAC-SHA1 \(digest length = key) s
+5 525 M
+( length = 20\)) s
+5 514 M
+( hmac-sha1-96 RECOMMENDED first 96 bits of HMAC-SHA1 \(digest) s
+5 503 M
+( length = 12, key length = 20\)) s
+5 492 M
+( hmac-md5 OPTIONAL HMAC-MD5 \(digest length = key) s
+5 481 M
+( length = 16\)) s
+5 470 M
+( hmac-md5-96 OPTIONAL first 96 bits of HMAC-MD5 \(digest) s
+5 459 M
+( length = 12, key length = 16\)) s
+5 448 M
+( none OPTIONAL no MAC; NOT RECOMMENDED) s
+5 426 M
+( Figure 1) s
+5 404 M
+( The "hmac-*" algorithms are described in [RFC2104] The "*-n" MACs use) s
+5 393 M
+( only the first n bits of the resulting value.) s
+5 371 M
+( The hash algorithms are described in [SCHNEIER].) s
+5 349 M
+( Additional methods may be defined as specified in [SSH-ARCH].) s
+5 327 M
+(5.5 Key Exchange Methods) s
+5 305 M
+( The key exchange method specifies how one-time session keys are) s
+5 294 M
+( generated for encryption and for authentication, and how the server) s
+5 283 M
+( authentication is done.) s
+5 261 M
+( Only one REQUIRED key exchange method has been defined:) s
+5 239 M
+( diffie-hellman-group1-sha1 REQUIRED) s
+5 217 M
+( This method is described later in this document.) s
+5 195 M
+( Additional methods may be defined as specified in [SSH-ARCH].) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 10]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (10,11) 6
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 11 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(5.6 Public Key Algorithms) s
+5 668 M
+( This protocol has been designed to be able to operate with almost any) s
+5 657 M
+( public key format, encoding, and algorithm \(signature and/or) s
+5 646 M
+( encryption\).) s
+5 624 M
+( There are several aspects that define a public key type:) s
+5 613 M
+( o Key format: how is the key encoded and how are certificates) s
+5 602 M
+( represented. The key blobs in this protocol MAY contain) s
+5 591 M
+( certificates in addition to keys.) s
+5 580 M
+( o Signature and/or encryption algorithms. Some key types may not) s
+5 569 M
+( support both signing and encryption. Key usage may also be) s
+5 558 M
+( restricted by policy statements in e.g. certificates. In this) s
+5 547 M
+( case, different key types SHOULD be defined for the different) s
+5 536 M
+( policy alternatives.) s
+5 525 M
+( o Encoding of signatures and/or encrypted data. This includes but is) s
+5 514 M
+( not limited to padding, byte order, and data formats.) s
+5 492 M
+( The following public key and/or certificate formats are currently defined:) s
+5 470 M
+( ssh-dss REQUIRED sign Raw DSS Key) s
+5 459 M
+( ssh-rsa RECOMMENDED sign Raw RSA Key) s
+5 448 M
+( x509v3-sign-rsa OPTIONAL sign X.509 certificates \(RSA key\)) s
+5 437 M
+( x509v3-sign-dss OPTIONAL sign X.509 certificates \(DSS key\)) s
+5 426 M
+( spki-sign-rsa OPTIONAL sign SPKI certificates \(RSA key\)) s
+5 415 M
+( spki-sign-dss OPTIONAL sign SPKI certificates \(DSS key\)) s
+5 404 M
+( pgp-sign-rsa OPTIONAL sign OpenPGP certificates \(RSA key\)) s
+5 393 M
+( pgp-sign-dss OPTIONAL sign OpenPGP certificates \(DSS key\)) s
+5 371 M
+( Additional key types may be defined as specified in [SSH-ARCH].) s
+5 349 M
+( The key type MUST always be explicitly known \(from algorithm) s
+5 338 M
+( negotiation or some other source\). It is not normally included in) s
+5 327 M
+( the key blob.) s
+5 305 M
+( Certificates and public keys are encoded as follows:) s
+5 283 M
+( string certificate or public key format identifier) s
+5 272 M
+( byte[n] key/certificate data) s
+5 250 M
+( The certificate part may have be a zero length string, but a public) s
+5 239 M
+( key is required. This is the public key that will be used for) s
+5 228 M
+( authentication; the certificate sequence contained in the certificate) s
+5 217 M
+( blob can be used to provide authorization.) s
+5 195 M
+( Public key / certifcate formats that do not explicitly specify a) s
+5 184 M
+( signature format identifier MUST use the public key / certificate) s
+5 173 M
+( format identifier as the signature identifier.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 11]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 12 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( Signatures are encoded as follows:) s
+5 679 M
+( string signature format identifier \(as specified by the) s
+5 668 M
+( public key / cert format\)) s
+5 657 M
+( byte[n] signature blob in format specific encoding.) s
+5 624 M
+( The "ssh-dss" key format has the following specific encoding:) s
+5 602 M
+( string "ssh-dss") s
+5 591 M
+( mpint p) s
+5 580 M
+( mpint q) s
+5 569 M
+( mpint g) s
+5 558 M
+( mpint y) s
+5 536 M
+( Here the p, q, g, and y parameters form the signature key blob.) s
+5 514 M
+( Signing and verifying using this key format is done according to the) s
+5 503 M
+( Digital Signature Standard [FIPS-186] using the SHA-1 hash. A) s
+5 492 M
+( description can also be found in [SCHNEIER].) s
+5 470 M
+( The resulting signature is encoded as follows:) s
+5 448 M
+( string "ssh-dss") s
+5 437 M
+( string dss_signature_blob) s
+5 415 M
+( dss_signature_blob is encoded as a string containing r followed by s) s
+5 404 M
+( \(which are 160 bits long integers, without lengths or padding,) s
+5 393 M
+( unsigned and in network byte order\).) s
+5 371 M
+( The "ssh-rsa" key format has the following specific encoding:) s
+5 349 M
+( string "ssh-rsa") s
+5 338 M
+( mpint e) s
+5 327 M
+( mpint n) s
+5 305 M
+( Here the e and n parameters form the signature key blob.) s
+5 283 M
+( Signing and verifying using this key format is done according to) s
+5 272 M
+( [SCHNEIER] and [PKCS1] using the SHA-1 hash.) s
+5 250 M
+( The resulting signature is encoded as follows:) s
+5 228 M
+( string "ssh-rsa") s
+5 217 M
+( string rsa_signature_blob) s
+5 195 M
+( rsa_signature_blob is encoded as a string containing s \(which is an) s
+5 184 M
+( integer, without lengths or padding, unsigned and in network byte) s
+5 173 M
+( order\).) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 12]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (12,13) 7
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 13 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( The "spki-sign-rsa" method indicates that the certificate blob) s
+5 679 M
+( contains a sequence of SPKI certificates. The format of SPKI) s
+5 668 M
+( certificates is described in [RFC2693]. This method indicates that) s
+5 657 M
+( the key \(or one of the keys in the certificate\) is an RSA-key.) s
+5 635 M
+( The "spki-sign-dss". As above, but indicates that the key \(or one of) s
+5 624 M
+( the keys in the certificate\) is a DSS-key.) s
+5 602 M
+( The "pgp-sign-rsa" method indicates the certificates, the public key,) s
+5 591 M
+( and the signature are in OpenPGP compatible binary format) s
+5 580 M
+( \([RFC2440]\). This method indicates that the key is an RSA-key.) s
+5 558 M
+( The "pgp-sign-dss". As above, but indicates that the key is a) s
+5 547 M
+( DSS-key.) s
+5 525 M
+(6. Key Exchange) s
+5 503 M
+( Key exchange begins by each side sending lists of supported) s
+5 492 M
+( algorithms. Each side has a preferred algorithm in each category, and) s
+5 481 M
+( it is assumed that most implementations at any given time will use) s
+5 470 M
+( the same preferred algorithm. Each side MAY guess which algorithm) s
+5 459 M
+( the other side is using, and MAY send an initial key exchange packet) s
+5 448 M
+( according to the algorithm if appropriate for the preferred method.) s
+5 426 M
+( Guess is considered wrong, if:) s
+5 415 M
+( o the kex algorithm and/or the host key algorithm is guessed wrong) s
+5 404 M
+( \(server and client have different preferred algorithm\), or) s
+5 393 M
+( o if any of the other algorithms cannot be agreed upon \(the) s
+5 382 M
+( procedure is defined below in Section Section 6.1\).) s
+5 360 M
+( Otherwise, the guess is considered to be right and the optimistically) s
+5 349 M
+( sent packet MUST be handled as the first key exchange packet.) s
+5 327 M
+( However, if the guess was wrong, and a packet was optimistically sent) s
+5 316 M
+( by one or both parties, such packets MUST be ignored \(even if the) s
+5 305 M
+( error in the guess would not affect the contents of the initial) s
+5 294 M
+( packet\(s\)\), and the appropriate side MUST send the correct initial) s
+5 283 M
+( packet.) s
+5 261 M
+( Server authentication in the key exchange MAY be implicit. After a) s
+5 250 M
+( key exchange with implicit server authentication, the client MUST) s
+5 239 M
+( wait for response to its service request message before sending any) s
+5 228 M
+( further data.) s
+5 206 M
+(6.1 Algorithm Negotiation) s
+5 184 M
+( Key exchange begins by each side sending the following packet:) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 13]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 14 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( byte SSH_MSG_KEXINIT) s
+5 679 M
+( byte[16] cookie \(random bytes\)) s
+5 668 M
+( string kex_algorithms) s
+5 657 M
+( string server_host_key_algorithms) s
+5 646 M
+( string encryption_algorithms_client_to_server) s
+5 635 M
+( string encryption_algorithms_server_to_client) s
+5 624 M
+( string mac_algorithms_client_to_server) s
+5 613 M
+( string mac_algorithms_server_to_client) s
+5 602 M
+( string compression_algorithms_client_to_server) s
+5 591 M
+( string compression_algorithms_server_to_client) s
+5 580 M
+( string languages_client_to_server) s
+5 569 M
+( string languages_server_to_client) s
+5 558 M
+( boolean first_kex_packet_follows) s
+5 547 M
+( uint32 0 \(reserved for future extension\)) s
+5 525 M
+( Each of the algorithm strings MUST be a comma-separated list of) s
+5 514 M
+( algorithm names \(see ''Algorithm Naming'' in [SSH-ARCH]\). Each) s
+5 503 M
+( supported \(allowed\) algorithm MUST be listed in order of preference.) s
+5 481 M
+( The first algorithm in each list MUST be the preferred \(guessed\)) s
+5 470 M
+( algorithm. Each string MUST contain at least one algorithm name.) s
+5 437 M
+( cookie) s
+5 426 M
+( The cookie MUST be a random value generated by the sender. Its) s
+5 415 M
+( purpose is to make it impossible for either side to fully) s
+5 404 M
+( determine the keys and the session identifier.) s
+5 382 M
+( kex_algorithms) s
+5 371 M
+( Key exchange algorithms were defined above. The first) s
+5 360 M
+( algorithm MUST be the preferred \(and guessed\) algorithm. If) s
+5 349 M
+( both sides make the same guess, that algorithm MUST be used.) s
+5 338 M
+( Otherwise, the following algorithm MUST be used to choose a key) s
+5 327 M
+( exchange method: iterate over client's kex algorithms, one at a) s
+5 316 M
+( time. Choose the first algorithm that satisfies the following) s
+5 305 M
+( conditions:) s
+5 294 M
+( + the server also supports the algorithm,) s
+5 283 M
+( + if the algorithm requires an encryption-capable host key,) s
+5 272 M
+( there is an encryption-capable algorithm on the server's) s
+5 261 M
+( server_host_key_algorithms that is also supported by the) s
+5 250 M
+( client, and) s
+5 239 M
+( + if the algorithm requires a signature-capable host key,) s
+5 228 M
+( there is a signature-capable algorithm on the server's) s
+5 217 M
+( server_host_key_algorithms that is also supported by the) s
+5 206 M
+( client.) s
+5 195 M
+( + If no algorithm satisfying all these conditions can be) s
+5 184 M
+( found, the connection fails, and both sides MUST disconnect.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 14]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (14,15) 8
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 15 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( server_host_key_algorithms) s
+5 679 M
+( List of the algorithms supported for the server host key. The) s
+5 668 M
+( server lists the algorithms for which it has host keys; the) s
+5 657 M
+( client lists the algorithms that it is willing to accept.) s
+5 646 M
+( \(There MAY be multiple host keys for a host, possibly with) s
+5 635 M
+( different algorithms.\)) s
+5 613 M
+( Some host keys may not support both signatures and encryption) s
+5 602 M
+( \(this can be determined from the algorithm\), and thus not all) s
+5 591 M
+( host keys are valid for all key exchange methods.) s
+5 569 M
+( Algorithm selection depends on whether the chosen key exchange) s
+5 558 M
+( algorithm requires a signature or encryption capable host key.) s
+5 547 M
+( It MUST be possible to determine this from the public key) s
+5 536 M
+( algorithm name. The first algorithm on the client's list that) s
+5 525 M
+( satisfies the requirements and is also supported by the server) s
+5 514 M
+( MUST be chosen. If there is no such algorithm, both sides MUST) s
+5 503 M
+( disconnect.) s
+5 481 M
+( encryption_algorithms) s
+5 470 M
+( Lists the acceptable symmetric encryption algorithms in order) s
+5 459 M
+( of preference. The chosen encryption algorithm to each) s
+5 448 M
+( direction MUST be the first algorithm on the client's list) s
+5 437 M
+( that is also on the server's list. If there is no such) s
+5 426 M
+( algorithm, both sides MUST disconnect.) s
+5 404 M
+( Note that "none" must be explicitly listed if it is to be) s
+5 393 M
+( acceptable. The defined algorithm names are listed in Section) s
+5 382 M
+( Section 5.3.) s
+5 360 M
+( mac_algorithms) s
+5 349 M
+( Lists the acceptable MAC algorithms in order of preference.) s
+5 338 M
+( The chosen MAC algorithm MUST be the first algorithm on the) s
+5 327 M
+( client's list that is also on the server's list. If there is) s
+5 316 M
+( no such algorithm, both sides MUST disconnect.) s
+5 294 M
+( Note that "none" must be explicitly listed if it is to be) s
+5 283 M
+( acceptable. The MAC algorithm names are listed in Section) s
+5 272 M
+( Figure 1.) s
+5 250 M
+( compression_algorithms) s
+5 239 M
+( Lists the acceptable compression algorithms in order of) s
+5 228 M
+( preference. The chosen compression algorithm MUST be the first) s
+5 217 M
+( algorithm on the client's list that is also on the server's) s
+5 206 M
+( list. If there is no such algorithm, both sides MUST) s
+5 195 M
+( disconnect.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 15]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 16 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( Note that "none" must be explicitly listed if it is to be) s
+5 679 M
+( acceptable. The compression algorithm names are listed in) s
+5 668 M
+( Section Section 5.2.) s
+5 646 M
+( languages) s
+5 635 M
+( This is a comma-separated list of language tags in order of) s
+5 624 M
+( preference [RFC3066]. Both parties MAY ignore this list. If) s
+5 613 M
+( there are no language preferences, this list SHOULD be empty.) s
+5 602 M
+( Language tags SHOULD NOT be present unless they are known to be) s
+5 591 M
+( needed by the sending party.) s
+5 569 M
+( first_kex_packet_follows) s
+5 558 M
+( Indicates whether a guessed key exchange packet follows. If a) s
+5 547 M
+( guessed packet will be sent, this MUST be TRUE. If no guessed) s
+5 536 M
+( packet will be sent, this MUST be FALSE.) s
+5 514 M
+( After receiving the SSH_MSG_KEXINIT packet from the other side,) s
+5 503 M
+( each party will know whether their guess was right. If the) s
+5 492 M
+( other party's guess was wrong, and this field was TRUE, the) s
+5 481 M
+( next packet MUST be silently ignored, and both sides MUST then) s
+5 470 M
+( act as determined by the negotiated key exchange method. If) s
+5 459 M
+( the guess was right, key exchange MUST continue using the) s
+5 448 M
+( guessed packet.) s
+5 426 M
+( After the KEXINIT packet exchange, the key exchange algorithm is run.) s
+5 415 M
+( It may involve several packet exchanges, as specified by the key) s
+5 404 M
+( exchange method.) s
+5 382 M
+(6.2 Output from Key Exchange) s
+5 360 M
+( The key exchange produces two values: a shared secret K, and an) s
+5 349 M
+( exchange hash H. Encryption and authentication keys are derived from) s
+5 338 M
+( these. The exchange hash H from the first key exchange is) s
+5 327 M
+( additionally used as the session identifier, which is a unique) s
+5 316 M
+( identifier for this connection. It is used by authentication methods) s
+5 305 M
+( as a part of the data that is signed as a proof of possession of a) s
+5 294 M
+( private key. Once computed, the session identifier is not changed,) s
+5 283 M
+( even if keys are later re-exchanged.) s
+5 250 M
+( Each key exchange method specifies a hash function that is used in) s
+5 239 M
+( the key exchange. The same hash algorithm MUST be used in key) s
+5 228 M
+( derivation. Here, we'll call it HASH.) s
+5 195 M
+( Encryption keys MUST be computed as HASH of a known value and K as) s
+5 184 M
+( follows:) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 16]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (16,17) 9
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 17 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( o Initial IV client to server: HASH\(K || H || "A" || session_id\)) s
+5 679 M
+( \(Here K is encoded as mpint and "A" as byte and session_id as raw) s
+5 668 M
+( data."A" means the single character A, ASCII 65\).) s
+5 657 M
+( o Initial IV server to client: HASH\(K || H || "B" || session_id\)) s
+5 646 M
+( o Encryption key client to server: HASH\(K || H || "C" || session_id\)) s
+5 635 M
+( o Encryption key server to client: HASH\(K || H || "D" || session_id\)) s
+5 624 M
+( o Integrity key client to server: HASH\(K || H || "E" || session_id\)) s
+5 613 M
+( o Integrity key server to client: HASH\(K || H || "F" || session_id\)) s
+5 591 M
+( Key data MUST be taken from the beginning of the hash output. 128) s
+5 580 M
+( bits \(16 bytes\) MUST be used for algorithms with variable-length) s
+5 569 M
+( keys. The only variable key length algorithm defined in this document) s
+5 558 M
+( is arcfour\). For other algorithms, as many bytes as are needed are) s
+5 547 M
+( taken from the beginning of the hash value. If the key length needed) s
+5 536 M
+( is longer than the output of the HASH, the key is extended by) s
+5 525 M
+( computing HASH of the concatenation of K and H and the entire key so) s
+5 514 M
+( far, and appending the resulting bytes \(as many as HASH generates\) to) s
+5 503 M
+( the key. This process is repeated until enough key material is) s
+5 492 M
+( available; the key is taken from the beginning of this value. In) s
+5 481 M
+( other words:) s
+5 459 M
+( K1 = HASH\(K || H || X || session_id\) \(X is e.g. "A"\)) s
+5 448 M
+( K2 = HASH\(K || H || K1\)) s
+5 437 M
+( K3 = HASH\(K || H || K1 || K2\)) s
+5 426 M
+( ...) s
+5 415 M
+( key = K1 || K2 || K3 || ...) s
+5 393 M
+( This process will lose entropy if the amount of entropy in K is) s
+5 382 M
+( larger than the internal state size of HASH.) s
+5 360 M
+(6.3 Taking Keys Into Use) s
+5 338 M
+( Key exchange ends by each side sending an SSH_MSG_NEWKEYS message.) s
+5 327 M
+( This message is sent with the old keys and algorithms. All messages) s
+5 316 M
+( sent after this message MUST use the new keys and algorithms.) s
+5 283 M
+( When this message is received, the new keys and algorithms MUST be) s
+5 272 M
+( taken into use for receiving.) s
+5 239 M
+( This message is the only valid message after key exchange, in) s
+5 228 M
+( addition to SSH_MSG_DEBUG, SSH_MSG_DISCONNECT and SSH_MSG_IGNORE) s
+5 217 M
+( messages. The purpose of this message is to ensure that a party is) s
+5 206 M
+( able to respond with a disconnect message that the other party can) s
+5 195 M
+( understand if something goes wrong with the key exchange.) s
+5 184 M
+( Implementations MUST NOT accept any other messages after key exchange) s
+5 173 M
+( before receiving SSH_MSG_NEWKEYS.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 17]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 18 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( byte SSH_MSG_NEWKEYS) s
+5 657 M
+(7. Diffie-Hellman Key Exchange) s
+5 635 M
+( The Diffie-Hellman key exchange provides a shared secret that can not) s
+5 624 M
+( be determined by either party alone. The key exchange is combined) s
+5 613 M
+( with a signature with the host key to provide host authentication.) s
+5 580 M
+( In the following description \(C is the client, S is the server; p is) s
+5 569 M
+( a large safe prime, g is a generator for a subgroup of GF\(p\), and q) s
+5 558 M
+( is the order of the subgroup; V_S is S's version string; V_C is C's) s
+5 547 M
+( version string; K_S is S's public host key; I_C is C's KEXINIT) s
+5 536 M
+( message and I_S S's KEXINIT message which have been exchanged before) s
+5 525 M
+( this part begins\):) s
+5 492 M
+( 1. C generates a random number x \(1 < x < q\) and computes e = g^x) s
+5 481 M
+( mod p. C sends "e" to S.) s
+5 459 M
+( 2. S generates a random number y \(0 < y < q\) and computes f = g^y) s
+5 448 M
+( mod p. S receives "e". It computes K = e^y mod p, H = hash\(V_C) s
+5 437 M
+( || V_S || I_C || I_S || K_S || e || f || K\) \(these elements are) s
+5 426 M
+( encoded according to their types; see below\), and signature s on) s
+5 415 M
+( H with its private host key. S sends "K_S || f || s" to C. The) s
+5 404 M
+( signing operation may involve a second hashing operation.) s
+5 382 M
+( 3. C verifies that K_S really is the host key for S \(e.g. using) s
+5 371 M
+( certificates or a local database\). C is also allowed to accept) s
+5 360 M
+( the key without verification; however, doing so will render the) s
+5 349 M
+( protocol insecure against active attacks \(but may be desirable) s
+5 338 M
+( for practical reasons in the short term in many environments\). C) s
+5 327 M
+( then computes K = f^x mod p, H = hash\(V_C || V_S || I_C || I_S ||) s
+5 316 M
+( K_S || e || f || K\), and verifies the signature s on H.) s
+5 294 M
+( Either side MUST NOT send or accept e or f values that are not in the) s
+5 283 M
+( range [1, p-1]. If this condition is violated, the key exchange) s
+5 272 M
+( fails.) s
+5 239 M
+( This is implemented with the following messages. The hash algorithm) s
+5 228 M
+( for computing the exchange hash is defined by the method name, and is) s
+5 217 M
+( called HASH. The public key algorithm for signing is negotiated with) s
+5 206 M
+( the KEXINIT messages.) s
+5 184 M
+( First, the client sends the following:) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 18]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (18,19) 10
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 19 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( byte SSH_MSG_KEXDH_INIT) s
+5 679 M
+( mpint e) s
+5 646 M
+( The server responds with the following:) s
+5 624 M
+( byte SSH_MSG_KEXDH_REPLY) s
+5 613 M
+( string server public host key and certificates \(K_S\)) s
+5 602 M
+( mpint f) s
+5 591 M
+( string signature of H) s
+5 569 M
+( The hash H is computed as the HASH hash of the concatenation of the) s
+5 558 M
+( following:) s
+5 536 M
+( string V_C, the client's version string \(CR and NL excluded\)) s
+5 525 M
+( string V_S, the server's version string \(CR and NL excluded\)) s
+5 514 M
+( string I_C, the payload of the client's SSH_MSG_KEXINIT) s
+5 503 M
+( string I_S, the payload of the server's SSH_MSG_KEXINIT) s
+5 492 M
+( string K_S, the host key) s
+5 481 M
+( mpint e, exchange value sent by the client) s
+5 470 M
+( mpint f, exchange value sent by the server) s
+5 459 M
+( mpint K, the shared secret) s
+5 437 M
+( This value is called the exchange hash, and it is used to) s
+5 426 M
+( authenticate the key exchange. The exchange hash SHOULD be kept) s
+5 415 M
+( secret.) s
+5 382 M
+( The signature algorithm MUST be applied over H, not the original) s
+5 371 M
+( data. Most signature algorithms include hashing and additional) s
+5 360 M
+( padding. For example, "ssh-dss" specifies SHA-1 hashing; in that) s
+5 349 M
+( case, the data is first hashed with HASH to compute H, and H is then) s
+5 338 M
+( hashed with SHA-1 as part of the signing operation.) s
+5 316 M
+(7.1 diffie-hellman-group1-sha1) s
+5 294 M
+( The "diffie-hellman-group1-sha1" method specifies Diffie-Hellman key) s
+5 283 M
+( exchange with SHA-1 as HASH, and Oakley group 14 [RFC3526] \(2048-bit) s
+5 272 M
+( MODP Group\). It is included below in hexadecimal and decimal.) s
+5 250 M
+( The prime p is equal to 2^1024 - 2^960 - 1 + 2^64 * floor\( 2^894 Pi +) s
+5 239 M
+( 129093 \). Its hexadecimal value is:) s
+5 217 M
+( FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1) s
+5 206 M
+( 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD) s
+5 195 M
+( EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245) s
+5 184 M
+( E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED) s
+5 173 M
+( EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 19]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 20 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( FFFFFFFF FFFFFFFF.) s
+5 668 M
+( In decimal, this value is:) s
+5 646 M
+( 179769313486231590770839156793787453197860296048756011706444) s
+5 635 M
+( 423684197180216158519368947833795864925541502180565485980503) s
+5 624 M
+( 646440548199239100050792877003355816639229553136239076508735) s
+5 613 M
+( 759914822574862575007425302077447712589550957937778424442426) s
+5 602 M
+( 617334727629299387668709205606050270810842907692932019128194) s
+5 591 M
+( 467627007.) s
+5 569 M
+( The generator used with this prime is g = 2. The group order q is \(p) s
+5 558 M
+( - 1\) / 2.) s
+5 536 M
+(8. Key Re-Exchange) s
+5 514 M
+( Key re-exchange is started by sending an SSH_MSG_KEXINIT packet when) s
+5 503 M
+( not already doing a key exchange \(as described in Section Section) s
+5 492 M
+( 6.1\). When this message is received, a party MUST respond with its) s
+5 481 M
+( own SSH_MSG_KEXINIT message except when the received SSH_MSG_KEXINIT) s
+5 470 M
+( already was a reply. Either party MAY initiate the re-exchange, but) s
+5 459 M
+( roles MUST NOT be changed \(i.e., the server remains the server, and) s
+5 448 M
+( the client remains the client\).) s
+5 415 M
+( Key re-exchange is performed using whatever encryption was in effect) s
+5 404 M
+( when the exchange was started. Encryption, compression, and MAC) s
+5 393 M
+( methods are not changed before a new SSH_MSG_NEWKEYS is sent after) s
+5 382 M
+( the key exchange \(as in the initial key exchange\). Re-exchange is) s
+5 371 M
+( processed identically to the initial key exchange, except for the) s
+5 360 M
+( session identifier that will remain unchanged. It is permissible to) s
+5 349 M
+( change some or all of the algorithms during the re-exchange. Host) s
+5 338 M
+( keys can also change. All keys and initialization vectors are) s
+5 327 M
+( recomputed after the exchange. Compression and encryption contexts) s
+5 316 M
+( are reset.) s
+5 283 M
+( It is recommended that the keys are changed after each gigabyte of) s
+5 272 M
+( transmitted data or after each hour of connection time, whichever) s
+5 261 M
+( comes sooner. However, since the re-exchange is a public key) s
+5 250 M
+( operation, it requires a fair amount of processing power and should) s
+5 239 M
+( not be performed too often.) s
+5 206 M
+( More application data may be sent after the SSH_MSG_NEWKEYS packet) s
+5 195 M
+( has been sent; key exchange does not affect the protocols that lie) s
+5 184 M
+( above the SSH transport layer.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 20]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (20,21) 11
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 21 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(9. Service Request) s
+5 668 M
+( After the key exchange, the client requests a service. The service is) s
+5 657 M
+( identified by a name. The format of names and procedures for defining) s
+5 646 M
+( new names are defined in [SSH-ARCH].) s
+5 613 M
+( Currently, the following names have been reserved:) s
+5 591 M
+( ssh-userauth) s
+5 580 M
+( ssh-connection) s
+5 558 M
+( Similar local naming policy is applied to the service names, as is) s
+5 547 M
+( applied to the algorithm names; a local service should use the) s
+5 536 M
+( "servicename@domain" syntax.) s
+5 514 M
+( byte SSH_MSG_SERVICE_REQUEST) s
+5 503 M
+( string service name) s
+5 481 M
+( If the server rejects the service request, it SHOULD send an) s
+5 470 M
+( appropriate SSH_MSG_DISCONNECT message and MUST disconnect.) s
+5 437 M
+( When the service starts, it may have access to the session identifier) s
+5 426 M
+( generated during the key exchange.) s
+5 393 M
+( If the server supports the service \(and permits the client to use) s
+5 382 M
+( it\), it MUST respond with the following:) s
+5 360 M
+( byte SSH_MSG_SERVICE_ACCEPT) s
+5 349 M
+( string service name) s
+5 327 M
+( Message numbers used by services should be in the area reserved for) s
+5 316 M
+( them \(see Section 6 in [SSH-ARCH]\). The transport level will) s
+5 305 M
+( continue to process its own messages.) s
+5 272 M
+( Note that after a key exchange with implicit server authentication,) s
+5 261 M
+( the client MUST wait for response to its service request message) s
+5 250 M
+( before sending any further data.) s
+5 228 M
+(10. Additional Messages) s
+5 206 M
+( Either party may send any of the following messages at any time.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 21]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 22 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(10.1 Disconnection Message) s
+5 668 M
+( byte SSH_MSG_DISCONNECT) s
+5 657 M
+( uint32 reason code) s
+5 646 M
+( string description [RFC2279]) s
+5 635 M
+( string language tag [RFC3066]) s
+5 613 M
+( This message causes immediate termination of the connection. All) s
+5 602 M
+( implementations MUST be able to process this message; they SHOULD be) s
+5 591 M
+( able to send this message.) s
+5 569 M
+( The sender MUST NOT send or receive any data after this message, and) s
+5 558 M
+( the recipient MUST NOT accept any data after receiving this message.) s
+5 547 M
+( The description field gives a more specific explanation in a) s
+5 536 M
+( human-readable form. The error code gives the reason in a more) s
+5 525 M
+( machine-readable format \(suitable for localization\), and can have the) s
+5 514 M
+( following values:) s
+5 492 M
+( #define SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT 1) s
+5 481 M
+( #define SSH_DISCONNECT_PROTOCOL_ERROR 2) s
+5 470 M
+( #define SSH_DISCONNECT_KEY_EXCHANGE_FAILED 3) s
+5 459 M
+( #define SSH_DISCONNECT_RESERVED 4) s
+5 448 M
+( #define SSH_DISCONNECT_MAC_ERROR 5) s
+5 437 M
+( #define SSH_DISCONNECT_COMPRESSION_ERROR 6) s
+5 426 M
+( #define SSH_DISCONNECT_SERVICE_NOT_AVAILABLE 7) s
+5 415 M
+( #define SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED 8) s
+5 404 M
+( #define SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE 9) s
+5 393 M
+( #define SSH_DISCONNECT_CONNECTION_LOST 10) s
+5 382 M
+( #define SSH_DISCONNECT_BY_APPLICATION 11) s
+5 371 M
+( #define SSH_DISCONNECT_TOO_MANY_CONNECTIONS 12) s
+5 360 M
+( #define SSH_DISCONNECT_AUTH_CANCELLED_BY_USER 13) s
+5 349 M
+( #define SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE 14) s
+5 338 M
+( #define SSH_DISCONNECT_ILLEGAL_USER_NAME 15) s
+5 316 M
+( If the description string is displayed, control character filtering) s
+5 305 M
+( discussed in [SSH-ARCH] should be used to avoid attacks by sending) s
+5 294 M
+( terminal control characters.) s
+5 272 M
+(10.2 Ignored Data Message) s
+5 250 M
+( byte SSH_MSG_IGNORE) s
+5 239 M
+( string data) s
+5 217 M
+( All implementations MUST understand \(and ignore\) this message at any) s
+5 206 M
+( time \(after receiving the protocol version\). No implementation is) s
+5 195 M
+( required to send them. This message can be used as an additional) s
+5 184 M
+( protection measure against advanced traffic analysis techniques.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 22]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (22,23) 12
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 23 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(10.3 Debug Message) s
+5 668 M
+( byte SSH_MSG_DEBUG) s
+5 657 M
+( boolean always_display) s
+5 646 M
+( string message [RFC2279]) s
+5 635 M
+( string language tag [RFC3066]) s
+5 613 M
+( All implementations MUST understand this message, but they are) s
+5 602 M
+( allowed to ignore it. This message is used to pass the other side) s
+5 591 M
+( information that may help debugging. If always_display is TRUE, the) s
+5 580 M
+( message SHOULD be displayed. Otherwise, it SHOULD NOT be displayed) s
+5 569 M
+( unless debugging information has been explicitly requested by the) s
+5 558 M
+( user.) s
+5 525 M
+( The message doesn't need to contain a newline. It is, however,) s
+5 514 M
+( allowed to consist of multiple lines separated by CRLF \(Carriage) s
+5 503 M
+( Return - Line Feed\) pairs.) s
+5 470 M
+( If the message string is displayed, terminal control character) s
+5 459 M
+( filtering discussed in [SSH-ARCH] should be used to avoid attacks by) s
+5 448 M
+( sending terminal control characters.) s
+5 426 M
+(10.4 Reserved Messages) s
+5 404 M
+( An implementation MUST respond to all unrecognized messages with an) s
+5 393 M
+( SSH_MSG_UNIMPLEMENTED message in the order in which the messages were) s
+5 382 M
+( received. Such messages MUST be otherwise ignored. Later protocol) s
+5 371 M
+( versions may define other meanings for these message types.) s
+5 349 M
+( byte SSH_MSG_UNIMPLEMENTED) s
+5 338 M
+( uint32 packet sequence number of rejected message) s
+5 305 M
+(11. Summary of Message Numbers) s
+5 283 M
+( The following message numbers have been defined in this protocol:) s
+5 261 M
+( #define SSH_MSG_DISCONNECT 1) s
+5 250 M
+( #define SSH_MSG_IGNORE 2) s
+5 239 M
+( #define SSH_MSG_UNIMPLEMENTED 3) s
+5 228 M
+( #define SSH_MSG_DEBUG 4) s
+5 217 M
+( #define SSH_MSG_SERVICE_REQUEST 5) s
+5 206 M
+( #define SSH_MSG_SERVICE_ACCEPT 6) s
+5 184 M
+( #define SSH_MSG_KEXINIT 20) s
+5 173 M
+( #define SSH_MSG_NEWKEYS 21) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 23]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 24 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( /* Numbers 30-49 used for kex packets.) s
+5 679 M
+( Different kex methods may reuse message numbers in) s
+5 668 M
+( this range. */) s
+5 646 M
+( #define SSH_MSG_KEXDH_INIT 30) s
+5 635 M
+( #define SSH_MSG_KEXDH_REPLY 31) s
+5 602 M
+(12. IANA Considerations) s
+5 580 M
+( This document is part of a set, the IANA considerations for the SSH) s
+5 569 M
+( protocol as defined in [SSH-ARCH], [SSH-TRANS], [SSH-USERAUTH],) s
+5 558 M
+( [SSH-CONNECT] are detailed in [SSH-NUMBERS].) s
+5 536 M
+(13. Security Considerations) s
+5 514 M
+( This protocol provides a secure encrypted channel over an insecure) s
+5 503 M
+( network. It performs server host authentication, key exchange,) s
+5 492 M
+( encryption, and integrity protection. It also derives a unique) s
+5 481 M
+( session id that may be used by higher-level protocols.) s
+5 459 M
+( Full security considerations for this protocol are provided in) s
+5 448 M
+( Section 8 of [SSH-ARCH]) s
+5 426 M
+(14. Intellectual Property) s
+5 404 M
+( The IETF takes no position regarding the validity or scope of any) s
+5 393 M
+( intellectual property or other rights that might be claimed to) s
+5 382 M
+( pertain to the implementation or use of the technology described in) s
+5 371 M
+( this document or the extent to which any license under such rights) s
+5 360 M
+( might or might not be available; neither does it represent that it) s
+5 349 M
+( has made any effort to identify any such rights. Information on the) s
+5 338 M
+( IETF's procedures with respect to rights in standards-track and) s
+5 327 M
+( standards-related documentation can be found in BCP-11. Copies of) s
+5 316 M
+( claims of rights made available for publication and any assurances of) s
+5 305 M
+( licenses to be made available, or the result of an attempt made to) s
+5 294 M
+( obtain a general license or permission for the use of such) s
+5 283 M
+( proprietary rights by implementers or users of this specification can) s
+5 272 M
+( be obtained from the IETF Secretariat.) s
+5 250 M
+( The IETF has been notified of intellectual property rights claimed in) s
+5 239 M
+( regard to some or all of the specification contained in this) s
+5 228 M
+( document. For more information consult the online list of claimed) s
+5 217 M
+( rights.) s
+5 195 M
+(15. Additional Information) s
+5 173 M
+( The current document editor is: [email protected]. Comments on) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 24]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (24,25) 13
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 25 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( this internet draft should be sent to the IETF SECSH working group,) s
+5 679 M
+( details at: http://ietf.org/html.charters/secsh-charter.html) s
+5 657 M
+(Normative) s
+5 635 M
+( [SSH-ARCH]) s
+5 624 M
+( Ylonen, T., "SSH Protocol Architecture", I-D) s
+5 613 M
+( draft-ietf-architecture-15.txt, Oct 2003.) s
+5 591 M
+( [SSH-TRANS]) s
+5 580 M
+( Ylonen, T., "SSH Transport Layer Protocol", I-D) s
+5 569 M
+( draft-ietf-transport-17.txt, Oct 2003.) s
+5 547 M
+( [SSH-USERAUTH]) s
+5 536 M
+( Ylonen, T., "SSH Authentication Protocol", I-D) s
+5 525 M
+( draft-ietf-userauth-18.txt, Oct 2003.) s
+5 503 M
+( [SSH-CONNECT]) s
+5 492 M
+( Ylonen, T., "SSH Connection Protocol", I-D) s
+5 481 M
+( draft-ietf-connect-18.txt, Oct 2003.) s
+5 459 M
+( [SSH-NUMBERS]) s
+5 448 M
+( Lehtinen, S. and D. Moffat, "SSH Protocol Assigned) s
+5 437 M
+( Numbers", I-D draft-ietf-secsh-assignednumbers-05.txt, Oct) s
+5 426 M
+( 2003.) s
+5 404 M
+( [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate) s
+5 393 M
+( Requirement Levels", BCP 14, RFC 2119, March 1997.) s
+5 371 M
+(Informative) s
+5 349 M
+( [FIPS-186]) s
+5 338 M
+( Federal Information Processing Standards Publication,) s
+5 327 M
+( "FIPS PUB 186, Digital Signature Standard", May 1994.) s
+5 305 M
+( [FIPS-197]) s
+5 294 M
+( NIST, "FIPS PUB 197 Advanced Encryption Standard \(AES\)",) s
+5 283 M
+( November 2001.) s
+5 261 M
+( [FIPS-46-3]) s
+5 250 M
+( U.S. Dept. of Commerce, "FIPS PUB 46-3, Data Encryption) s
+5 239 M
+( Standard \(DES\)", October 1999.) s
+5 217 M
+( [RFC2459] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet) s
+5 206 M
+( X.509 Public Key Infrastructure Certificate and CRL) s
+5 195 M
+( Profile", RFC 2459, January 1999.) s
+5 173 M
+( [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 25]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 26 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( STD 13, RFC 1034, November 1987.) s
+5 668 M
+( [RFC3066] Alvestrand, H., "Tags for the Identification of) s
+5 657 M
+( Languages", BCP 47, RFC 3066, January 2001.) s
+5 635 M
+( [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format) s
+5 624 M
+( Specification version 3.3", RFC 1950, May 1996.) s
+5 602 M
+( [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification) s
+5 591 M
+( version 1.3", RFC 1951, May 1996.) s
+5 569 M
+( [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO) s
+5 558 M
+( 10646", RFC 2279, January 1998.) s
+5 536 M
+( [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:) s
+5 525 M
+( Keyed-Hashing for Message Authentication", RFC 2104,) s
+5 514 M
+( February 1997.) s
+5 492 M
+( [RFC2144] Adams, C., "The CAST-128 Encryption Algorithm", RFC 2144,) s
+5 481 M
+( May 1997.) s
+5 459 M
+( [RFC2440] Callas, J., Donnerhacke, L., Finney, H. and R. Thayer,) s
+5 448 M
+( "OpenPGP Message Format", RFC 2440, November 1998.) s
+5 426 M
+( [RFC2693] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas,) s
+5 415 M
+( B. and T. Ylonen, "SPKI Certificate Theory", RFC 2693,) s
+5 404 M
+( September 1999.) s
+5 382 M
+( [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential \(MODP\)) s
+5 371 M
+( Diffie-Hellman groups for Internet Key Exchange \(IKE\)",) s
+5 360 M
+( RFC 3526, May 2003.) s
+5 338 M
+( [SCHNEIER]) s
+5 327 M
+( Schneier, B., "Applied Cryptography Second Edition:) s
+5 316 M
+( protocols algorithms and source in code in C", 1996.) s
+5 294 M
+( [TWOFISH] Schneier, B., "The Twofish Encryptions Algorithm: A) s
+5 283 M
+( 128-Bit Block Cipher, 1st Edition", March 1999.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 26]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (26,27) 14
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 27 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(Authors' Addresses) s
+5 668 M
+( Tatu Ylonen) s
+5 657 M
+( SSH Communications Security Corp) s
+5 646 M
+( Fredrikinkatu 42) s
+5 635 M
+( HELSINKI FIN-00100) s
+5 624 M
+( Finland) s
+5 602 M
+( EMail: [email protected]) s
+5 569 M
+( Darren J. Moffat \(editor\)) s
+5 558 M
+( Sun Microsystems, Inc) s
+5 547 M
+( 17 Network Circle) s
+5 536 M
+( Menlo Park 95025) s
+5 525 M
+( USA) s
+5 503 M
+( EMail: [email protected]) s
+5 481 M
+(Appendix A. Contibutors) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 27]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 28 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+(Intellectual Property Statement) s
+5 668 M
+( The IETF takes no position regarding the validity or scope of any) s
+5 657 M
+( intellectual property or other rights that might be claimed to) s
+5 646 M
+( pertain to the implementation or use of the technology described in) s
+5 635 M
+( this document or the extent to which any license under such rights) s
+5 624 M
+( might or might not be available; neither does it represent that it) s
+5 613 M
+( has made any effort to identify any such rights. Information on the) s
+5 602 M
+( IETF's procedures with respect to rights in standards-track and) s
+5 591 M
+( standards-related documentation can be found in BCP-11. Copies of) s
+5 580 M
+( claims of rights made available for publication and any assurances of) s
+5 569 M
+( licenses to be made available, or the result of an attempt made to) s
+5 558 M
+( obtain a general license or permission for the use of such) s
+5 547 M
+( proprietary rights by implementors or users of this specification can) s
+5 536 M
+( be obtained from the IETF Secretariat.) s
+5 514 M
+( The IETF invites any interested party to bring to its attention any) s
+5 503 M
+( copyrights, patents or patent applications, or other proprietary) s
+5 492 M
+( rights which may cover technology that may be required to practice) s
+5 481 M
+( this standard. Please address the information to the IETF Executive) s
+5 470 M
+( Director.) s
+5 448 M
+( The IETF has been notified of intellectual property rights claimed in) s
+5 437 M
+( regard to some or all of the specification contained in this) s
+5 426 M
+( document. For more information consult the online list of claimed) s
+5 415 M
+( rights.) s
+5 382 M
+(Full Copyright Statement) s
+5 360 M
+( Copyright \(C\) The Internet Society \(2003\). All Rights Reserved.) s
+5 338 M
+( This document and translations of it may be copied and furnished to) s
+5 327 M
+( others, and derivative works that comment on or otherwise explain it) s
+5 316 M
+( or assist in its implementation may be prepared, copied, published) s
+5 305 M
+( and distributed, in whole or in part, without restriction of any) s
+5 294 M
+( kind, provided that the above copyright notice and this paragraph are) s
+5 283 M
+( included on all such copies and derivative works. However, this) s
+5 272 M
+( document itself may not be modified in any way, such as by removing) s
+5 261 M
+( the copyright notice or references to the Internet Society or other) s
+5 250 M
+( Internet organizations, except as needed for the purpose of) s
+5 239 M
+( developing Internet standards in which case the procedures for) s
+5 228 M
+( copyrights defined in the Internet Standards process must be) s
+5 217 M
+( followed, or as required to translate it into languages other than) s
+5 206 M
+( English.) s
+5 184 M
+( The limited permissions granted above are perpetual and will not be) s
+5 173 M
+( revoked by the Internet Society or its successors or assignees.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 28]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (28,29) 15
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 29 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Transport Layer Protocol Oct 2003) s
+5 690 M
+( This document and the information contained herein is provided on an) s
+5 679 M
+( "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING) s
+5 668 M
+( TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING) s
+5 657 M
+( BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION) s
+5 646 M
+( HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF) s
+5 635 M
+( MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.) s
+5 602 M
+(Acknowledgment) s
+5 580 M
+( Funding for the RFC Editor function is currently provided by the) s
+5 569 M
+( Internet Society.) s
+5 129 M
+(Ylonen & Moffat, Editor Expires March 31, 2004 [Page 29]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+showpage
+PStoPSsaved restore
+%%Trailer
+%%Pages: 29
+%%DocumentNeededResources: font Courier-Bold Courier
+%%EOF