path: root/lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps

%!PS-Adobe-3.0
%%BoundingBox: 75 0 595 747
%%Title: Enscript Output
%%For: Magnus Thoang
%%Creator: GNU enscript 1.6.1
%%CreationDate: Fri Oct 31 13:31:26 2003
%%Orientation: Portrait
%%Pages: 15 0
%%DocumentMedia: A4 595 842 0 () ()
%%DocumentNeededResources: (atend)
%%EndComments
%%BeginProlog
%%BeginProcSet: PStoPS 1 15
userdict begin
[/showpage/erasepage/copypage]{dup where{pop dup load
 type/operatortype eq{1 array cvx dup 0 3 index cvx put
 bind def}{pop}ifelse}{pop}ifelse}forall
[/letter/legal/executivepage/a4/a4small/b5/com10envelope
 /monarchenvelope/c5envelope/dlenvelope/lettersmall/note
 /folio/quarto/a5]{dup where{dup wcheck{exch{}put}
 {pop{}def}ifelse}{pop}ifelse}forall
/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put}
 {pop def}ifelse}{def}ifelse
/PStoPSmatrix matrix currentmatrix def
/PStoPSxform matrix def/PStoPSclip{clippath}def
/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def
/initmatrix{matrix defaultmatrix setmatrix}bind def
/initclip[{matrix currentmatrix PStoPSmatrix setmatrix
 [{currentpoint}stopped{$error/newerror false put{newpath}}
 {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse]
 {[/newpath cvx{/moveto cvx}{/lineto cvx}
 {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop}
 stopped{$error/errorname get/invalidaccess eq{cleartomark
 $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop
 /initclip dup load dup type dup/operatortype eq{pop exch pop}
 {dup/arraytype eq exch/packedarraytype eq or
  {dup xcheck{exch pop aload pop}{pop cvx}ifelse}
  {pop cvx}ifelse}ifelse
 {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def
/initgraphics{initmatrix newpath initclip 1 setlinewidth
 0 setlinecap 0 setlinejoin []0 setdash 0 setgray
 10 setmiterlimit}bind def
end
%%EndProcSet
%%BeginResource: procset Enscript-Prolog 1.6 1
%
% Procedures.
%

/_S {	% save current state
  /_s save def
} def
/_R {	% restore from saved state
  _s restore
} def

/S {	% showpage protecting gstate
  gsave
  showpage
  grestore
} bind def

/MF {	% fontname newfontname -> -	make a new encoded font
  /newfontname exch def
  /fontname exch def

  /fontdict fontname findfont def
  /newfont fontdict maxlength dict def

  fontdict {
    exch
    dup /FID eq {
      % skip FID pair
      pop pop
    } {
      % copy to the new font dictionary
      exch newfont 3 1 roll put
    } ifelse
  } forall

  newfont /FontName newfontname put

  % insert only valid encoding vectors
  encoding_vector length 256 eq {
    newfont /Encoding encoding_vector put
  } if

  newfontname newfont definefont pop
} def

/SF { % fontname width height -> -	set a new font
  /height exch def
  /width exch def

  findfont
  [width 0 0 height 0 0] makefont setfont
} def

/SUF { % fontname width height -> -	set a new user font
  /height exch def
  /width exch def

  /F-gs-user-font MF
  /F-gs-user-font width height SF
} def

/M {moveto} bind def
/s {show} bind def

/Box {	% x y w h -> -			define box path
  /d_h exch def /d_w exch def /d_y exch def /d_x exch def
  d_x d_y  moveto
  d_w 0 rlineto
  0 d_h rlineto
  d_w neg 0 rlineto
  closepath
} def

/bgs {	% x y height blskip gray str -> -	show string with bg color
  /str exch def
  /gray exch def
  /blskip exch def
  /height exch def
  /y exch def
  /x exch def

  gsave
    x y blskip sub str stringwidth pop height Box
    gray setgray
    fill
  grestore
  x y M str s
} def

% Highlight bars.
/highlight_bars {	% nlines lineheight output_y_margin gray -> -
  gsave
    setgray
    /ymarg exch def
    /lineheight exch def
    /nlines exch def

    % This 2 is just a magic number to sync highlight lines to text.
    0 d_header_y ymarg sub 2 sub translate

    /cw d_output_w cols div def
    /nrows d_output_h ymarg 2 mul sub lineheight div cvi def

    % for each column
    0 1 cols 1 sub {
      cw mul /xp exch def

      % for each rows
      0 1 nrows 1 sub {
        /rn exch def
        rn lineheight mul neg /yp exch def
        rn nlines idiv 2 mod 0 eq {
	  % Draw highlight bar.  4 is just a magic indentation.
	  xp 4 add yp cw 8 sub lineheight neg Box fill
	} if
      } for
    } for

  grestore
} def

% Line highlight bar.
/line_highlight {	% x y width height gray -> -
  gsave
    /gray exch def
    Box gray setgray fill
  grestore
} def

% Column separator lines.
/column_lines {
  gsave
    .1 setlinewidth
    0 d_footer_h translate
    /cw d_output_w cols div def
    1 1 cols 1 sub {
      cw mul 0 moveto
      0 d_output_h rlineto stroke
    } for
  grestore
} def

% Column borders.
/column_borders {
  gsave
    .1 setlinewidth
    0 d_footer_h moveto
    0 d_output_h rlineto
    d_output_w 0 rlineto
    0 d_output_h neg rlineto
    closepath stroke
  grestore
} def

% Do the actual underlay drawing
/draw_underlay {
  ul_style 0 eq {
    ul_str true charpath stroke
  } {
    ul_str show
  } ifelse
} def

% Underlay
/underlay {	% - -> -
  gsave
    0 d_page_h translate
    d_page_h neg d_page_w atan rotate

    ul_gray setgray
    ul_font setfont
    /dw d_page_h dup mul d_page_w dup mul add sqrt def
    ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto
    draw_underlay
  grestore
} def

/user_underlay {	% - -> -
  gsave
    ul_x ul_y translate
    ul_angle rotate
    ul_gray setgray
    ul_font setfont
    0 0 ul_h_ptsize 2 div sub moveto
    draw_underlay
  grestore
} def

% Page prefeed
/page_prefeed {		% bool -> -
  statusdict /prefeed known {
    statusdict exch /prefeed exch put
  } {
    pop
  } ifelse
} def

% Wrapped line markers
/wrapped_line_mark {	% x y charwith charheight type -> -
  /type exch def
  /h exch def
  /w exch def
  /y exch def
  /x exch def

  type 2 eq {
    % Black boxes (like TeX does)
    gsave
      0 setlinewidth
      x w 4 div add y M
      0 h rlineto w 2 div 0 rlineto 0 h neg rlineto
      closepath fill
    grestore
  } {
    type 3 eq {
      % Small arrows
      gsave
        .2 setlinewidth
        x w 2 div add y h 2 div add M
        w 4 div 0 rlineto
        x w 4 div add y lineto stroke

        x w 4 div add w 8 div add y h 4 div add M
        x w 4 div add y lineto
	w 4 div h 8 div rlineto stroke
      grestore
    } {
      % do nothing
    } ifelse
  } ifelse
} def

% EPSF import.

/BeginEPSF {
  /b4_Inc_state save def    		% Save state for cleanup
  /dict_count countdictstack def	% Count objects on dict stack
  /op_count count 1 sub def		% Count objects on operand stack
  userdict begin
  /showpage { } def
  0 setgray 0 setlinecap
  1 setlinewidth 0 setlinejoin
  10 setmiterlimit [ ] 0 setdash newpath
  /languagelevel where {
    pop languagelevel
    1 ne {
      false setstrokeadjust false setoverprint
    } if
  } if
} bind def

/EndEPSF {
  count op_count sub { pos } repeat	% Clean up stacks
  countdictstack dict_count sub { end } repeat
  b4_Inc_state restore
} bind def

% Check PostScript language level.
/languagelevel where {
  pop /gs_languagelevel languagelevel def
} {
  /gs_languagelevel 1 def
} ifelse
%%EndResource
%%BeginResource: procset Enscript-Encoding-88591 1.6 1
/encoding_vector [
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/space        	/exclam       	/quotedbl     	/numbersign   	
/dollar       	/percent      	/ampersand    	/quoteright   	
/parenleft    	/parenright   	/asterisk     	/plus         	
/comma        	/hyphen       	/period       	/slash        	
/zero         	/one          	/two          	/three        	
/four         	/five         	/six          	/seven        	
/eight        	/nine         	/colon        	/semicolon    	
/less         	/equal        	/greater      	/question     	
/at           	/A            	/B            	/C            	
/D            	/E            	/F            	/G            	
/H            	/I            	/J            	/K            	
/L            	/M            	/N            	/O            	
/P            	/Q            	/R            	/S            	
/T            	/U            	/V            	/W            	
/X            	/Y            	/Z            	/bracketleft  	
/backslash    	/bracketright 	/asciicircum  	/underscore   	
/quoteleft    	/a            	/b            	/c            	
/d            	/e            	/f            	/g            	
/h            	/i            	/j            	/k            	
/l            	/m            	/n            	/o            	
/p            	/q            	/r            	/s            	
/t            	/u            	/v            	/w            	
/x            	/y            	/z            	/braceleft    	
/bar          	/braceright   	/tilde        	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/.notdef      	/.notdef      	/.notdef      	/.notdef      	
/space        	/exclamdown   	/cent         	/sterling     	
/currency     	/yen          	/brokenbar    	/section      	
/dieresis     	/copyright    	/ordfeminine  	/guillemotleft	
/logicalnot   	/hyphen       	/registered   	/macron       	
/degree       	/plusminus    	/twosuperior  	/threesuperior	
/acute        	/mu           	/paragraph    	/bullet       	
/cedilla      	/onesuperior  	/ordmasculine 	/guillemotright	
/onequarter   	/onehalf      	/threequarters	/questiondown 	
/Agrave       	/Aacute       	/Acircumflex  	/Atilde       	
/Adieresis    	/Aring        	/AE           	/Ccedilla     	
/Egrave       	/Eacute       	/Ecircumflex  	/Edieresis    	
/Igrave       	/Iacute       	/Icircumflex  	/Idieresis    	
/Eth          	/Ntilde       	/Ograve       	/Oacute       	
/Ocircumflex  	/Otilde       	/Odieresis    	/multiply     	
/Oslash       	/Ugrave       	/Uacute       	/Ucircumflex  	
/Udieresis    	/Yacute       	/Thorn        	/germandbls   	
/agrave       	/aacute       	/acircumflex  	/atilde       	
/adieresis    	/aring        	/ae           	/ccedilla     	
/egrave       	/eacute       	/ecircumflex  	/edieresis    	
/igrave       	/iacute       	/icircumflex  	/idieresis    	
/eth          	/ntilde       	/ograve       	/oacute       	
/ocircumflex  	/otilde       	/odieresis    	/divide       	
/oslash       	/ugrave       	/uacute       	/ucircumflex  	
/udieresis    	/yacute       	/thorn        	/ydieresis    	
] def
%%EndResource
%%EndProlog
%%BeginSetup
%%IncludeResource: font Courier-Bold
%%IncludeResource: font Courier
/HFpt_w 10 def
/HFpt_h 10 def
/Courier-Bold /HF-gs-font MF
/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
/Courier /F-gs-font MF
/F-gs-font 10 10 SF
/#copies 1 def
/d_page_w 520 def
/d_page_h 747 def
/d_header_x 0 def
/d_header_y 747 def
/d_header_w 520 def
/d_header_h 0 def
/d_footer_x 0 def
/d_footer_y 0 def
/d_footer_w 520 def
/d_footer_h 0 def
/d_output_w 520 def
/d_output_h 747 def
/cols 1 def
userdict/PStoPSxform PStoPSmatrix matrix currentmatrix
 matrix invertmatrix matrix concatmatrix
 matrix invertmatrix put
%%EndSetup
%%Page: (0,1) 1
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 1 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 701 M
(Network Working Group                                          T. Ylonen) s
5 690 M
(Internet-Draft                          SSH Communications Security Corp) s
5 679 M
(Expires: March 31, 2004                                   D. Moffat, Ed.) s
5 668 M
(                                                   Sun Microsystems, Inc) s
5 657 M
(                                                                Oct 2003) s
5 624 M
(                       SSH Protocol Architecture) s
5 613 M
(                  draft-ietf-secsh-architecture-15.txt) s
5 591 M
(Status of this Memo) s
5 569 M
(   This document is an Internet-Draft and is in full conformance with) s
5 558 M
(   all provisions of Section 10 of RFC2026.) s
5 536 M
(   Internet-Drafts are working documents of the Internet Engineering) s
5 525 M
(   Task Force \(IETF\), its areas, and its working groups. Note that other) s
5 514 M
(   groups may also distribute working documents as Internet-Drafts.) s
5 492 M
(   Internet-Drafts are draft documents valid for a maximum of six months) s
5 481 M
(   and may be updated, replaced, or obsoleted by other documents at any) s
5 470 M
(   time. It is inappropriate to use Internet-Drafts as reference) s
5 459 M
(   material or to cite them other than as "work in progress.") s
5 437 M
(   The list of current Internet-Drafts can be accessed at http://) s
5 426 M
(   www.ietf.org/ietf/1id-abstracts.txt.) s
5 404 M
(   The list of Internet-Draft Shadow Directories can be accessed at) s
5 393 M
(   http://www.ietf.org/shadow.html.) s
5 371 M
(   This Internet-Draft will expire on March 31, 2004.) s
5 349 M
(Copyright Notice) s
5 327 M
(   Copyright \(C\) The Internet Society \(2003\). All Rights Reserved.) s
5 305 M
(Abstract) s
5 283 M
(   SSH is a protocol for secure remote login and other secure network) s
5 272 M
(   services over an insecure network. This document describes the) s
5 261 M
(   architecture of the SSH protocol, as well as the notation and) s
5 250 M
(   terminology used in SSH protocol documents. It also discusses the SSH) s
5 239 M
(   algorithm naming system that allows local extensions. The SSH) s
5 228 M
(   protocol consists of three major components: The Transport Layer) s
5 217 M
(   Protocol provides server authentication, confidentiality, and) s
5 206 M
(   integrity with perfect forward secrecy. The User Authentication) s
5 195 M
(   Protocol authenticates the client to the server. The Connection) s
5 184 M
(   Protocol multiplexes the encrypted tunnel into several logical) s
5 173 M
(   channels. Details of these protocols are described in separate) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 1]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 2 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   documents.) s
5 668 M
(Table of Contents) s
5 646 M
(   1.    Contributors . . . . . . . . . . . . . . . . . . . . . . . .  3) s
5 635 M
(   2.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3) s
5 624 M
(   3.    Specification of Requirements  . . . . . . . . . . . . . . .  3) s
5 613 M
(   4.    Architecture . . . . . . . . . . . . . . . . . . . . . . . .  3) s
5 602 M
(   4.1   Host Keys  . . . . . . . . . . . . . . . . . . . . . . . . .  4) s
5 591 M
(   4.2   Extensibility  . . . . . . . . . . . . . . . . . . . . . . .  5) s
5 580 M
(   4.3   Policy Issues  . . . . . . . . . . . . . . . . . . . . . . .  5) s
5 569 M
(   4.4   Security Properties  . . . . . . . . . . . . . . . . . . . .  6) s
5 558 M
(   4.5   Packet Size and Overhead . . . . . . . . . . . . . . . . . .  6) s
5 547 M
(   4.6   Localization and Character Set Support . . . . . . . . . . .  7) s
5 536 M
(   5.    Data Type Representations Used in the SSH Protocols  . . . .  8) s
5 525 M
(   6.    Algorithm Naming . . . . . . . . . . . . . . . . . . . . . . 10) s
5 514 M
(   7.    Message Numbers  . . . . . . . . . . . . . . . . . . . . . . 11) s
5 503 M
(   8.    IANA Considerations  . . . . . . . . . . . . . . . . . . . . 11) s
5 492 M
(   9.    Security Considerations  . . . . . . . . . . . . . . . . . . 12) s
5 481 M
(   9.1   Pseudo-Random Number Generation  . . . . . . . . . . . . . . 12) s
5 470 M
(   9.2   Transport  . . . . . . . . . . . . . . . . . . . . . . . . . 13) s
5 459 M
(   9.2.1 Confidentiality  . . . . . . . . . . . . . . . . . . . . . . 13) s
5 448 M
(   9.2.2 Data Integrity . . . . . . . . . . . . . . . . . . . . . . . 16) s
5 437 M
(   9.2.3 Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . 16) s
5 426 M
(   9.2.4 Man-in-the-middle  . . . . . . . . . . . . . . . . . . . . . 17) s
5 415 M
(   9.2.5 Denial-of-service  . . . . . . . . . . . . . . . . . . . . . 19) s
5 404 M
(   9.2.6 Covert Channels  . . . . . . . . . . . . . . . . . . . . . . 19) s
5 393 M
(   9.2.7 Forward Secrecy  . . . . . . . . . . . . . . . . . . . . . . 20) s
5 382 M
(   9.3   Authentication Protocol  . . . . . . . . . . . . . . . . . . 20) s
5 371 M
(   9.3.1 Weak Transport . . . . . . . . . . . . . . . . . . . . . . . 21) s
5 360 M
(   9.3.2 Debug messages . . . . . . . . . . . . . . . . . . . . . . . 21) s
5 349 M
(   9.3.3 Local security policy  . . . . . . . . . . . . . . . . . . . 21) s
5 338 M
(   9.3.4 Public key authentication  . . . . . . . . . . . . . . . . . 22) s
5 327 M
(   9.3.5 Password authentication  . . . . . . . . . . . . . . . . . . 22) s
5 316 M
(   9.3.6 Host based authentication  . . . . . . . . . . . . . . . . . 23) s
5 305 M
(   9.4   Connection protocol  . . . . . . . . . . . . . . . . . . . . 23) s
5 294 M
(   9.4.1 End point security . . . . . . . . . . . . . . . . . . . . . 23) s
5 283 M
(   9.4.2 Proxy forwarding . . . . . . . . . . . . . . . . . . . . . . 23) s
5 272 M
(   9.4.3 X11 forwarding . . . . . . . . . . . . . . . . . . . . . . . 24) s
5 261 M
(         Normative References . . . . . . . . . . . . . . . . . . . . 24) s
5 250 M
(         Informative References . . . . . . . . . . . . . . . . . . . 25) s
5 239 M
(         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 27) s
5 228 M
(         Intellectual Property and Copyright Statements . . . . . . . 28) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 2]) s
_R
S
PStoPSsaved restore
%%Page: (2,3) 2
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 3 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(1. Contributors) s
5 668 M
(   The major original contributors of this document were: Tatu Ylonen,) s
5 657 M
(   Tero Kivinen, Timo J. Rinne, Sami Lehtinen \(all of SSH Communications) s
5 646 M
(   Security Corp\), and Markku-Juhani O. Saarinen \(University of) s
5 635 M
(   Jyvaskyla\)) s
5 613 M
(   The document editor is: [email protected].  Comments on this) s
5 602 M
(   internet draft should be sent to the IETF SECSH working group,) s
5 591 M
(   details at: http://ietf.org/html.charters/secsh-charter.html) s
5 569 M
(2. Introduction) s
5 547 M
(   SSH is a protocol for secure remote login and other secure network) s
5 536 M
(   services over an insecure network.  It consists of three major) s
5 525 M
(   components:) s
5 514 M
(   o  The Transport Layer Protocol [SSH-TRANS] provides server) s
5 503 M
(      authentication, confidentiality, and integrity. It may optionally) s
5 492 M
(      also provide compression. The transport layer will typically be) s
5 481 M
(      run over a TCP/IP connection, but might also be used on top of any) s
5 470 M
(      other reliable data stream.) s
5 459 M
(   o  The User Authentication Protocol [SSH-USERAUTH] authenticates the) s
5 448 M
(      client-side user to the server. It runs over the transport layer) s
5 437 M
(      protocol.) s
5 426 M
(   o  The Connection Protocol [SSH-CONNECT] multiplexes the encrypted) s
5 415 M
(      tunnel into several logical channels. It runs over the user) s
5 404 M
(      authentication protocol.) s
5 382 M
(   The client sends a service request once a secure transport layer) s
5 371 M
(   connection has been established. A second service request is sent) s
5 360 M
(   after user authentication is complete. This allows new protocols to) s
5 349 M
(   be defined and coexist with the protocols listed above.) s
5 327 M
(   The connection protocol provides channels that can be used for a wide) s
5 316 M
(   range of purposes. Standard methods are provided for setting up) s
5 305 M
(   secure interactive shell sessions and for forwarding \("tunneling"\)) s
5 294 M
(   arbitrary TCP/IP ports and X11 connections.) s
5 272 M
(3. Specification of Requirements) s
5 250 M
(   All documents related to the SSH protocols shall use the keywords) s
5 239 M
(   "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",) s
5 228 M
(   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe) s
5 217 M
(   requirements.  They are to be interpreted as described in [RFC2119].) s
5 195 M
(4. Architecture) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 3]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 4 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(4.1 Host Keys) s
5 668 M
(   Each server host SHOULD have a host key.  Hosts MAY have multiple) s
5 657 M
(   host keys using multiple different algorithms.  Multiple hosts MAY) s
5 646 M
(   share the same host key. If a host has keys at all, it MUST have at) s
5 635 M
(   least one key using each REQUIRED public key algorithm \(DSS) s
5 624 M
(   [FIPS-186]\).) s
5 602 M
(   The server host key is used during key exchange to verify that the) s
5 591 M
(   client is really talking to the correct server. For this to be) s
5 580 M
(   possible, the client must have a priori knowledge of the server's) s
5 569 M
(   public host key.) s
5 547 M
(   Two different trust models can be used:) s
5 536 M
(   o  The client has a local database that associates each host name \(as) s
5 525 M
(      typed by the user\) with the corresponding public host key.  This) s
5 514 M
(      method requires no centrally administered infrastructure, and no) s
5 503 M
(      third-party coordination.  The downside is that the database of) s
5 492 M
(      name-to-key associations may become burdensome to maintain.) s
5 481 M
(   o  The host name-to-key association is certified by some trusted) s
5 470 M
(      certification authority.  The client only knows the CA root key,) s
5 459 M
(      and can verify the validity of all host keys certified by accepted) s
5 448 M
(      CAs.) s
5 426 M
(      The second alternative eases the maintenance problem, since) s
5 415 M
(      ideally only a single CA key needs to be securely stored on the) s
5 404 M
(      client.  On the other hand, each host key must be appropriately) s
5 393 M
(      certified by a central authority before authorization is possible.) s
5 382 M
(      Also, a lot of trust is placed on the central infrastructure.) s
5 360 M
(   The protocol provides the option that the server name - host key) s
5 349 M
(   association is not checked when connecting to the host for the first) s
5 338 M
(   time. This allows communication without prior communication of host) s
5 327 M
(   keys or certification. The connection still provides protection) s
5 316 M
(   against passive listening; however, it becomes vulnerable to active) s
5 305 M
(   man-in-the-middle attacks. Implementations SHOULD NOT normally allow) s
5 294 M
(   such connections by default, as they pose a potential security) s
5 283 M
(   problem. However, as there is no widely deployed key infrastructure) s
5 272 M
(   available on the Internet yet, this option makes the protocol much) s
5 261 M
(   more usable during the transition time until such an infrastructure) s
5 250 M
(   emerges, while still providing a much higher level of security than) s
5 239 M
(   that offered by older solutions \(e.g. telnet [RFC-854] and rlogin) s
5 228 M
(   [RFC-1282]\).) s
5 206 M
(   Implementations SHOULD try to make the best effort to check host) s
5 195 M
(   keys.  An example of a possible strategy is to only accept a host key) s
5 184 M
(   without checking the first time a host is connected, save the key in) s
5 173 M
(   a local database, and compare against that key on all future) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 4]) s
_R
S
PStoPSsaved restore
%%Page: (4,5) 3
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 5 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   connections to that host.) s
5 668 M
(   Implementations MAY provide additional methods for verifying the) s
5 657 M
(   correctness of host keys, e.g. a hexadecimal fingerprint derived from) s
5 646 M
(   the SHA-1 hash of the public key. Such fingerprints can easily be) s
5 635 M
(   verified by using telephone or other external communication channels.) s
5 613 M
(   All implementations SHOULD provide an option to not accept host keys) s
5 602 M
(   that cannot be verified.) s
5 580 M
(   We believe that ease of use is critical to end-user acceptance of) s
5 569 M
(   security solutions, and no improvement in security is gained if the) s
5 558 M
(   new solutions are not used.  Thus, providing the option not to check) s
5 547 M
(   the server host key is believed to improve the overall security of) s
5 536 M
(   the Internet, even though it reduces the security of the protocol in) s
5 525 M
(   configurations where it is allowed.) s
5 503 M
(4.2 Extensibility) s
5 481 M
(   We believe that the protocol will evolve over time, and some) s
5 470 M
(   organizations will want to use their own encryption, authentication) s
5 459 M
(   and/or key exchange methods.  Central registration of all extensions) s
5 448 M
(   is cumbersome, especially for experimental or classified features.) s
5 437 M
(   On the other hand, having no central registration leads to conflicts) s
5 426 M
(   in method identifiers, making interoperability difficult.) s
5 404 M
(   We have chosen to identify algorithms, methods, formats, and) s
5 393 M
(   extension protocols with textual names that are of a specific format.) s
5 382 M
(   DNS names are used to create local namespaces where experimental or) s
5 371 M
(   classified extensions can be defined without fear of conflicts with) s
5 360 M
(   other implementations.) s
5 338 M
(   One design goal has been to keep the base protocol as simple as) s
5 327 M
(   possible, and to require as few algorithms as possible.  However, all) s
5 316 M
(   implementations MUST support a minimal set of algorithms to ensure) s
5 305 M
(   interoperability \(this does not imply that the local policy on all) s
5 294 M
(   hosts would necessary allow these algorithms\).  The mandatory) s
5 283 M
(   algorithms are specified in the relevant protocol documents.) s
5 261 M
(   Additional algorithms, methods, formats, and extension protocols can) s
5 250 M
(   be defined in separate drafts.  See Section Algorithm Naming \(Section) s
5 239 M
(   6\) for more information.) s
5 217 M
(4.3 Policy Issues) s
5 195 M
(   The protocol allows full negotiation of encryption, integrity, key) s
5 184 M
(   exchange, compression, and public key algorithms and formats.) s
5 173 M
(   Encryption, integrity, public key, and compression algorithms can be) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 5]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 6 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   different for each direction.) s
5 668 M
(   The following policy issues SHOULD be addressed in the configuration) s
5 657 M
(   mechanisms of each implementation:) s
5 646 M
(   o  Encryption, integrity, and compression algorithms, separately for) s
5 635 M
(      each direction.  The policy MUST specify which is the preferred) s
5 624 M
(      algorithm \(e.g. the first algorithm listed in each category\).) s
5 613 M
(   o  Public key algorithms and key exchange method to be used for host) s
5 602 M
(      authentication.  The existence of trusted host keys for different) s
5 591 M
(      public key algorithms also affects this choice.) s
5 580 M
(   o  The authentication methods that are to be required by the server) s
5 569 M
(      for each user.  The server's policy MAY require multiple) s
5 558 M
(      authentication for some or all users.  The required algorithms MAY) s
5 547 M
(      depend on the location where the user is trying to log in from.) s
5 536 M
(   o  The operations that the user is allowed to perform using the) s
5 525 M
(      connection protocol.  Some issues are related to security; for) s
5 514 M
(      example, the policy SHOULD NOT allow the server to start sessions) s
5 503 M
(      or run commands on the client machine, and MUST NOT allow) s
5 492 M
(      connections to the authentication agent unless forwarding such) s
5 481 M
(      connections has been requested.  Other issues, such as which TCP/) s
5 470 M
(      IP ports can be forwarded and by whom, are clearly issues of local) s
5 459 M
(      policy. Many of these issues may involve traversing or bypassing) s
5 448 M
(      firewalls, and are interrelated with the local security policy.) s
5 426 M
(4.4 Security Properties) s
5 404 M
(   The primary goal of the SSH protocol is improved security on the) s
5 393 M
(   Internet.  It attempts to do this in a way that is easy to deploy,) s
5 382 M
(   even at the cost of absolute security.) s
5 371 M
(   o  All encryption, integrity, and public key algorithms used are) s
5 360 M
(      well-known, well-established algorithms.) s
5 349 M
(   o  All algorithms are used with cryptographically sound key sizes) s
5 338 M
(      that are believed to provide protection against even the strongest) s
5 327 M
(      cryptanalytic attacks for decades.) s
5 316 M
(   o  All algorithms are negotiated, and in case some algorithm is) s
5 305 M
(      broken, it is easy to switch to some other algorithm without) s
5 294 M
(      modifying the base protocol.) s
5 272 M
(   Specific concessions were made to make wide-spread fast deployment) s
5 261 M
(   easier.  The particular case where this comes up is verifying that) s
5 250 M
(   the server host key really belongs to the desired host; the protocol) s
5 239 M
(   allows the verification to be left out \(but this is NOT RECOMMENDED\).) s
5 228 M
(   This is believed to significantly improve usability in the short) s
5 217 M
(   term, until widespread Internet public key infrastructures emerge.) s
5 195 M
(4.5 Packet Size and Overhead) s
5 173 M
(   Some readers will worry about the increase in packet size due to new) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 6]) s
_R
S
PStoPSsaved restore
%%Page: (6,7) 4
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 7 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   headers, padding, and MAC.  The minimum packet size is in the order) s
5 679 M
(   of 28 bytes \(depending on negotiated algorithms\).  The increase is) s
5 668 M
(   negligible for large packets, but very significant for one-byte) s
5 657 M
(   packets \(telnet-type sessions\).  There are, however, several factors) s
5 646 M
(   that make this a non-issue in almost all cases:) s
5 635 M
(   o  The minimum size of a TCP/IP header is 32 bytes.  Thus, the) s
5 624 M
(      increase is actually from 33 to 51 bytes \(roughly\).) s
5 613 M
(   o  The minimum size of the data field of an Ethernet packet is 46) s
5 602 M
(      bytes [RFC-894]. Thus, the increase is no more than 5 bytes. When) s
5 591 M
(      Ethernet headers are considered, the increase is less than 10) s
5 580 M
(      percent.) s
5 569 M
(   o  The total fraction of telnet-type data in the Internet is) s
5 558 M
(      negligible, even with increased packet sizes.) s
5 536 M
(   The only environment where the packet size increase is likely to have) s
5 525 M
(   a significant effect is PPP [RFC-1134] over slow modem lines \(PPP) s
5 514 M
(   compresses the TCP/IP headers, emphasizing the increase in packet) s
5 503 M
(   size\). However, with modern modems, the time needed to transfer is in) s
5 492 M
(   the order of 2 milliseconds, which is a lot faster than people can) s
5 481 M
(   type.) s
5 459 M
(   There are also issues related to the maximum packet size.  To) s
5 448 M
(   minimize delays in screen updates, one does not want excessively) s
5 437 M
(   large packets for interactive sessions.  The maximum packet size is) s
5 426 M
(   negotiated separately for each channel.) s
5 404 M
(4.6 Localization and Character Set Support) s
5 382 M
(   For the most part, the SSH protocols do not directly pass text that) s
5 371 M
(   would be displayed to the user. However, there are some places where) s
5 360 M
(   such data might be passed. When applicable, the character set for the) s
5 349 M
(   data MUST be explicitly specified. In most places, ISO 10646 with) s
5 338 M
(   UTF-8 encoding is used [RFC-2279]. When applicable, a field is also) s
5 327 M
(   provided for a language tag [RFC-3066].) s
5 305 M
(   One big issue is the character set of the interactive session.  There) s
5 294 M
(   is no clear solution, as different applications may display data in) s
5 283 M
(   different formats.  Different types of terminal emulation may also be) s
5 272 M
(   employed in the client, and the character set to be used is) s
5 261 M
(   effectively determined by the terminal emulation.  Thus, no place is) s
5 250 M
(   provided for directly specifying the character set or encoding for) s
5 239 M
(   terminal session data.  However, the terminal emulation type \(e.g.) s
5 228 M
(   "vt100"\) is transmitted to the remote site, and it implicitly) s
5 217 M
(   specifies the character set and encoding.  Applications typically use) s
5 206 M
(   the terminal type to determine what character set they use, or the) s
5 195 M
(   character set is determined using some external means.  The terminal) s
5 184 M
(   emulation may also allow configuring the default character set.  In) s
5 173 M
(   any case, the character set for the terminal session is considered) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 7]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 8 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   primarily a client local issue.) s
5 668 M
(   Internal names used to identify algorithms or protocols are normally) s
5 657 M
(   never displayed to users, and must be in US-ASCII.) s
5 635 M
(   The client and server user names are inherently constrained by what) s
5 624 M
(   the server is prepared to accept.  They might, however, occasionally) s
5 613 M
(   be displayed in logs, reports, etc.  They MUST be encoded using ISO) s
5 602 M
(   10646 UTF-8, but other encodings may be required in some cases.  It) s
5 591 M
(   is up to the server to decide how to map user names to accepted user) s
5 580 M
(   names.  Straight bit-wise binary comparison is RECOMMENDED.) s
5 558 M
(   For localization purposes, the protocol attempts to minimize the) s
5 547 M
(   number of textual messages transmitted.  When present, such messages) s
5 536 M
(   typically relate to errors, debugging information, or some externally) s
5 525 M
(   configured data.  For data that is normally displayed, it SHOULD be) s
5 514 M
(   possible to fetch a localized message instead of the transmitted) s
5 503 M
(   message by using a numerical code. The remaining messages SHOULD be) s
5 492 M
(   configurable.) s
5 470 M
(5. Data Type Representations Used in the SSH Protocols) s
5 459 M
(   byte) s
5 437 M
(      A byte represents an arbitrary 8-bit value \(octet\) [RFC-1700].) s
5 426 M
(      Fixed length data is sometimes represented as an array of bytes,) s
5 415 M
(      written byte[n], where n is the number of bytes in the array.) s
5 393 M
(   boolean) s
5 371 M
(      A boolean value is stored as a single byte.  The value 0) s
5 360 M
(      represents FALSE, and the value 1 represents TRUE. All non-zero) s
5 349 M
(      values MUST be interpreted as TRUE; however, applications MUST NOT) s
5 338 M
(      store values other than 0 and 1.) s
5 316 M
(   uint32) s
5 294 M
(      Represents a 32-bit unsigned integer.  Stored as four bytes in the) s
5 283 M
(      order of decreasing significance \(network byte order\). For) s
5 272 M
(      example, the value 699921578 \(0x29b7f4aa\) is stored as 29 b7 f4) s
5 261 M
(      aa.) s
5 239 M
(   uint64) s
5 217 M
(      Represents a 64-bit unsigned integer.  Stored as eight bytes in) s
5 206 M
(      the order of decreasing significance \(network byte order\).) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 8]) s
_R
S
PStoPSsaved restore
%%Page: (8,9) 5
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 9 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   string) s
5 668 M
(      Arbitrary length binary string.  Strings are allowed to contain) s
5 657 M
(      arbitrary binary data, including null characters and 8-bit) s
5 646 M
(      characters. They are stored as a uint32 containing its length) s
5 635 M
(      \(number of bytes that follow\) and zero \(= empty string\) or more) s
5 624 M
(      bytes that are the value of the string.  Terminating null) s
5 613 M
(      characters are not used.) s
5 591 M
(      Strings are also used to store text.  In that case, US-ASCII is) s
5 580 M
(      used for internal names, and ISO-10646 UTF-8 for text that might) s
5 569 M
(      be displayed to the user. The terminating null character SHOULD) s
5 558 M
(      NOT normally be stored in the string.) s
5 536 M
(      For example, the US-ASCII string "testing" is represented as 00 00) s
5 525 M
(      00 07 t e s t i n g. The UTF8 mapping does not alter the encoding) s
5 514 M
(      of US-ASCII characters.) s
5 492 M
(   mpint) s
5 470 M
(      Represents multiple precision integers in two's complement format,) s
5 459 M
(      stored as a string, 8 bits per byte, MSB first. Negative numbers) s
5 448 M
(      have the value 1 as the most significant bit of the first byte of) s
5 437 M
(      the data partition. If the most significant bit would be set for a) s
5 426 M
(      positive number, the number MUST be preceded by a zero byte.) s
5 415 M
(      Unnecessary leading bytes with the value 0 or 255 MUST NOT be) s
5 404 M
(      included.  The value zero MUST be stored as a string with zero) s
5 393 M
(      bytes of data.) s
5 371 M
(      By convention, a number that is used in modular computations in) s
5 360 M
(      Z_n SHOULD be represented in the range 0 <= x < n.) s
5 338 M
(       Examples:) s
5 327 M
(       value \(hex\)        representation \(hex\)) s
5 316 M
(       ---------------------------------------------------------------) s
5 305 M
(       0                  00 00 00 00) s
5 294 M
(       9a378f9b2e332a7    00 00 00 08 09 a3 78 f9 b2 e3 32 a7) s
5 283 M
(       80                 00 00 00 02 00 80) s
5 272 M
(       -1234              00 00 00 02 ed cc) s
5 261 M
(       -deadbeef          00 00 00 05 ff 21 52 41 11) s
5 217 M
(   name-list) s
5 195 M
(      A string containing a comma separated list of names. A name list) s
5 184 M
(      is represented as a uint32 containing its length \(number of bytes) s
5 173 M
(      that follow\) followed by a comma-separated list of zero or more) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                 [Page 9]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 10 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(      names. A name MUST be non-zero length, and it MUST NOT contain a) s
5 679 M
(      comma \(','\). Context may impose additional restrictions on the) s
5 668 M
(      names; for example, the names in a list may have to be valid) s
5 657 M
(      algorithm identifier \(see Algorithm Naming below\), or [RFC-3066]) s
5 646 M
(      language tags. The order of the names in a list may or may not be) s
5 635 M
(      significant, also depending on the context where the list is is) s
5 624 M
(      used. Terminating NUL characters are not used, neither for the) s
5 613 M
(      individual names, nor for the list as a whole.) s
5 591 M
(       Examples:) s
5 580 M
(       value              representation \(hex\)) s
5 569 M
(       ---------------------------------------) s
5 558 M
(       \(\), the empty list 00 00 00 00) s
5 547 M
(       \("zlib"\)           00 00 00 04 7a 6c 69 62) s
5 536 M
(       \("zlib", "none"\)   00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65) s
5 481 M
(6. Algorithm Naming) s
5 459 M
(   The SSH protocols refer to particular hash, encryption, integrity,) s
5 448 M
(   compression, and key exchange algorithms or protocols by names.) s
5 437 M
(   There are some standard algorithms that all implementations MUST) s
5 426 M
(   support. There are also algorithms that are defined in the protocol) s
5 415 M
(   specification but are OPTIONAL.  Furthermore, it is expected that) s
5 404 M
(   some organizations will want to use their own algorithms.) s
5 382 M
(   In this protocol, all algorithm identifiers MUST be printable) s
5 371 M
(   US-ASCII non-empty strings no longer than 64 characters. Names MUST) s
5 360 M
(   be case-sensitive.) s
5 338 M
(   There are two formats for algorithm names:) s
5 327 M
(   o  Names that do not contain an at-sign \(@\) are reserved to be) s
5 316 M
(      assigned by IETF consensus \(RFCs\).  Examples include `3des-cbc',) s
5 305 M
(      `sha-1', `hmac-sha1', and `zlib' \(the quotes are not part of the) s
5 294 M
(      name\).  Names of this format MUST NOT be used without first) s
5 283 M
(      registering them.  Registered names MUST NOT contain an at-sign) s
5 272 M
(      \(@\) or a comma \(,\).) s
5 261 M
(   o  Anyone can define additional algorithms by using names in the) s
5 250 M
(      format name@domainname, e.g. "[email protected]". The) s
5 239 M
(      format of the part preceding the at sign is not specified; it MUST) s
5 228 M
(      consist of US-ASCII characters except at-sign and comma. The part) s
5 217 M
(      following the at-sign MUST be a valid fully qualified internet) s
5 206 M
(      domain name [RFC-1034] controlled by the person or organization) s
5 195 M
(      defining the name. It is up to each domain how it manages its) s
5 184 M
(      local namespace.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 10]) s
_R
S
PStoPSsaved restore
%%Page: (10,11) 6
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 11 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(7. Message Numbers) s
5 668 M
(   SSH packets have message numbers in the range 1 to 255. These numbers) s
5 657 M
(   have been allocated as follows:) s
5 624 M
(     Transport layer protocol:) s
5 602 M
(       1 to 19    Transport layer generic \(e.g. disconnect, ignore, debug,) s
5 591 M
(                  etc.\)) s
5 580 M
(       20 to 29   Algorithm negotiation) s
5 569 M
(       30 to 49   Key exchange method specific \(numbers can be reused for) s
5 558 M
(                  different authentication methods\)) s
5 536 M
(     User authentication protocol:) s
5 514 M
(       50 to 59   User authentication generic) s
5 503 M
(       60 to 79   User authentication method specific \(numbers can be) s
5 492 M
(                  reused for different authentication methods\)) s
5 470 M
(     Connection protocol:) s
5 448 M
(       80 to 89   Connection protocol generic) s
5 437 M
(       90 to 127  Channel related messages) s
5 415 M
(     Reserved for client protocols:) s
5 393 M
(       128 to 191 Reserved) s
5 371 M
(     Local extensions:) s
5 349 M
(       192 to 255 Local extensions) s
5 305 M
(8. IANA Considerations) s
5 283 M
(   The initial state of the IANA registry is detailed in [SSH-NUMBERS].) s
5 261 M
(   Allocation of the following types of names in the SSH protocols is) s
5 250 M
(   assigned by IETF consensus:) s
5 239 M
(   o  SSH encryption algorithm names,) s
5 228 M
(   o  SSH MAC algorithm names,) s
5 217 M
(   o  SSH public key algorithm names \(public key algorithm also implies) s
5 206 M
(      encoding and signature/encryption capability\),) s
5 195 M
(   o  SSH key exchange method names, and) s
5 184 M
(   o  SSH protocol \(service\) names.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 11]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 12 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   These names MUST be printable US-ASCII strings, and MUST NOT contain) s
5 679 M
(   the characters at-sign \('@'\), comma \(','\), or whitespace or control) s
5 668 M
(   characters \(ASCII codes 32 or less\).  Names are case-sensitive, and) s
5 657 M
(   MUST NOT be longer than 64 characters.) s
5 635 M
(   Names with the at-sign \('@'\) in them are allocated by the owner of) s
5 624 M
(   DNS name after the at-sign \(hierarchical allocation in [RFC-2343]\),) s
5 613 M
(   otherwise the same restrictions as above.) s
5 591 M
(   Each category of names listed above has a separate namespace.) s
5 580 M
(   However, using the same name in multiple categories SHOULD be avoided) s
5 569 M
(   to minimize confusion.) s
5 547 M
(   Message numbers \(see Section Message Numbers \(Section 7\)\) in the) s
5 536 M
(   range of 0..191 are allocated via IETF consensus; message numbers in) s
5 525 M
(   the 192..255 range \(the "Local extensions" set\) are reserved for) s
5 514 M
(   private use.) s
5 492 M
(9. Security Considerations) s
5 470 M
(   In order to make the entire body of Security Considerations more) s
5 459 M
(   accessible, Security Considerations for the transport,) s
5 448 M
(   authentication, and connection documents have been gathered here.) s
5 426 M
(   The transport protocol [1] provides a confidential channel over an) s
5 415 M
(   insecure network.  It performs server host authentication, key) s
5 404 M
(   exchange, encryption, and integrity protection.  It also derives a) s
5 393 M
(   unique session id that may be used by higher-level protocols.) s
5 371 M
(   The authentication protocol [2] provides a suite of mechanisms which) s
5 360 M
(   can be used to authenticate the client user to the server.) s
5 349 M
(   Individual mechanisms specified in the in authentication protocol use) s
5 338 M
(   the session id provided by the transport protocol and/or depend on) s
5 327 M
(   the security and integrity guarantees of the transport protocol.) s
5 305 M
(   The connection protocol [3] specifies a mechanism to multiplex) s
5 294 M
(   multiple streams [channels] of data over the confidential and) s
5 283 M
(   authenticated transport. It also specifies channels for accessing an) s
5 272 M
(   interactive shell, for 'proxy-forwarding' various external protocols) s
5 261 M
(   over the secure transport \(including arbitrary TCP/IP protocols\), and) s
5 250 M
(   for accessing secure 'subsystems' on the server host.) s
5 228 M
(9.1 Pseudo-Random Number Generation) s
5 206 M
(   This protocol binds each session key to the session by including) s
5 195 M
(   random, session specific data in the hash used to produce session) s
5 184 M
(   keys.  Special care should be taken to ensure that all of the random) s
5 173 M
(   numbers are of good quality.  If the random data here \(e.g., DH) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 12]) s
_R
S
PStoPSsaved restore
%%Page: (12,13) 7
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 13 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   parameters\) are pseudo-random then the pseudo-random number generator) s
5 679 M
(   should be cryptographically secure \(i.e., its next output not easily) s
5 668 M
(   guessed even when knowing all previous outputs\) and, furthermore,) s
5 657 M
(   proper entropy needs to be added to the pseudo-random number) s
5 646 M
(   generator.  RFC 1750 [1750] offers suggestions for sources of random) s
5 635 M
(   numbers and entropy.  Implementors should note the importance of) s
5 624 M
(   entropy and the well-meant, anecdotal warning about the difficulty in) s
5 613 M
(   properly implementing pseudo-random number generating functions.) s
5 591 M
(   The amount of entropy available to a given client or server may) s
5 580 M
(   sometimes be less than what is required.  In this case one must) s
5 569 M
(   either resort to pseudo-random number generation regardless of) s
5 558 M
(   insufficient entropy or refuse to run the protocol.  The latter is) s
5 547 M
(   preferable.) s
5 525 M
(9.2 Transport) s
5 503 M
(9.2.1 Confidentiality) s
5 481 M
(   It is beyond the scope of this document and the Secure Shell Working) s
5 470 M
(   Group to analyze or recommend specific ciphers other than the ones) s
5 459 M
(   which have been established and accepted within the industry.  At the) s
5 448 M
(   time of this writing, ciphers commonly in use include 3DES, ARCFOUR,) s
5 437 M
(   twofish, serpent and blowfish.  AES has been accepted by The) s
5 426 M
(   published as a US Federal Information Processing Standards [FIPS-197]) s
5 415 M
(   and the cryptographic community as being acceptable for this purpose) s
5 404 M
(   as well has accepted AES.  As always, implementors and users should) s
5 393 M
(   check current literature to ensure that no recent vulnerabilities) s
5 382 M
(   have been found in ciphers used within products.  Implementors should) s
5 371 M
(   also check to see which ciphers are considered to be relatively) s
5 360 M
(   stronger than others and should recommend their use to users over) s
5 349 M
(   relatively weaker ciphers.  It would be considered good form for an) s
5 338 M
(   implementation to politely and unobtrusively notify a user that a) s
5 327 M
(   stronger cipher is available and should be used when a weaker one is) s
5 316 M
(   actively chosen.) s
5 294 M
(   The "none" cipher is provided for debugging and SHOULD NOT be used) s
5 283 M
(   except for that purpose.  It's cryptographic properties are) s
5 272 M
(   sufficiently described in RFC 2410, which will show that its use does) s
5 261 M
(   not meet the intent of this protocol.) s
5 239 M
(   The relative merits of these and other ciphers may also be found in) s
5 228 M
(   current literature.  Two references that may provide information on) s
5 217 M
(   the subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER].  Both of) s
5 206 M
(   these describe the CBC mode of operation of certain ciphers and the) s
5 195 M
(   weakness of this scheme.  Essentially, this mode is theoretically) s
5 184 M
(   vulnerable to chosen cipher-text attacks because of the high) s
5 173 M
(   predictability of the start of packet sequence.  However, this attack) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 13]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 14 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   is still deemed difficult and not considered fully practicable) s
5 679 M
(   especially if relatively longer block sizes are used.) s
5 657 M
(   Additionally, another CBC mode attack may be mitigated through the) s
5 646 M
(   insertion of packets containing SSH_MSG_IGNORE.  Without this) s
5 635 M
(   technique, a specific attack may be successful.  For this attack) s
5 624 M
(   \(commonly known as the Rogaway attack) s
5 613 M
(   [ROGAWAY],[DAI],[BELLARE,KOHNO,NAMPREMPRE]\) to work, the attacker) s
5 602 M
(   would need to know the IV of the next block that is going to be) s
5 591 M
(   encrypted.  In CBC mode that is the output of the encryption of the) s
5 580 M
(   previous block. If the attacker does not have any way to see the) s
5 569 M
(   packet yet \(i.e it is in the internal buffers of the ssh) s
5 558 M
(   implementation or even in the kernel\) then this attack will not work.) s
5 547 M
(   If the last packet has been sent out to the network \(i.e the attacker) s
5 536 M
(   has access to it\) then he can use the attack.) s
5 514 M
(   In the optimal case an implementor would need to add an extra packet) s
5 503 M
(   only if the packet has been sent out onto the network and there are) s
5 492 M
(   no other packets waiting for transmission. Implementors may wish to) s
5 481 M
(   check to see if there are any unsent packets awaiting transmission,) s
5 470 M
(   but unfortunately it is not normally easy to obtain this information) s
5 459 M
(   from the kernel or buffers.  If there are not, then a packet) s
5 448 M
(   containing SSH_MSG_IGNORE SHOULD be sent.  If a new packet is added) s
5 437 M
(   to the stream every time the attacker knows the IV that is supposed) s
5 426 M
(   to be used for the next packet, then the attacker will not be able to) s
5 415 M
(   guess the correct IV, thus the attack will never be successfull.) s
5 393 M
(   As an example, consider the following case:) s
5 360 M
(         Client                                                  Server) s
5 349 M
(         ------                                                  ------) s
5 338 M
(         TCP\(seq=x, len=500\)            ->) s
5 327 M
(         contains Record 1) s
5 305 M
(                             [500 ms passes, no ACK]) s
5 283 M
(        TCP\(seq=x, len=1000\)            ->) s
5 272 M
(         contains Records 1,2) s
5 250 M
(                                                                   ACK) s
5 217 M
(   1.  The Nagle algorithm + TCP retransmits mean that the two records) s
5 206 M
(       get coalesced into a single TCP segment) s
5 195 M
(   2.  Record 2 is *not* at the beginning of the TCP segment and never) s
5 184 M
(       will be, since it gets ACKed.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 14]) s
_R
S
PStoPSsaved restore
%%Page: (14,15) 8
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 15 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   3.  Yet, the attack is possible because Record 1 has already been) s
5 679 M
(       seen.) s
5 657 M
(   As this example indicates, it's totally unsafe to use the existence) s
5 646 M
(   of unflushed data in the TCP buffers proper as a guide to whether you) s
5 635 M
(   need an empty packet, since when you do the second write\(\), the) s
5 624 M
(   buffers will contain the un-ACKed Record 1.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 15]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 16 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   On the other hand, it's perfectly safe to have the following) s
5 679 M
(   situation:) s
5 646 M
(         Client                                                  Server) s
5 635 M
(         ------                                                  ------) s
5 624 M
(         TCP\(seq=x, len=500\)           ->) s
5 613 M
(            contains SSH_MSG_IGNORE) s
5 591 M
(         TCP\(seq=y, len=500\)           ->) s
5 580 M
(            contains Data) s
5 558 M
(      Provided that the IV for second SSH Record is fixed after the data for) s
5 547 M
(      the Data packet is determined -i.e. you do:) s
5 536 M
(           read from user) s
5 525 M
(           encrypt null packet) s
5 514 M
(           encrypt data packet) s
5 481 M
(9.2.2 Data Integrity) s
5 459 M
(   This protocol does allow the Data Integrity mechanism to be disabled.) s
5 448 M
(   Implementors SHOULD be wary of exposing this feature for any purpose) s
5 437 M
(   other than debugging.  Users and administrators SHOULD be explicitly) s
5 426 M
(   warned anytime the "none" MAC is enabled.) s
5 404 M
(   So long as the "none" MAC is not used, this protocol provides data) s
5 393 M
(   integrity.) s
5 371 M
(   Because MACs use a 32 bit sequence number, they might start to leak) s
5 360 M
(   information after 2**32 packets have been sent.  However, following) s
5 349 M
(   the rekeying recommendations should prevent this attack.  The) s
5 338 M
(   transport protocol [1] recommends rekeying after one gigabyte of) s
5 327 M
(   data, and the smallest possible packet is 16 bytes. Therefore,) s
5 316 M
(   rekeying SHOULD happen after 2**28 packets at the very most.) s
5 294 M
(9.2.3 Replay) s
5 272 M
(   The use of a MAC other than 'none' provides integrity and) s
5 261 M
(   authentication.  In addition, the transport protocol provides a) s
5 250 M
(   unique session identifier \(bound in part to pseudo-random data that) s
5 239 M
(   is part of the algorithm and key exchange process\) that can be used) s
5 228 M
(   by higher level protocols to bind data to a given session and prevent) s
5 217 M
(   replay of data from prior sessions. For example, the authentication) s
5 206 M
(   protocol uses this to prevent replay of signatures from previous) s
5 195 M
(   sessions.  Because public key authentication exchanges are) s
5 184 M
(   cryptographically bound to the session \(i.e., to the initial key) s
5 173 M
(   exchange\) they cannot be successfully replayed in other sessions.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 16]) s
_R
S
PStoPSsaved restore
%%Page: (16,17) 9
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 17 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   Note that the session ID can be made public without harming the) s
5 679 M
(   security of the protocol.) s
5 657 M
(   If two session happen to have the same session ID [hash of key) s
5 646 M
(   exchanges] then packets from one can be replayed against the other.) s
5 635 M
(   It must be stressed that the chances of such an occurrence are,) s
5 624 M
(   needless to say, minimal when using modern cryptographic methods.) s
5 613 M
(   This is all the more so true when specifying larger hash function) s
5 602 M
(   outputs and DH parameters.) s
5 580 M
(   Replay detection using monotonically increasing sequence numbers as) s
5 569 M
(   input to the MAC, or HMAC in some cases, is described in [RFC2085] />) s
5 558 M
(   [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC1510].  The) s
5 547 M
(   underlying construct is discussed in [RFC2104].  Essentially a) s
5 536 M
(   different sequence number in each packet ensures that at least this) s
5 525 M
(   one input to the MAC function will be unique and will provide a) s
5 514 M
(   nonrecurring MAC output that is not predictable to an attacker.  If) s
5 503 M
(   the session stays active long enough, however, this sequence number) s
5 492 M
(   will wrap.  This event may provide an attacker an opportunity to) s
5 481 M
(   replay a previously recorded packet with an identical sequence number) s
5 470 M
(   but only if the peers have not rekeyed since the transmission of the) s
5 459 M
(   first packet with that sequence number.  If the peers have rekeyed,) s
5 448 M
(   then the replay will be detected as the MAC check will fail.  For) s
5 437 M
(   this reason, it must be emphasized that peers MUST rekey before a) s
5 426 M
(   wrap of the sequence numbers.  Naturally, if an attacker does attempt) s
5 415 M
(   to replay a captured packet before the peers have rekeyed, then the) s
5 404 M
(   receiver of the duplicate packet will not be able to validate the MAC) s
5 393 M
(   and it will be discarded.  The reason that the MAC will fail is) s
5 382 M
(   because the receiver will formulate a MAC based upon the packet) s
5 371 M
(   contents, the shared secret, and the expected sequence number.  Since) s
5 360 M
(   the replayed packet will not be using that expected sequence number) s
5 349 M
(   \(the sequence number of the replayed packet will have already been) s
5 338 M
(   passed by the receiver\) then the calculated MAC will not match the) s
5 327 M
(   MAC received with the packet.) s
5 305 M
(9.2.4 Man-in-the-middle) s
5 283 M
(   This protocol makes no assumptions nor provisions for an) s
5 272 M
(   infrastructure or means for distributing the public keys of hosts. It) s
5 261 M
(   is expected that this protocol will sometimes be used without first) s
5 250 M
(   verifying the association between the server host key and the server) s
5 239 M
(   host name.  Such usage is vulnerable to man-in-the-middle attacks.) s
5 228 M
(   This section describes this and encourages administrators and users) s
5 217 M
(   to understand the importance of verifying this association before any) s
5 206 M
(   session is initiated.) s
5 184 M
(   There are three cases of man-in-the-middle attacks to consider.  The) s
5 173 M
(   first is where an attacker places a device between the client and the) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 17]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 18 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   server before the session is initiated.  In this case, the attack) s
5 679 M
(   device is trying to mimic the legitimate server and will offer its) s
5 668 M
(   public key to the client when the client initiates a session.  If it) s
5 657 M
(   were to offer the public key of the server, then it would not be able) s
5 646 M
(   to decrypt or sign the transmissions between the legitimate server) s
5 635 M
(   and the client unless it also had access to the private-key of the) s
5 624 M
(   host.  The attack device will also, simultaneously to this, initiate) s
5 613 M
(   a session to the legitimate server masquerading itself as the client.) s
5 602 M
(   If the public key of the server had been securely distributed to the) s
5 591 M
(   client prior to that session initiation, the key offered to the) s
5 580 M
(   client by the attack device will not match the key stored on the) s
5 569 M
(   client.  In that case, the user SHOULD be given a warning that the) s
5 558 M
(   offered host key does not match the host key cached on the client.) s
5 547 M
(   As described in Section 3.1 of [ARCH], the user may be free to accept) s
5 536 M
(   the new key and continue the session.  It is RECOMMENDED that the) s
5 525 M
(   warning provide sufficient information to the user of the client) s
5 514 M
(   device so they may make an informed decision.  If the user chooses to) s
5 503 M
(   continue the session with the stored public-key of the server \(not) s
5 492 M
(   the public-key offered at the start of the session\), then the session) s
5 481 M
(   specific data between the attacker and server will be different) s
5 470 M
(   between the client-to-attacker session and the attacker-to-server) s
5 459 M
(   sessions due to the randomness discussed above.  From this, the) s
5 448 M
(   attacker will not be able to make this attack work since the attacker) s
5 437 M
(   will not be able to correctly sign packets containing this session) s
5 426 M
(   specific data from the server since he does not have the private key) s
5 415 M
(   of that server.) s
5 393 M
(   The second case that should be considered is similar to the first) s
5 382 M
(   case in that it also happens at the time of connection but this case) s
5 371 M
(   points out the need for the secure distribution of server public) s
5 360 M
(   keys.  If the server public keys are not securely distributed then) s
5 349 M
(   the client cannot know if it is talking to the intended server.  An) s
5 338 M
(   attacker may use social engineering techniques to pass off server) s
5 327 M
(   keys to unsuspecting users and may then place a man-in-the-middle) s
5 316 M
(   attack device between the legitimate server and the clients.  If this) s
5 305 M
(   is allowed to happen then the clients will form client-to-attacker) s
5 294 M
(   sessions and the attacker will form attacker-to-server sessions and) s
5 283 M
(   will be able to monitor and manipulate all of the traffic between the) s
5 272 M
(   clients and the legitimate servers.  Server administrators are) s
5 261 M
(   encouraged to make host key fingerprints available for checking by) s
5 250 M
(   some means whose security does not rely on the integrity of the) s
5 239 M
(   actual host keys.  Possible mechanisms are discussed in Section 3.1) s
5 228 M
(   of [SSH-ARCH] and may also include secured Web pages, physical pieces) s
5 217 M
(   of paper, etc. Implementors SHOULD provide recommendations on how) s
5 206 M
(   best to do this with their implementation.  Because the protocol is) s
5 195 M
(   extensible, future extensions to the protocol may provide better) s
5 184 M
(   mechanisms for dealing with the need to know the server's host key) s
5 173 M
(   before connecting.  For example, making the host key fingerprint) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 18]) s
_R
S
PStoPSsaved restore
%%Page: (18,19) 10
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 19 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   available through a secure DNS lookup, or using kerberos over gssapi) s
5 679 M
(   during key exchange to authenticate the server are possibilities.) s
5 657 M
(   In the third man-in-the-middle case, attackers may attempt to) s
5 646 M
(   manipulate packets in transit between peers after the session has) s
5 635 M
(   been established.  As described in the Replay part of this section, a) s
5 624 M
(   successful attack of this nature is very improbable.  As in the) s
5 613 M
(   Replay section, this reasoning does assume that the MAC is secure and) s
5 602 M
(   that it is infeasible to construct inputs to a MAC algorithm to give) s
5 591 M
(   a known output.  This is discussed in much greater detail in Section) s
5 580 M
(   6 of RFC 2104.  If the MAC algorithm has a vulnerability or is weak) s
5 569 M
(   enough, then the attacker may be able to specify certain inputs to) s
5 558 M
(   yield a known MAC.  With that they may be able to alter the contents) s
5 547 M
(   of a packet in transit.  Alternatively the attacker may be able to) s
5 536 M
(   exploit the algorithm vulnerability or weakness to find the shared) s
5 525 M
(   secret by reviewing the MACs from captured packets.  In either of) s
5 514 M
(   those cases, an attacker could construct a packet or packets that) s
5 503 M
(   could be inserted into an SSH stream.  To prevent that, implementors) s
5 492 M
(   are encouraged to utilize commonly accepted MAC algorithms and) s
5 481 M
(   administrators are encouraged to watch current literature and) s
5 470 M
(   discussions of cryptography to ensure that they are not using a MAC) s
5 459 M
(   algorithm that has a recently found vulnerability or weakness.) s
5 437 M
(   In summary, the use of this protocol without a reliable association) s
5 426 M
(   of the binding between a host and its host keys is inherently) s
5 415 M
(   insecure and is NOT RECOMMENDED.  It may however be necessary in) s
5 404 M
(   non-security critical environments, and will still provide protection) s
5 393 M
(   against passive attacks.  Implementors of protocols and applications) s
5 382 M
(   running on top of this protocol should keep this possibility in mind.) s
5 360 M
(9.2.5 Denial-of-service) s
5 338 M
(   This protocol is designed to be used over a reliable transport.  If) s
5 327 M
(   transmission errors or message manipulation occur, the connection is) s
5 316 M
(   closed.  The connection SHOULD be re-established if this occurs.) s
5 305 M
(   Denial of service attacks of this type \("wire cutter"\) are almost) s
5 294 M
(   impossible to avoid.) s
5 272 M
(   In addition, this protocol is vulnerable to Denial of Service attacks) s
5 261 M
(   because an attacker can force the server to go through the CPU and) s
5 250 M
(   memory intensive tasks of connection setup and key exchange without) s
5 239 M
(   authenticating.  Implementors SHOULD provide features that make this) s
5 228 M
(   more difficult.  For example, only allowing connections from a subset) s
5 217 M
(   of IPs known to have valid users.) s
5 195 M
(9.2.6 Covert Channels) s
5 173 M
(   The protocol was not designed to eliminate covert channels.  For) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 19]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 20 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   example, the padding, SSH_MSG_IGNORE messages, and several other) s
5 679 M
(   places in the protocol can be used to pass covert information, and) s
5 668 M
(   the recipient has no reliable way to verify whether such information) s
5 657 M
(   is being sent.) s
5 635 M
(9.2.7 Forward Secrecy) s
5 613 M
(   It should be noted that the Diffie-Hellman key exchanges may provide) s
5 602 M
(   perfect forward secrecy \(PFS\).  PFS is essentially defined as the) s
5 591 M
(   cryptographic property of a key-establishment protocol in which the) s
5 580 M
(   compromise of a session key or long-term private key after a given) s
5 569 M
(   session does not cause the compromise of any earlier session. [ANSI) s
5 558 M
(   T1.523-2001]  SSHv2 sessions resulting from a key exchange using) s
5 547 M
(   diffie-hellman-group1-sha1 are secure even if private keying/) s
5 536 M
(   authentication material is later revealed, but not if the session) s
5 525 M
(   keys are revealed. So, given this definition of PFS, SSHv2 does have) s
5 514 M
(   PFS.  It is hoped that all other key exchange mechanisms proposed and) s
5 503 M
(   used in the future will also provide PFS.  This property is not) s
5 492 M
(   commuted to any of the applications or protocols using SSH as a) s
5 481 M
(   transport however.  The transport layer of SSH provides) s
5 470 M
(   confidentiality for password authentication and other methods that) s
5 459 M
(   rely on secret data.) s
5 437 M
(   Of course, if the DH private parameters for the client and server are) s
5 426 M
(   revealed then the session key is revealed, but these items can be) s
5 415 M
(   thrown away after the key exchange completes.  It's worth pointing) s
5 404 M
(   out that these items should not be allowed to end up on swap space) s
5 393 M
(   and that they should be erased from memory as soon as the key) s
5 382 M
(   exchange completes.) s
5 360 M
(9.3 Authentication Protocol) s
5 338 M
(   The purpose of this protocol is to perform client user) s
5 327 M
(   authentication. It assumes that this run over a secure transport) s
5 316 M
(   layer protocol, which has already authenticated the server machine,) s
5 305 M
(   established an encrypted communications channel, and computed a) s
5 294 M
(   unique session identifier for this session.) s
5 272 M
(   Several authentication methods with different security) s
5 261 M
(   characteristics are allowed.  It is up to the server's local policy) s
5 250 M
(   to decide which methods \(or combinations of methods\) it is willing to) s
5 239 M
(   accept for each user.  Authentication is no stronger than the weakest) s
5 228 M
(   combination allowed.) s
5 206 M
(   The server may go into a "sleep" period after repeated unsuccessful) s
5 195 M
(   authentication attempts to make key search more difficult for) s
5 184 M
(   attackers.  Care should be taken so that this doesn't become a) s
5 173 M
(   self-denial of service vector.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 20]) s
_R
S
PStoPSsaved restore
%%Page: (20,21) 11
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 21 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(9.3.1 Weak Transport) s
5 668 M
(   If the transport layer does not provide confidentiality,) s
5 657 M
(   authentication methods that rely on secret data SHOULD be disabled.) s
5 646 M
(   If it does not provide strong integrity protection, requests to) s
5 635 M
(   change authentication data \(e.g. a password change\) SHOULD be) s
5 624 M
(   disabled to prevent an attacker from  modifying the ciphertext) s
5 613 M
(   without being noticed, or rendering the new authentication data) s
5 602 M
(   unusable \(denial of service\).) s
5 580 M
(   The assumption as stated above that the Authentication Protocol only) s
5 569 M
(   run over a secure transport that has previously authenticated the) s
5 558 M
(   server is very important to note.  People deploying SSH are reminded) s
5 547 M
(   of the consequences of man-in-the-middle attacks if the client does) s
5 536 M
(   not have a very strong a priori association of the server with the) s
5 525 M
(   host key of that server.  Specifically for the case of the) s
5 514 M
(   Authentication Protocol the client may form a session to a) s
5 503 M
(   man-in-the-middle attack device and divulge user credentials such as) s
5 492 M
(   their username and password.  Even in the cases of authentication) s
5 481 M
(   where no user credentials are divulged, an attacker may still gain) s
5 470 M
(   information they shouldn't have by capturing key-strokes in much the) s
5 459 M
(   same way that a honeypot works.) s
5 437 M
(9.3.2 Debug messages) s
5 415 M
(   Special care should be taken when designing debug messages.  These) s
5 404 M
(   messages may reveal surprising amounts of information about the host) s
5 393 M
(   if not properly designed.  Debug messages can be disabled \(during) s
5 382 M
(   user authentication phase\) if high security is required.) s
5 371 M
(   Administrators of host machines should make all attempts to) s
5 360 M
(   compartmentalize all event notification messages and protect them) s
5 349 M
(   from unwarranted observation.  Developers should be aware of the) s
5 338 M
(   sensitive nature of some of the normal event messages and debug) s
5 327 M
(   messages and may want to provide guidance to administrators on ways) s
5 316 M
(   to keep this information away from unauthorized people.  Developers) s
5 305 M
(   should consider minimizing the amount of sensitive information) s
5 294 M
(   obtainable by users during the authentication phase in accordance) s
5 283 M
(   with the local policies.  For this reason, it is RECOMMENDED that) s
5 272 M
(   debug messages be initially disabled at the time of deployment and) s
5 261 M
(   require an active decision by an administrator to allow them to be) s
5 250 M
(   enabled.  It is also RECOMMENDED that a message expressing this) s
5 239 M
(   concern be presented to the administrator of a system when the action) s
5 228 M
(   is taken to enable debugging messages.) s
5 206 M
(9.3.3 Local security policy) s
5 184 M
(   Implementer MUST ensure that the credentials provided validate the) s
5 173 M
(   professed user and also MUST ensure that the local policy of the) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 21]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 22 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   server permits the user the access requested.  In particular, because) s
5 679 M
(   of the flexible nature of the SSH connection protocol, it may not be) s
5 668 M
(   possible to determine the local security policy, if any, that should) s
5 657 M
(   apply at the time of authentication because the kind of service being) s
5 646 M
(   requested is not clear at that instant. For example, local policy) s
5 635 M
(   might allow a user to access files on the server, but not start an) s
5 624 M
(   interactive shell. However, during the authentication protocol, it is) s
5 613 M
(   not known whether the user will be accessing files or attempting to) s
5 602 M
(   use an interactive shell, or even both.  In any event, where local) s
5 591 M
(   security policy for the server host exists, it MUST be applied and) s
5 580 M
(   enforced correctly.) s
5 558 M
(   Implementors are encouraged to provide a default local policy and) s
5 547 M
(   make its parameters known to administrators and users.  At the) s
5 536 M
(   discretion of the implementors, this default policy may be along the) s
5 525 M
(   lines of 'anything goes' where there are no restrictions placed upon) s
5 514 M
(   users, or it may be along the lines of 'excessively restrictive' in) s
5 503 M
(   which case the administrators will have to actively make changes to) s
5 492 M
(   this policy to meet their needs.  Alternatively, it may be some) s
5 481 M
(   attempt at providing something practical and immediately useful to) s
5 470 M
(   the administrators of the system so they don't have to put in much) s
5 459 M
(   effort to get SSH working.  Whatever choice is made MUST be applied) s
5 448 M
(   and enforced as required above.) s
5 426 M
(9.3.4 Public key authentication) s
5 404 M
(   The use of public-key authentication assumes that the client host has) s
5 393 M
(   not been compromised.  It also assumes that the private-key of the) s
5 382 M
(   server host has not been compromised.) s
5 360 M
(   This risk can be mitigated by the use of passphrases on private keys;) s
5 349 M
(   however, this is not an enforceable policy.  The use of smartcards,) s
5 338 M
(   or other technology to make passphrases an enforceable policy is) s
5 327 M
(   suggested.) s
5 305 M
(   The server could require both password and public-key authentication,) s
5 294 M
(   however, this requires the client to expose its password to the) s
5 283 M
(   server \(see section on password authentication below.\)) s
5 261 M
(9.3.5 Password authentication) s
5 239 M
(   The password mechanism as specified in the authentication protocol) s
5 228 M
(   assumes that the server has not been compromised.  If the server has) s
5 217 M
(   been compromised, using password authentication will reveal a valid) s
5 206 M
(   username / password combination to the attacker, which may lead to) s
5 195 M
(   further compromises.) s
5 173 M
(   This vulnerability can be mitigated by using an alternative form of) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 22]) s
_R
S
PStoPSsaved restore
%%Page: (22,23) 12
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 23 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   authentication.  For example, public-key authentication makes no) s
5 679 M
(   assumptions about security on the server.) s
5 657 M
(9.3.6 Host based authentication) s
5 635 M
(   Host based authentication assumes that the client has not been) s
5 624 M
(   compromised.  There are no mitigating strategies, other than to use) s
5 613 M
(   host based authentication in combination with another authentication) s
5 602 M
(   method.) s
5 580 M
(9.4 Connection protocol) s
5 558 M
(9.4.1 End point security) s
5 536 M
(   End point security is assumed by the connection protocol.  If the) s
5 525 M
(   server has been compromised, any terminal sessions, port forwarding,) s
5 514 M
(   or systems accessed on the host are compromised.  There are no) s
5 503 M
(   mitigating factors for this.) s
5 481 M
(   If the client end point has been compromised, and the server fails to) s
5 470 M
(   stop the attacker at the authentication protocol, all services) s
5 459 M
(   exposed \(either as subsystems or through forwarding\) will be) s
5 448 M
(   vulnerable to attack.  Implementors SHOULD provide mechanisms for) s
5 437 M
(   administrators to control which services are exposed to limit the) s
5 426 M
(   vulnerability of other services.) s
5 404 M
(   These controls might include controlling which machines and ports can) s
5 393 M
(   be target in 'port-forwarding' operations, which users are allowed to) s
5 382 M
(   use interactive shell facilities, or which users are allowed to use) s
5 371 M
(   exposed subsystems.) s
5 349 M
(9.4.2 Proxy forwarding) s
5 327 M
(   The SSH connection protocol allows for proxy forwarding of other) s
5 316 M
(   protocols such as SNMP, POP3, and HTTP.  This may be a concern for) s
5 305 M
(   network administrators who wish to control the access of certain) s
5 294 M
(   applications by users located outside of their physical location.) s
5 283 M
(   Essentially, the forwarding of these protocols may violate site) s
5 272 M
(   specific security policies as they may be undetectably tunneled) s
5 261 M
(   through a firewall.  Implementors SHOULD provide an administrative) s
5 250 M
(   mechanism to control the proxy forwarding functionality so that site) s
5 239 M
(   specific security policies may be upheld.) s
5 217 M
(   In addition, a reverse proxy forwarding functionality is available,) s
5 206 M
(   which again can be used to bypass firewall controls.) s
5 184 M
(   As indicated above, end-point security is assumed during proxy) s
5 173 M
(   forwarding operations.  Failure of end-point security will compromise) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 23]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 24 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   all data passed over proxy forwarding.) s
5 668 M
(9.4.3 X11 forwarding) s
5 646 M
(   Another form of proxy forwarding provided by the ssh connection) s
5 635 M
(   protocol is the forwarding of the X11 protocol.  If end-point) s
5 624 M
(   security has been compromised, X11 forwarding may allow attacks) s
5 613 M
(   against the X11 server.  Users and administrators should, as a matter) s
5 602 M
(   of course, use appropriate X11 security mechanisms to prevent) s
5 591 M
(   unauthorized use of the X11 server.  Implementors, administrators and) s
5 580 M
(   users who wish to further explore the security mechanisms of X11 are) s
5 569 M
(   invited to read [SCHEIFLER] and analyze previously reported problems) s
5 558 M
(   with the interactions between SSH forwarding and X11 in CERT) s
5 547 M
(   vulnerabilities VU#363181 and VU#118892 [CERT].) s
5 525 M
(   X11 display forwarding with SSH, by itself, is not sufficient to) s
5 514 M
(   correct well known problems with X11 security [VENEMA].  However, X11) s
5 503 M
(   display forwarding in SSHv2 \(or other, secure protocols\), combined) s
5 492 M
(   with actual and pseudo-displays which accept connections only over) s
5 481 M
(   local IPC mechanisms authorized by permissions or ACLs, does correct) s
5 470 M
(   many X11 security problems as long as the "none" MAC is not used.  It) s
5 459 M
(   is RECOMMENDED that X11 display implementations default to allowing) s
5 448 M
(   display opens only over local IPC.  It is RECOMMENDED that SSHv2) s
5 437 M
(   server implementations that support X11 forwarding default to) s
5 426 M
(   allowing display opens only over local IPC.  On single-user systems) s
5 415 M
(   it might be reasonable to default to allowing local display opens) s
5 404 M
(   over TCP/IP.) s
5 382 M
(   Implementors of the X11 forwarding protocol SHOULD implement the) s
5 371 M
(   magic cookie access checking spoofing mechanism as described in) s
5 360 M
(   [ssh-connect] as an additional mechanism to prevent unauthorized use) s
5 349 M
(   of the proxy.) s
5 327 M
(Normative References) s
5 305 M
(   [SSH-ARCH]) s
5 294 M
(              Ylonen, T., "SSH Protocol Architecture", I-D) s
5 283 M
(              draft-ietf-architecture-15.txt, Oct 2003.) s
5 261 M
(   [SSH-TRANS]) s
5 250 M
(              Ylonen, T., "SSH Transport Layer Protocol", I-D) s
5 239 M
(              draft-ietf-transport-17.txt, Oct 2003.) s
5 217 M
(   [SSH-USERAUTH]) s
5 206 M
(              Ylonen, T., "SSH Authentication Protocol", I-D) s
5 195 M
(              draft-ietf-userauth-18.txt, Oct 2003.) s
5 173 M
(   [SSH-CONNECT]) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 24]) s
_R
S
PStoPSsaved restore
%%Page: (24,25) 13
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 25 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(              Ylonen, T., "SSH Connection Protocol", I-D) s
5 679 M
(              draft-ietf-connect-18.txt, Oct 2003.) s
5 657 M
(   [SSH-NUMBERS]) s
5 646 M
(              Lehtinen, S. and D. Moffat, "SSH Protocol Assigned) s
5 635 M
(              Numbers", I-D draft-ietf-secsh-assignednumbers-05.txt, Oct) s
5 624 M
(              2003.) s
5 602 M
(   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate) s
5 591 M
(              Requirement Levels", BCP 14, RFC 2119, March 1997.) s
5 569 M
(Informative References) s
5 547 M
(   [FIPS-186]) s
5 536 M
(              Federal Information Processing Standards Publication,) s
5 525 M
(              "FIPS PUB 186, Digital Signature Standard", May 1994.) s
5 503 M
(   [FIPS-197]) s
5 492 M
(              National Institue of Standards and Technology, "FIPS 197,) s
5 481 M
(              Specification for the Advanced Encryption Standard",) s
5 470 M
(              November 2001.) s
5 448 M
(   [ANSI T1.523-2001]) s
5 437 M
(              American National Standards Insitute, Inc., "Telecom) s
5 426 M
(              Glossary 2000", February 2001.) s
5 404 M
(   [SCHEIFLER]) s
5 393 M
(              Scheifler, R., "X Window System : The Complete Reference) s
5 382 M
(              to Xlib, X Protocol, Icccm, Xlfd, 3rd edition.", Digital) s
5 371 M
(              Press ISBN 1555580882, Feburary 1992.) s
5 349 M
(   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol) s
5 338 M
(              Specification", STD 8, RFC 854, May 1983.) s
5 316 M
(   [RFC0894]  Hornig, C., "Standard for the transmission of IP datagrams) s
5 305 M
(              over Ethernet networks", STD 41, RFC 894, April 1984.) s
5 283 M
(   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",) s
5 272 M
(              STD 13, RFC 1034, November 1987.) s
5 250 M
(   [RFC1134]  Perkins, D., "Point-to-Point Protocol: A proposal for) s
5 239 M
(              multi-protocol transmission of datagrams over) s
5 228 M
(              Point-to-Point links", RFC 1134, November 1989.) s
5 206 M
(   [RFC1282]  Kantor, B., "BSD Rlogin", RFC 1282, December 1991.) s
5 184 M
(   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network) s
5 173 M
(              Authentication Service \(V5\)", RFC 1510, September 1993.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 25]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 26 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   [RFC1700]  Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700,) s
5 679 M
(              October 1994.) s
5 657 M
(   [RFC1750]  Eastlake, D., Crocker, S. and J. Schiller, "Randomness) s
5 646 M
(              Recommendations for Security", RFC 1750, December 1994.) s
5 624 M
(   [RFC3066]  Alvestrand, H., "Tags for the Identification of) s
5 613 M
(              Languages", BCP 47, RFC 3066, January 2001.) s
5 591 M
(   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC) s
5 580 M
(              1964, June 1996.) s
5 558 M
(   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism) s
5 547 M
(              \(SPKM\)", RFC 2025, October 1996.) s
5 525 M
(   [RFC2085]  Oehler, M. and R. Glenn, "HMAC-MD5 IP Authentication with) s
5 514 M
(              Replay Prevention", RFC 2085, February 1997.) s
5 492 M
(   [RFC2104]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:) s
5 481 M
(              Keyed-Hashing for Message Authentication", RFC 2104,) s
5 470 M
(              February 1997.) s
5 448 M
(   [RFC2246]  Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A.) s
5 437 M
(              and P. Kocher, "The TLS Protocol Version 1.0", RFC 2246,) s
5 426 M
(              January 1999.) s
5 404 M
(   [RFC2279]  Yergeau, F., "UTF-8, a transformation format of ISO) s
5 393 M
(              10646", RFC 2279, January 1998.) s
5 371 M
(   [RFC2410]  Glenn, R. and S. Kent, "The NULL Encryption Algorithm and) s
5 360 M
(              Its Use With IPsec", RFC 2410, November 1998.) s
5 338 M
(   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an) s
5 327 M
(              IANA Considerations Section in RFCs", BCP 26, RFC 2434,) s
5 316 M
(              October 1998.) s
5 294 M
(   [RFC2743]  Linn, J., "Generic Security Service Application Program) s
5 283 M
(              Interface Version 2, Update 1", RFC 2743, January 2000.) s
5 261 M
(   [SCHNEIER]) s
5 250 M
(              Schneier, B., "Applied Cryptography Second Edition:) s
5 239 M
(              protocols algorithms and source in code in C", 1996.) s
5 217 M
(   [KAUFMAN,PERLMAN,SPECINER]) s
5 206 M
(              Kaufman, C., Perlman, R. and M. Speciner, "Network) s
5 195 M
(              Security: PRIVATE Communication in a PUBLIC World", 1995.) s
5 173 M
(   [CERT]     CERT Coordination Center, The., "http://www.cert.org/nav/) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 26]) s
_R
S
PStoPSsaved restore
%%Page: (26,27) 14
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 27 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(              index_red.html".) s
5 668 M
(   [VENEMA]   Venema, W., "Murphy's Law and Computer Security",) s
5 657 M
(              Proceedings of 6th USENIX Security Symposium, San Jose CA) s
5 646 M
(              http://www.usenix.org/publications/library/proceedings/) s
5 635 M
(              sec96/venema.html, July 1996.) s
5 613 M
(   [ROGAWAY]  Rogaway, P., "Problems with Proposed IP Cryptography",) s
5 602 M
(              Unpublished paper http://www.cs.ucdavis.edu/~rogaway/) s
5 591 M
(              papers/draft-rogaway-ipsec-comments-00.txt, 1996.) s
5 569 M
(   [DAI]      Dai, W., "An attack against SSH2 protocol", Email to the) s
5 558 M
(              SECSH Working Group [email protected] ftp://) s
5 547 M
(              ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail, Feb) s
5 536 M
(              2002.) s
5 514 M
(   [BELLARE,KOHNO,NAMPREMPRE]) s
5 503 M
(              Bellaire, M., Kohno, T. and C. Namprempre, "Authenticated) s
5 492 M
(              Encryption in SSH: Fixing the SSH Binary Packet Protocol",) s
5 481 M
(              , Sept 2002.) s
5 448 M
(Authors' Addresses) s
5 426 M
(   Tatu Ylonen) s
5 415 M
(   SSH Communications Security Corp) s
5 404 M
(   Fredrikinkatu 42) s
5 393 M
(   HELSINKI  FIN-00100) s
5 382 M
(   Finland) s
5 360 M
(   EMail: [email protected]) s
5 327 M
(   Darren J. Moffat \(editor\)) s
5 316 M
(   Sun Microsystems, Inc) s
5 305 M
(   17 Network Circle) s
5 294 M
(   Menlo Park  CA 94025) s
5 283 M
(   USA) s
5 261 M
(   EMail: [email protected]) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 27]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 28 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(Intellectual Property Statement) s
5 668 M
(   The IETF takes no position regarding the validity or scope of any) s
5 657 M
(   intellectual property or other rights that might be claimed to) s
5 646 M
(   pertain to the implementation or use of the technology described in) s
5 635 M
(   this document or the extent to which any license under such rights) s
5 624 M
(   might or might not be available; neither does it represent that it) s
5 613 M
(   has made any effort to identify any such rights. Information on the) s
5 602 M
(   IETF's procedures with respect to rights in standards-track and) s
5 591 M
(   standards-related documentation can be found in BCP-11. Copies of) s
5 580 M
(   claims of rights made available for publication and any assurances of) s
5 569 M
(   licenses to be made available, or the result of an attempt made to) s
5 558 M
(   obtain a general license or permission for the use of such) s
5 547 M
(   proprietary rights by implementors or users of this specification can) s
5 536 M
(   be obtained from the IETF Secretariat.) s
5 514 M
(   The IETF invites any interested party to bring to its attention any) s
5 503 M
(   copyrights, patents or patent applications, or other proprietary) s
5 492 M
(   rights which may cover technology that may be required to practice) s
5 481 M
(   this standard. Please address the information to the IETF Executive) s
5 470 M
(   Director.) s
5 448 M
(   The IETF has been notified of intellectual property rights claimed in) s
5 437 M
(   regard to some or all of the specification contained in this) s
5 426 M
(   document. For more information consult the online list of claimed) s
5 415 M
(   rights.) s
5 382 M
(Full Copyright Statement) s
5 360 M
(   Copyright \(C\) The Internet Society \(2003\). All Rights Reserved.) s
5 338 M
(   This document and translations of it may be copied and furnished to) s
5 327 M
(   others, and derivative works that comment on or otherwise explain it) s
5 316 M
(   or assist in its implementation may be prepared, copied, published) s
5 305 M
(   and distributed, in whole or in part, without restriction of any) s
5 294 M
(   kind, provided that the above copyright notice and this paragraph are) s
5 283 M
(   included on all such copies and derivative works. However, this) s
5 272 M
(   document itself may not be modified in any way, such as by removing) s
5 261 M
(   the copyright notice or references to the Internet Society or other) s
5 250 M
(   Internet organizations, except as needed for the purpose of) s
5 239 M
(   developing Internet standards in which case the procedures for) s
5 228 M
(   copyrights defined in the Internet Standards process must be) s
5 217 M
(   followed, or as required to translate it into languages other than) s
5 206 M
(   English.) s
5 184 M
(   The limited permissions granted above are perpetual and will not be) s
5 173 M
(   revoked by the Internet Society or its successors or assignees.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 28]) s
_R
S
PStoPSsaved restore
%%Page: (28,29) 15
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 29 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft         SSH Protocol Architecture                Oct 2003) s
5 690 M
(   This document and the information contained herein is provided on an) s
5 679 M
(   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING) s
5 668 M
(   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING) s
5 657 M
(   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION) s
5 646 M
(   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF) s
5 635 M
(   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.) s
5 602 M
(Acknowledgment) s
5 580 M
(   Funding for the RFC Editor function is currently provided by the) s
5 569 M
(   Internet Society.) s
5 129 M
(Ylonen & Moffat          Expires March 31, 2004                [Page 29]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
showpage
PStoPSsaved restore
%%Trailer
%%Pages: 29
%%DocumentNeededResources: font Courier-Bold Courier 
%%EOF