How Does SSH Work ?

DEC 2023

Peter Kamel

i
CONTENTS

1. INTRODUCTION....................................................................................................... 1
2. How does SSH works……......................................................................................... 1
2.1 Symmetric encryption… ...................................................................................... 2
2.2 Asymmetric encryption… ..................................................................................... 2
2.3 Hashing… ........................................................................................................... 2
4. Benefits and Limitations of SSH………...................................................................... 3
5. REFERENCES.......................................................................................................... 5

ii
1. INTRODUCTION
Secure Shell (SSH) is a networking protocol that enables systems to communicate over an
unsecured network. It is a part of the application layer of the OSI model. It allows authorized
users to control remote machines via the internet without having physical access.
SSH was introduced in the 1990s. It replaced the Telnet (Teletype Network) network protocol
used by machines to interact with each other. Telnet typically transfers data without encryption.
As a result, the data exchange was susceptible to man-in-the-middle attacks, implying anyone
with a packet sniffer could listen to the conversation between you and the remote machine.
A solution to such a problem is achieved through encryption. It hides the data and makes it
unreadable to attackers. Thus, SSH emerged as a secure way of communication where
encrypted data is transferred through a tunnel to keep the data in transit safe from bad actors.
SSH means you can still see that the data is being exchanged between machines, but it is hard to
determine what the data is.
SSH obeys a client-server model where one system is labeled as the SSH client while the other
machine is called the SSH server or host. When the client connects to the server, the data
communication proceeds through the shells, for example, Linux terminal shell or a Windows
command prompt shell. Such shells allow the execution of commands on machines you are
connected to. With SSH, you can talk to remote and your own operating systems.
2. How Does SSH Work ?
Under SSH, data is broken down into a series of packets. Packet transfer begins by fulfilling a
few mandatory packet fields.
The topmost field is that of „Packet Length,‟ which defines the size of the packet. Next, the field
„Padding Amount‟ reveals the padding present in the packet. After this, the actual data is added
to the field „Payload,‟ followed by another Padding field. This padding has no real significance
but only adds random bytes to the packet. These bytes, when encrypted along with the payload,
make it difficult to detect the actual data. Lastly, a „Message Authentication Code‟ field is added
to ensure the data is not tampered with during the packet transfer process.
Typically, the payload is compressed using standard compression algorithms to accommodate
more data. The entire packet is then encrypted except for the length and authentication code
fields.
The encrypted packet is then sent to the server. The server uses decryption and decompression
methods to retrieve packet data from the payload. A similar procedure is followed for each
packet transferred between the client and server.
Various data manipulation techniques are employed at multiple data transmission points to keep
the SSH connection secure. Some common techniques include:
Symmetrical encryption
Asymmetrical encryption
Hashing

1
Let‟s understand each one in brief.

2.1 Symmetric encryption

In a symmetric type of encryption, a single key is used to encrypt messages sent from the source
to the destination and also decrypt messages received at the destination. It is also referred to as
shared key encryption.
Each SSH session has a specific secret key making it difficult for the attackers to exploit man-in-
the-middle attacks. However, problems may arise if the third party is listening to the
communication when the initial key exchange happens. Such issues can be prevented by
employing key exchange algorithms, which provide a secure way to exchange secret keys by
limiting external interception. It is important to note that implementing key exchange algorithms
demands the usage of asymmetric encryption.
2.2 Asymmetric encryption
Asymmetric encryption uses two separate keys, namely public and private keys, for encryption
and decryption of data. Data encryption is accomplished using a public key stored on the SSH
server, while data decryption is fulfilled using a private key stored locally on the SSH client.
This encryption type is more secure than the symmetric one implying that even if the attackers
access the public key, they may not be able to decrypt the messages as they do not have the
private key. Hence, as long as the private key is securely stored on your local device, your
messages are safe from third-party attacks.
SSH connection uses asymmetric encryption at selective places. For example, the key exchange
algorithm uses asymmetric encryption while exchanging keys in the initial stages.
2.3 Hashing
Hashing refers to a cryptographic method that secures shell connections. It creates a specific
signature, also known as a summary of information for every data transfer. It is typically a one-
way process wherein the generated hashed data cannot be decrypted by a third party.
In common scenarios, if attackers manage to deceive the client and the host, the communications
can be easily tampered with. To tackle this problem, SSH uses Hash-based Message
Authentication Codes (HMAC), which ensures that the data sent is received in its original and
unmodified form.

2
The hash function ensures that each data transfer between the source and destination has an
additional MAC component. MAC is the hash generated from a series of elements, such as the
symmetric key, the sequence number of the packet, and the data content to be transmitted. The
three information units are given as inputs to the hash function, which generates a random string.
This generated string is sent to the host as a signature.
Once the host receives the signature, it can validate and verify whether the message being sent
was tampered with while in transit. As the host already has the same information (i.e., the
symmetric key, the sequence number of the packet, and the data content), it can use the same
hash function to generate its own hash.
The generated hash is then matched with the one received during the data transfer. If the hash
matches, the client‟s signature gets verified, and the host can be sure that the data is not tampered
with by a third party. The hashing technique works because even the slightest change in a
message, such as capitalizing a letter, completely changes the hash (string/signature).
Using the above data manipulation techniques, SSH shells ensure that data packets are securely
transferred between the client and the server.
3. Benefits and Limitations of SSH
SSH replaced the conventional remote shell protocols like Telnet, FTP, rsh (remote shell), rlogin
(remote login), and rexec (remote execution) that exchanged information, including passwords in
plain text. These older protocols were insecure and prone to security breaches. It led to the
adoption of more secure SSH protocols.

3
Let‟s take a look at some of the key advantages of SSH.
Secure protocol: SSH uses data encryption to ensure secure communication between the client
and the server.
Management of remote computer: SSH supports the execution of shell commands on remote
machines, much like giving instructions to a physical computer. SSH commands and scripts are
useful for administrators as they can remotely view, remove, move, and manage files, folders,
and directories.
Multiplexing: SSH supports multiplexing where multiple data streams are in operation through
one TCP connection. As a result, SSH makes resource sharing possible with minimum TCP
connections.
Tunneling: SSH has the inherent ability to use port tunneling and forwarding, wherein arbitrary
data is transferred through an encrypted secure connection. Such a method can be employed
when you intend to bypass restrictive firewalls.
User access: SSH enables network administrators to control and limit user access to a network
remotely.
User authentication: Users can rely on SSH keys to authenticate themselves and log in to a
system rather than using usernames and passwords. Typically, SSH keys are tougher to
decrypt/crack than regular passwords. Thus, SSH keys protect systems from brute-force
password attacks.
Security in cloud computing: SSH shells/tunnels, when deployed in cloud settings, tend to
solve connectivity problems. Moreover, they protect cloud-based virtual machines from security
vulnerabilities as they are continually exposed to the internet.
Let‟s now understand some of the limitations of SSH.
Security vulnerabilities: SSH is a secure cryptographic network protocol. However, it has its
own share of security vulnerabilities. For example, cybercriminals use SSH keys to create
backdoors to sneak into corporate networks laterally. Upon successful network intrusion, the
attackers launch brute force and malware attacks. SSH session hijacking and unauthorized access
is another security vulnerability of the SSH protocol.
Tunneling effects: Network administrators use SSH-enabled tunnels to enter a network from
remote places. But outbound SSH transactions sometimes cause serious security vulnerabilities
as they are generally unrestricted. Moreover, tunneling gives hackers a backdoor entry and, in
some cases, violates security regulations like PCI and HIPAA. Compared to outbound SSH
transactions, inbound SSH transactions are easy to control. For example, you can easily redirect
port 22 (SSH) connections to a specific IP address.
SSH keys: SSH keys are an alternative to passwords that users use to log in to the system. The
SSH keys do not usually expire. In large enterprises, multiple SSH keys reside on several
servers. SSH keys demand proper user key management. If not, it can cause a severe key sprawl
which can allow hackers to exploit organizational networks. Moreover, SSH tunneling can also
give attackers an opportunity to bypass firewalls and target network systems.
Private key issues: Some servers share the same keys as they are preconfigured in a device.
These devices can be accessed with the help of private keys that can be obtained through reverse

4
engineering. Moreover, shorter and older keys imply that attackers can derive the values of
private keys through trial and error.
Slow connections: SSH can slow down its response speed to high-bandwidth commands or
instructions due to slow connections.
SSH mismanagement: Research studies suggest the primary reason for SSH security failures is
SSH mismanagement by the IT departments.
4. References
1
1. “What Is SSH (Secure ShelI)? Meaning, Working, Benefits and Limitations” . Available:
https://www.spiceworks.com/it-security/network-security/articles/what-is-ssh/