Analysis of the Key Exchange method of SSH using Elliptic Curve Cryptography and a Public Key Infrastructure

No Thumbnail Available

Date

2008-02

Journal Title

Journal ISSN

Volume Title

Publisher

Addis Ababa University

Abstract

SSH, Secure Shell, is a protocol that allows user to log into another computer, to execute commands in a remote machine, and to move files from one machine to another securely over an insecure network. It provides cryptographic authentication, encryption and data integrity to secure network communications. Negotiation of the security parameters and authentication of the peers require using public key cryptosystems. Public key operations are generally slow. In order to improve the performance of the protocol and make it applicable in both powerful and resource constrained environments Elliptic Curve Cryptography is used. In addition, since SSH uses plain public keys to authenticate a remote server, always the first time authentication is vulnerable to the Man-in-the-Middle attack. Using a public key certificate as a host key will eliminate the above vulnerability. And it requires a PKI, Public Key Infrastructure to support the certificate approach. PKI may potentially impact the performance of the security protocol. And PKI path validation techniques (certificate revocation status checking) need more storage capacity, more communication cost and more processing time. This seems to have a problem to scale with large communicating nodes. In this thesis, SSH’s key exchange handshake is implemented using java and bouncy castle cryptographic api. Performance with RSA (Rivest-Shamir-Adleman) and ECDH_ECDSA (Elliptic Curve Diffie-Hellman Elliptic Curve Digital Signature Algorithm) key exchange suites have been compared for both PKI and non-PKI authentication. Client waiting time (key exchange latency), server key exchange throughput, and revocation status message size have been measured for each key exchange suite. Simulation results show that ECC has better processing time performance and better throughput than RSA. Response time and revocation status message size are minimum when Authenticated Directories are used as a certificate status responder. Keywords used: SSH, PKI, Elliptic Curve Cryptography, ECDH, ECDSA, certificate, certificate path validation, certificate revocation status checking, key exchange handshake, authentication, Authenticated Dictionaries and RSA.

Description

Keywords

Ssh, Pki, Elliptic Curve Cryptography, Ecdh, Ecdsa, Certificate, ertificate Path Validation, Certificate Revocation Status Checking, Key Exchange Handshake, Authentication, Authenticated Dictionaries and Rsa

Citation