Analysis of the Key Exchange method of SSH using Elliptic Curve Cryptography and a Public Key Infrastructure
No Thumbnail Available
Date
2008-02
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Addis Ababa University
Abstract
SSH, Secure Shell, is a protocol that allows user to log into another computer, to execute
commands in a remote machine, and to move files from one machine to another securely
over an insecure network. It provides cryptographic authentication, encryption and data
integrity to secure network communications. Negotiation of the security parameters and
authentication of the peers require using public key cryptosystems. Public key operations
are generally slow. In order to improve the performance of the protocol and make it
applicable in both powerful and resource constrained environments Elliptic Curve
Cryptography is used.
In addition, since SSH uses plain public keys to authenticate a remote server, always the
first time authentication is vulnerable to the Man-in-the-Middle attack. Using a public
key certificate as a host key will eliminate the above vulnerability. And it requires a PKI,
Public Key Infrastructure to support the certificate approach. PKI may potentially impact
the performance of the security protocol. And PKI path validation techniques (certificate
revocation status checking) need more storage capacity, more communication cost and
more processing time. This seems to have a problem to scale with large communicating
nodes.
In this thesis, SSH’s key exchange handshake is implemented using java and bouncy
castle cryptographic api.
Performance with RSA (Rivest-Shamir-Adleman) and ECDH_ECDSA (Elliptic Curve
Diffie-Hellman Elliptic Curve Digital Signature Algorithm) key exchange suites have
been compared for both PKI and non-PKI authentication. Client waiting time (key
exchange latency), server key exchange throughput, and revocation status message size
have been measured for each key exchange suite.
Simulation results show that ECC has better processing time performance and better
throughput than RSA. Response time and revocation status message size are minimum
when Authenticated Directories are used as a certificate status responder.
Keywords used: SSH, PKI, Elliptic Curve Cryptography, ECDH, ECDSA, certificate,
certificate path validation, certificate revocation status checking, key exchange
handshake, authentication, Authenticated Dictionaries and RSA.
Description
Keywords
Ssh, Pki, Elliptic Curve Cryptography, Ecdh, Ecdsa, Certificate, ertificate Path Validation, Certificate Revocation Status Checking, Key Exchange Handshake, Authentication, Authenticated Dictionaries and Rsa