Why produce a shared session key before authentication in SSH?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



The author wrote that an SSH session is established in two stages:



  1. Client and server establish encryption to secure the communication

  2. Client authentication

During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




  1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.






ssh security encryption authentication







share|improve this question



























    up vote
    2
    down vote

    favorite












    I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



    The author wrote that an SSH session is established in two stages:



    1. Client and server establish encryption to secure the communication

    2. Client authentication

    During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




    1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



    My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



    It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.






    ssh security encryption authentication







    share|improve this question

























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



      The author wrote that an SSH session is established in two stages:



      1. Client and server establish encryption to secure the communication

      2. Client authentication

      During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




      1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



      My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



      It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.






      ssh security encryption authentication







      share|improve this question















      I wanted to understand how SSH exactly works and I stumbled upon this article: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process



      The author wrote that an SSH session is established in two stages:



      1. Client and server establish encryption to secure the communication

      2. Client authentication

      During the first stage both parties take part in generating a shared session key that would be used to encrypt messages. It is used during the authentication stage:




      1. The client combines the decrypted number with the shared session key that is being used to encrypt the communication, and calculates the MD5 hash of this value.



      My question is: Why go through the process of generating a shared session key if the authentication process fails? The messages are secured by public key encryption and private key decryption anyway, so is another layer of security really neccessary, or is it just a security measure just to be sure it's safe?



      It would make more sense to me if the client had been first authenticated and after that a shared session key was generated.






      ssh security encryption authentication




      ssh security encryption authentication






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 hours ago

























      asked 5 hours ago









      Adrian Wydmanski

      12516




      12516




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted










          It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



          Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



          Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






          share|improve this answer
















          • 1




            I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
            – grawity
            2 hours ago










          • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
            – Adrian Wydmanski
            24 mins ago










          • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
            – jakub_d
            10 mins ago











          • As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
            – jakub_d
            4 mins ago

















          up vote
          1
          down vote













          No. This is the primary layer of encryption. There's no other layer.




          The messages are secured by public key encryption and private key decryption anyway




          They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



          Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



          Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



          Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






          share|improve this answer






















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "3"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1369611%2fwhy-produce-a-shared-session-key-before-authentication-in-ssh%23new-answer', 'question_page');

            );

            Post as a guest

















            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            3
            down vote



            accepted










            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






            share|improve this answer
















            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              24 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              10 mins ago











            • As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
              – jakub_d
              4 mins ago














            up vote
            3
            down vote



            accepted










            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






            share|improve this answer
















            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              24 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              10 mins ago











            • As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
              – jakub_d
              4 mins ago












            up vote
            3
            down vote



            accepted







            up vote
            3
            down vote



            accepted






            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.






            share|improve this answer












            It is the asymmetric (public/private) operations that are expensive (the fewer you do, the better), symmetric crypto is cheap. SSH first establishes a full symmetric encryption between the client and server and then it starts discussing authentication methods.



            Multiple keys can be offered and rejected as part of the negotiation (your suggestion would make this more expensive). Then other authentication methods may be tried. You want to let any eavesdroppers know as little as possible about this phase, so it makes sense to have full end-to-end encryption already in place for it.



            Bonus argument: your suggestion makes failed attempts cheaper, we don't actually want that, they should be at least as expensive as successful ones.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 2 hours ago









            jakub_d

            1562




            1562







            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              24 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              10 mins ago











            • As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
              – jakub_d
              4 mins ago












            • 1




              I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
              – grawity
              2 hours ago










            • Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
              – Adrian Wydmanski
              24 mins ago










            • @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
              – jakub_d
              10 mins ago











            • As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
              – jakub_d
              4 mins ago







            1




            1




            I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
            – grawity
            2 hours ago




            I think the OP is referring to the key-exchange process (which is asymmetric and therefore expensive), and asking why that's not delayed until after authentication.
            – grawity
            2 hours ago












            Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
            – Adrian Wydmanski
            24 mins ago




            Thanks for your response. Could you provide me any sources explaining why symmetric encryption is faster than asymmetric?
            – Adrian Wydmanski
            24 mins ago












            @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
            – jakub_d
            10 mins ago





            @AdrianWydmanski - if you have a Linux machine on hand, try openssl speed rsa2048 vs. openssl speed aes-256-cbc ; the symmetric aes can encrypt something like 40 MB/s on my machine, whereas the asymmetric part can only do ~300 RSA signatures per second.
            – jakub_d
            10 mins ago













            As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
            – jakub_d
            4 mins ago




            As to why - that may be a difficult philosophical question. RSA involves some rather unpleasant math and big primes, while the symmetric ciphers just have to make enough of a mess of the data with simple integer math.
            – jakub_d
            4 mins ago












            up vote
            1
            down vote













            No. This is the primary layer of encryption. There's no other layer.




            The messages are secured by public key encryption and private key decryption anyway




            They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



            Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



            Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



            Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






            share|improve this answer


























              up vote
              1
              down vote













              No. This is the primary layer of encryption. There's no other layer.




              The messages are secured by public key encryption and private key decryption anyway




              They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



              Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



              Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



              Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






              share|improve this answer
























                up vote
                1
                down vote










                up vote
                1
                down vote









                No. This is the primary layer of encryption. There's no other layer.




                The messages are secured by public key encryption and private key decryption anyway




                They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



                Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



                Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



                Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).






                share|improve this answer














                No. This is the primary layer of encryption. There's no other layer.




                The messages are secured by public key encryption and private key decryption anyway




                They aren't. Public-key encryption/decryption is never used to protect all traffic, for various reasons (e.g. considerably worse performance of asymmetric algorithms versus symmetric encryption, or lack of forward secrecy, or simply the protocol using algorithms suitable for signing but not encryption).



                Instead, both SSH and TLS/SSL use a "hybrid" model where the public/private keypairs are only used to negotiate a session key (or more commonly, just to secure the negotiation) and not used at all afterwards.



                Besides, how would the server encrypt data if the client didn't have a keypair at all? Remember that SSH has a variety of client (user) authentication methods – such as simple password, which needs to be encrypted somehow. (And for comparison, in general TLS/SSL usage the client isn't authenticated at all.) Ideally, the authentication process wouldn't reveal to outsiders who is currently authenticating.



                Having one encryption layer just for the authentication details, and switching to another for the rest of the session, would be possible but unnecessarily complex – because after all it wouldn't even avoid the 'issue' you mention (of having to do a key exchange before authentication).







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 hours ago

























                answered 2 hours ago









                grawity

                223k33456520




                223k33456520



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1369611%2fwhy-produce-a-shared-session-key-before-authentication-in-ssh%23new-answer', 'question_page');

                    );

                    Post as a guest
































































                    Comments

                    Post a Comment

                    Popular posts from this blog

                    Long meetings (6-7 hours a day): Being “babysat” by supervisor

                    Image
                    Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
                    Read more

                    Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

                    Image
                    Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
                    Read more

                    Confectionery

                    Image
                    Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
                    Read more