SSH (Secure Shell) is a protocol that provides encryption, authentication and data integrity for network communications, so that passwords and other sensitive data are protected in transit. Secure Shell client/server implementations offer services such as file transfer, data tunnelling, a command shell and remote access for TCP/IP applications.
Transport Layer Security (TLS) is a cryptographic protocol that provides communication security over networks such as the Internet.
TLS is used by applications such as web browsing, web faxing, instant messaging, VoIP and e-mail. It provides security services to network connections above the transport layer: it uses symmetric-key cryptography to ensure privacy, and a keyed MAC (Message Authentication Code) to ensure message integrity.
Secure Shell (SSH) (An overview)
Internet technology is growing fast and becoming increasingly inexpensive and available, replacing telephones, fax, remote dial-up connections and traditional couriers in companies large and small. The Internet therefore requires a high level of security, and its ongoing maintenance, because critical data is transmitted over public networks.
Secure Shell was created by Tatu Ylönen, a researcher at Helsinki University of Technology in Finland. His goal was to replace the earlier rlogin, TELNET and rsh protocols, which did not provide strong authentication and sent passwords in clear text. In 1995 Ylönen released his implementation as freeware, and it quickly gained popularity.
There are two versions of Secure Shell. The first, SSH1, was designed to replace the insecure UNIX remote-login tools named above. The second, SSH2, was introduced as an Internet Engineering Task Force (IETF) draft in 1997 and, among other improvements, provided a better file transfer solution. Secure Shell provides three main functionalities:
Secure File Transfer Protocol (SFTP)
SFTP (formally the SSH File Transfer Protocol) is a separate protocol layered over the Secure Shell protocol to handle file transfers. Because it runs inside the SSH session, the username and password and the data being transferred are all encrypted. SFTP uses the same port as the Secure Shell server (TCP port 22), which eliminates the need to open another port on the router or firewall and avoids the network address translation (NAT) problems often seen with File Transfer Protocol (FTP), whose separate data connections a NAT device has to track.
SFTP can be used to build a secure extranet: one or more hardened servers placed outside the internal firewall, in a DMZ, that remote partners can reach. Such an extranet lets an organisation share files and documents with customers, accept uploads of files and reports, and make an archive of data files available for download, while providing a secure mechanism for remote, file-oriented administration tasks.
Below is a diagram, from VanDyke Software, that demonstrates a secure extranet (DMZ) allowing secure SFTP access to information assets by internal users and partners.
Secure Command Shell
A secure command shell allows you to edit files, view the contents of directories and access custom database applications. The command shells available in UNIX, Linux and Windows provide the ability to execute programs with character-based output. Network administrators can start batch jobs remotely without being physically present; they can also start, view or stop services and processes, edit the permissions of files and directories, and create user accounts.
Below is a diagram, from VanDyke Software, that demonstrates execution of remote commands over Secure Shell.
Port Forwarding
Port forwarding, also known as tunnelling, allows the data of TCP/IP applications to be secured. It is a powerful tool that provides security not only to generic TCP/IP traffic but also to e-mail, databases and in-house applications. It allows many applications to transmit data over a single multiplexed channel, eliminating the need for additional open ports on a router or firewall. It is also the way to secure graphical remote-control applications, which are needed where a secure remote command shell alone is insufficient.
Below is a diagram, from VanDyke Software, demonstrating port forwarding that allows multiple TCP/IP applications to share a single secure connection.
Advantages of using Secure Shell Protocol
The following are the basic security benefits that Secure Shell provides:
Secure Shell uses ciphers to encrypt and decrypt the data being transferred over the wire.
There are different kinds of cipher; block ciphers are the most common form of symmetric-key algorithm, with examples such as DES, 3DES, Blowfish, AES and Twofish. They operate on fixed-size blocks of data using a single, secret, shared key and multiple rounds of simple non-linear functions.
Once encrypted, the data sent cannot be recovered without the shared key. When a client establishes a connection with a Secure Shell server, the two negotiate which cipher will be used to encrypt and decrypt data.
Both the client and the host use the same session (shared) keys, derived from the key exchange in which the host is authenticated, to encrypt and decrypt data, although a different key is used for the send and receive directions.
Version 2 of SSH uses MAC (Message Authentication Code) algorithms for data integrity, replacing the simple 32-bit CRC check of SSH version 1; a CRC is an error-detecting checksum rather than a keyed integrity mechanism, so an attacker who modifies data in transit can recompute it. Data integrity guarantees that data transferred across the wire has not been changed when it arrives at the other end.
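The two points above, separate keys per direction derived from one shared secret, and a keyed MAC instead of a CRC, can be shown in one worked example. The following Python is an added illustration, not code from the page or from any SSH implementation: it derives the six directional keys exactly as RFC 4253 section 7.2 specifies (using SHA-256 as the exchange hash), computes the SSH-2 transport MAC over the sequence number and packet, and then forges a CRC-32 for a tampered packet to show why the SSH-1 check gave no protection. The shared secret K, the exchange hash H and the packet contents are constructed values, and the packet is a bare payload without the real length and padding framing.

```python
"""SSH-2 session key derivation (RFC 4253, section 7.2) and packet integrity:
an HMAC keyed with the derived MAC key versus an SSH-1 style CRC-32 check."""
import hashlib
import hmac
import struct
import zlib


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251): a 4-byte length
    followed by the two's-complement big-endian value, so 0x80 becomes 00 00 00 02 00 80."""
    if n == 0:
        return struct.pack(">I", 0)
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return struct.pack(">I", len(body)) + body


def derive_keys(K: int, H: bytes, session_id: bytes, key_len: int = 32, hash_name: str = "sha256") -> dict:
    """Return the six directional keys of RFC 4253 7.2 from the shared secret K and exchange hash H.
    'A'/'B' are the initial IVs, 'C'/'D' the encryption keys and 'E'/'F' the MAC keys, each pair
    being client-to-server then server-to-client. Every key is HASH(K || H || letter || session_id),
    extended with HASH(K || H || K1 || K2 ...) when more key material is needed."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    keys = {}
    for letter in "ABCDEF":
        material = h(mpint(K) + H + letter.encode("ascii") + session_id)
        while len(material) < key_len:
            material += h(mpint(K) + H + material)
        keys[letter] = material[:key_len]
    return keys


def ssh_mac(mac_key: bytes, seq: int, packet: bytes) -> bytes:
    """SSH-2 transport MAC (RFC 4253 6.4): MAC(key, sequence_number || unencrypted_packet).
    The sequence number defeats replay; the key defeats forgery."""
    return hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()


def crc32_forge(packet: bytes, crc: int, delta: bytes) -> tuple:
    """CRC-32 is linear: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros of the same length).
    An on-path attacker who XORs 'delta' into the packet can therefore compute the new
    CRC without knowing any secret, which is why a CRC is not an integrity check."""
    flipped = bytes(x ^ y for x, y in zip(packet, delta))
    new_crc = crc ^ zlib.crc32(delta) ^ zlib.crc32(b"\x00" * len(packet))
    return flipped, new_crc


def integrity_demo() -> dict:
    """Constructed scenario: derive keys from a made-up K and H, then tamper with a packet."""
    K = int.from_bytes(b"constructed shared secret, not from a real key exchange", "big")
    H = hashlib.sha256(b"constructed exchange hash").digest()
    keys = derive_keys(K, H, session_id=H)   # in the first exchange the session id is H itself
    packet = b"chown user file"               # constructed payload, no length/padding framing
    delta = bytes(a ^ b for a, b in zip(packet, b"chown root file"))  # mask turning 'user' into 'root'

    forged, forged_crc = crc32_forge(packet, zlib.crc32(packet), delta)
    good_mac = ssh_mac(keys["E"], 0, packet)
    return {
        "keys_distinct": len(set(keys.values())) == 6,
        "forged_packet": forged,
        "crc_accepts_forgery": zlib.crc32(forged) == forged_crc,
        "hmac_accepts_forgery": hmac.compare_digest(ssh_mac(keys["E"], 0, forged), good_mac),
        "hmac_accepts_replay_at_new_seq": hmac.compare_digest(ssh_mac(keys["E"], 1, packet), good_mac),
    }
```

Running `integrity_demo()` shows the receiver's CRC check accepting the altered command while the HMAC rejects both the alteration and a replay of the genuine packet under a different sequence number; real implementations use the negotiated MAC algorithm (for example hmac-sha2-256) with the key derived as above.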
Host keys are persistent and asymmetric. A server uses its host key to prove its identity to a client, and a client uses it to confirm that it is talking to a known host rather than an impostor. If a machine runs multiple SSH servers, it may have multiple host keys or use a single key for all of them; if it runs one SSH server, a single host key identifies both the machine and the server.
User authentication is the process by which a system verifies a user's identity so that access is granted to intended users and denied to unknown ones. Most Secure Shell implementations include password and public-key authentication methods. The flexibility of the SSH protocol allows new authentication methods to be incorporated as they become available.
Below is a diagram, from VanDyke Software, showing authentication, encryption and integrity.
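What the client does with a host key is best seen in the check it runs against its known_hosts file. The Python below is an added example, not code from the page or from OpenSSH: it encodes an ssh-ed25519 public key blob, computes the OpenSSH-style SHA256 fingerprint, handles both plain and hashed (HashKnownHosts) host entries, and returns whether a presented key matches a known host, contradicts it (the man-in-the-middle signal) or is being seen for the first time. The key bytes, host names and known_hosts contents are constructed; wildcard and [host]:port entries and the @cert-authority/@revoked markers are not handled.

```python
"""Host key verification the way an SSH client performs it against ~/.ssh/known_hosts:
a host seen for the first time is unknown (trust on first use), a known host whose
key matches is accepted, and a known host presenting a different key is rejected."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Public key blob as stored in known_hosts and sent in the key exchange (RFC 8709):
    string "ssh-ed25519" || string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of SHA-256 over the blob, '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Hashed host field written by HashKnownHosts: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"), base64.b64encode(mac).decode("ascii"))


def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field, which is either a comma-separated list of names
    and addresses or a hashed entry. (Wildcards and [host]:port forms are not handled here.)"""
    if field.startswith("|1|"):
        salt_b64 = field.split("|")[2]
        return hmac.compare_digest(hashed_hostname(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, blob: bytes) -> str:
    """Return 'match', 'mismatch' (the host is known but its key changed, which is what a
    man-in-the-middle looks like) or 'unknown' (first contact: the client must ask the user)."""
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0].startswith("@"):
            continue  # comments; @cert-authority / @revoked markers are out of scope here
        if len(parts) < 3 or parts[1] != key_type or not host_matches(parts[0], host):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(parts[2]), blob):
            return "match"
    return "mismatch" if seen_host else "unknown"


def verification_demo() -> dict:
    """Constructed known_hosts file and keys; the key bytes are arbitrary, not real keys."""
    good_key = ed25519_blob(bytes(range(32)))
    rogue_key = ed25519_blob(bytes(range(32, 64)))
    good_b64 = base64.b64encode(good_key).decode("ascii")
    known_hosts = "\n".join([
        "# constructed known_hosts, two entries for the same key",
        "bastion.example.com,10.0.0.5 ssh-ed25519 " + good_b64,
        hashed_hostname("git.example.com", b"\x01" * 20) + " ssh-ed25519 " + good_b64,
    ])
    return {
        "known_host_same_key": check_host_key(known_hosts, "bastion.example.com", "ssh-ed25519", good_key),
        "known_host_by_address_new_key": check_host_key(known_hosts, "10.0.0.5", "ssh-ed25519", rogue_key),
        "hashed_entry": check_host_key(known_hosts, "git.example.com", "ssh-ed25519", good_key),
        "first_contact": check_host_key(known_hosts, "new.example.com", "ssh-ed25519", good_key),
        "fingerprint": fingerprint(good_key),
    }
```

The "mismatch" result is the case that matters operationally: a client should refuse the connection rather than let the user type a password to whoever holds the new key, and the fingerprint is what an administrator compares out of band before accepting a first-contact key.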
Disadvantages of Secure Shell Protocol
SSH is not a true shell such as csh, ksh or sh, and it is not a command interpreter. It does not protect against viruses, Trojans and the like, nor against incorrect configuration or usage, nor against insecure directories: for example, if an attacker manages to modify files in your home directory via NFS, SSH will not prevent it. Nor does it help with a compromised root account: if an attacker has root access on either side of the connection, your session can be intercepted through the pseudo-terminal device when you log in from one host to another.
Transport Layer Security (TLS) (An overview)
Transport Layer Security is the successor of Secure Sockets Layer (SSL), which was developed by the American company Netscape Communications Corporation. TLS is used by many application protocols, such as the Extensible Messaging and Presence Protocol (XMPP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP). TLS was designed for and is primarily used over the Transmission Control Protocol (TCP); a datagram variant (DTLS) was later defined to suit datagram-oriented transports such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP).
TLS is used to provide standard authentication and encryption for the Session Initiation Protocol (SIP), the application-layer signalling protocol associated with VoIP and other SIP-based applications.
Because TLS runs over ordinary TCP connections it passes through firewalls and Network Address Translation (NAT) without special handling, which simplifies administering remote-access user populations; TLS can also be used to build a Virtual Private Network (VPN).
TLS Handshake Protocol
Data within TLS is exchanged as records, each of which, once the connection is protected, carries a Message Authentication Code (MAC) over its contents. As described on Wikipedia, each record has a content type field, a TLS version field and a length field. The handshake messages, as defined by Microsoft, are as follows:
Cipher suite negotiation
The client and server agree on the cipher suite to be used for the rest of their message exchange.
Authentication of the server or the client
The server proves its identity to the client, or vice versa. The authentication method is determined by the negotiated cipher suite and uses public/private key pairs with certificates (PKI).
Using a secure session
A secure session holds the security parameters (the negotiated cipher suite and the master secret) that the Record Layer uses to protect the data. Many connections can be created from the same session through the resumption feature of the Handshake protocol.
Resuming a secure session
A flag in the session indicates whether it may be resumed to start new connections without repeating the full handshake.
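The first record of the handshake, the ClientHello, is where cipher suite negotiation starts: the client lists the suites it supports and names the server it wants. The Python below is an added example, not code from the page or from any TLS library: it builds a ClientHello record with the layout of RFC 5246 (which TLS 1.3 keeps, RFC 8446 section 4.1.2), then parses it back, checking every declared length against the bytes present, and decodes the cipher suites and the server_name extension. The cipher suite list, host name and 32-byte random are constructed inputs, and the name table covers only four code points.

```python
"""Build and parse the first TLS record of a handshake, the ClientHello, in which the
client offers its cipher suites (RFC 5246 section 7.4.1.2; TLS 1.3 keeps the same layout
in RFC 8446 section 4.1.2) and names the server it wants in the server_name extension."""
import os
import struct

# A few cipher suite code points, for readable output (IANA TLS Cipher Suite registry).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def _vec(data: bytes, length_bytes: int) -> bytes:
    """TLS length-prefixed vector: 1-, 2- or 3-byte big-endian length, then the data."""
    return len(data).to_bytes(length_bytes, "big") + data


def build_client_hello(cipher_suites, server_name: str, random: bytes = None, session_id: bytes = b"") -> bytes:
    """Return a complete TLS record (5-byte header + handshake message) carrying a ClientHello."""
    random = random if random is not None else os.urandom(32)
    name_entry = b"\x00" + _vec(server_name.encode("ascii"), 2)    # NameType host_name = 0
    sni_ext = struct.pack(">H", 0) + _vec(_vec(name_entry, 2), 2)  # ExtensionType server_name = 0
    body = (b"\x03\x03" + random                                    # client_version (legacy) + random
            + _vec(session_id, 1)
            + _vec(b"".join(struct.pack(">H", s) for s in cipher_suites), 2)
            + _vec(b"\x00", 1)                                       # compression_methods: null only
            + _vec(sni_ext, 2))                                      # extensions
    handshake = b"\x01" + _vec(body, 3)                              # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + _vec(handshake, 2)                      # ContentType handshake = 22, record version 0x0301


def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record, refusing anything whose declared lengths disagree with the bytes present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if struct.unpack(">H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length does not match the bytes present (truncated or trailing data)")
    handshake = record[5:]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = handshake[4:]
    if int.from_bytes(handshake[1:4], "big") != len(body):
        raise ValueError("ClientHello length does not match the record")

    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("ClientHello field runs past the end of the message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def take_vec(length_bytes: int) -> bytes:
        return take(int.from_bytes(take(length_bytes), "big"))

    out = {"record_version": record[1:3], "client_version": take(2), "random": take(32)}
    out["session_id"] = take_vec(1)
    suites = take_vec(2)
    out["cipher_suites"] = [struct.unpack(">H", suites[i:i + 2])[0] for i in range(0, len(suites) - 1, 2)]
    out["cipher_suite_names"] = [SUITE_NAMES.get(s, "0x%04X" % s) for s in out["cipher_suites"]]
    out["compression_methods"] = take_vec(1)
    out["server_name"] = None
    if pos < len(body):                                  # extensions are optional
        exts, epos = take_vec(2), 0
        while epos + 4 <= len(exts):
            etype, elen = struct.unpack(">HH", exts[epos:epos + 4])
            edata = exts[epos + 4:epos + 4 + elen]
            if len(edata) != elen:
                raise ValueError("extension runs past the end of the extensions block")
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name: list len, type, name len, name
                name_len = struct.unpack(">H", edata[3:5])[0]
                out["server_name"] = edata[5:5 + name_len].decode("ascii")
            epos += 4 + elen
    return out
```

The parser is the shape of what a network sensor uses to log offered cipher suites and SNI before any encryption starts, since the ClientHello is sent in the clear; the strict length checks are what keeps such a parser from being crashed by a truncated or malformed record.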
Advantage of TLS
The main advantage of TLS is that it is independent of the application protocol: any protocol above the transport layer can be run over it.
Disadvantages of TLS
The TLS standards do not specify how higher-level protocols add security; the designers and implementers of protocols that run above TLS must decide how to initiate the TLS handshake (for example on a dedicated port, or by upgrading an existing connection as STARTTLS does) and how to interpret the authentication certificates that are exchanged.
I will now describe how the SSH and TLS protocols differ and how each provides security for different applications:
FTP (File Transfer Protocol), originally designed for trusted scientific and research networks, has no security measures of its own. FTPS (FTP Secure) adds the TLS (or SSL) security protocol to encrypt FTP's connections, while SFTP is a different protocol that runs over the Secure Shell (SSH) network protocol and exchanges data over SSH's secure channel.
TLS encrypts data so that it cannot be sniffed, and it verifies certificates so that identities can be checked even though the channel itself is insecure. TLS is widely used on https:// web sites, but many applications fail to use TLS, or make only partial or incomplete use of it (for example by not verifying the server's certificate), so attacks remain possible. An SSH tunnel, using OpenSSH software, is an easy and safe way to protect all of an application's traffic.
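The "partial or incomplete use" above is usually a client that encrypts but never authenticates the server. The Python below is an added example using only the standard library's ssl module, not code from the page: it builds the weak client configuration next to a hardened one and includes a small audit function that reports the settings a reviewer would flag. Nothing here opens a network connection; the contexts would be used with `ctx.wrap_socket(sock, server_hostname=host)`.

```python
"""Partial use of TLS: a client context that encrypts but does not authenticate the server,
next to one that verifies the certificate chain and host name and refuses legacy versions.
Standard-library ssl only; nothing here opens a network connection."""
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The common mistake: traffic is encrypted, but any certificate is accepted, so an
    on-path attacker who presents their own certificate can read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: str = None) -> ssl.SSLContext:
    """Verify the chain against the system trust store (or the given CA file), check that
    the certificate matches the host name, and allow only TLS 1.2 and later."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise against a client's TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions (TLS 1.0/1.1 or older) allowed")
    return findings
```

The audit is worth running against contexts found in code review because the insecure form is exactly what `verify=False`-style shortcuts produce: the connection still shows as TLS on the wire, but the authentication that TLS is supposed to give has been switched off.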
As technology expands every day for home users and for small to large businesses in cyberspace, communication channels demand a more complex, higher level of privacy and security for one's data! My research shows that the SSH protocol provides a higher level of security than TLS for the encryption and authentication of data. Therefore, I think the SSH secure protocol is suitable for large organisations and businesses.
VanDyke Software White Paper