HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 188

Key and algorithm negotiation, Authentication

Page 188 highlights

either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use. 5. The server compares the version number carried in the packet with that of its own. If the server supports the version, the negotiation succeeds and the server and the client proceed with key and algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection. NOTE: All the packets involved in the preceding steps are transferred in plain text. Key and algorithm negotiation IMPORTANT: Before the key and algorithm negotiation, the server must have already generated a DSA or RSA key pair, which is used in generating the session key and session ID, and by the client to authenticate the identity of the server. For more information about DSA and RSA key pairs, see "Managing public keys." The server and the client send algorithm negotiation packets to each other, notifying the peer of the supported public key algorithms, encryption algorithms, Message Authentication Code (MAC) algorithms, and compression algorithms. Based on the received algorithm negotiation packets, the server and the client figure out the algorithms to be used. If the negotiation of any type of algorithm fails, the algorithm negotiation fails and the server tears down the connection with the client. The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID, and the client authenticates the identity of the server. Through the steps, the server and the client get the same session key and session ID. The session key will be used to encrypt and decrypt data exchanged between the server and client later. The session ID will be used to identify the session established between the server and client and will be used in the authentication stage. Authentication SSH supports the following authentication methods: • Password authentication-The SSH server uses AAA for authentication of the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into a password authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the username and password, checks the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result. If the remote AAA server requires the user for a password re-authentication, it carries a prompt in the authentication response sent to the client. The prompt is transparently transmitted to the client, and displayed on the client to notify the user to enter a specified password. After the user enters the correct password and passes validity check on the remote AAA server, the server returns an authentication success message to the client. • Publickey authentication-The server authenticates the client by the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server sends a message to the client to inform it of the authentication result. The switch supports using the publickey algorithms RSA and DSA for digital signature. 178

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285

178
either case, the client sends a packet to the server to notify the server of the protocol version that
it decides to use.
5.
The server compares the version number carried in the packet with that of its own. If the server
supports the version, the negotiation succeeds and the server and the client proceed with key and
algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection.
NOTE:
All the packets involved in the preceding steps are transferred in plain text.
Key and algorithm negotiation
IMPORTANT:
Before the key and algorithm negotiation, the server must have already generated a DSA or RSA key pair,
which is used in generating the session key and session ID, and by the client to authenticate the identity of
the server. For more information about DSA and RSA key pairs, see "
Managing public keys
."
The server and the client send algorithm negotiation packets to each other, notifying the peer of the
supported public key algorithms, encryption algorithms, Message Authentication Code (MAC)
algorithms, and compression algorithms.
Based on the received algorithm negotiation packets, the server and the client figure out the algorithms
to be used. If the negotiation of any type of algorithm fails, the algorithm negotiation fails and the server
tears down the connection with the client.
The server and the client use the DH key exchange algorithm and parameters such as the host key pair
to generate the session key and session ID, and the client authenticates the identity of the server.
Through the steps, the server and the client get the same session key and session ID. The session key will
be used to encrypt and decrypt data exchanged between the server and client later. The session ID will
be used to identify the session established between the server and client and will be used in the
authentication stage.
Authentication
SSH supports the following authentication methods:
Password authentication
—The SSH server uses AAA for authentication of the client. During
password authentication, the SSH client encrypts its username and password, encapsulates them
into a password authentication request, and sends the request to the server. After receiving the
request, the SSH server decrypts the username and password, checks the validity of the username
and password locally or by a remote AAA server, and then informs the client of the authentication
result. If the remote AAA server requires the user for a password re-authentication, it carries a
prompt in the authentication response sent to the client. The prompt is transparently transmitted to
the client, and displayed on the client to notify the user to enter a specified password. After the user
enters the correct password and passes validity check on the remote AAA server, the server returns
an authentication success message to the client.
Publickey authentication
—The server authenticates the client by the digital signature. During
publickey authentication, the client sends the
server a publickey authentication request that contains
its username, public key, and publickey algorithm information. The server checks whether the public
key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates
the client by the digital signature. Finally, the server sends a message to the client to inform it of the
authentication result. The switch supports using the publickey algorithms RSA and DSA for digital
signature.