Computer Science ›› 2025, Vol. 52 ›› Issue (2): 353-361. doi: 10.11896/jsjkx.231200187

• Information Security •

Improvement of SSH Transport Layer Protocol Based on Chain of Trust

WANG Xingguo¹, SUN Yunxiao¹, WANG Bailing¹,²

  ¹ School of Computer Science and Technology, Harbin Institute of Technology, Weihai, Shandong 264209, China
  ² Harbin Institute of Technology Research Institute of Cyberspace Security, Harbin 150001, China
  • Received: 2023-12-27  Revised: 2024-05-24  Online: 2025-02-15  Published: 2025-02-17
  • About author: WANG Xingguo, born in 2000, postgraduate. His main research interests include network security communication protocol, computer network and traffic classification.
    WANG Bailing, born in 1978, Ph.D, professor, Ph.D supervisor, is a member of CCF (No. W6689G). His main research interests include industrial Internet security, information security and financial security.

Abstract: Host keys identify SSH servers, and users are required to check host key fingerprints to authenticate the server. In practice, users often skip the fingerprint check when using SSH, which makes man-in-the-middle attacks based on host key replacement possible. To address this, an improvement to the SSH transport layer protocol based on a chain of trust is proposed. In the scheme, a chain of trust is established by signing the new host key with the old host key. The improved SSH protocol solves the trust problem for new host keys without requiring users to check fingerprints, thereby authenticating the server and greatly reducing the risk of man-in-the-middle attacks. Finally, the improved protocol is analyzed with ProVerif; the verification results show that it satisfies confidentiality and authentication and can resist man-in-the-middle attacks.
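The chain-of-trust idea in the abstract (the old host key signs the new one, so a client that already trusts the old key can accept the new key without a fingerprint check) can be sketched as follows. This is an added illustration, not the paper's protocol or message format: the use of Ed25519, the `Link` layout, the `label` prefix and the names `Rotate`, `VerifyChain` and `Demo` are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

const label = "host-key-rotation:" // hypothetical domain-separation label, not from the paper

// Link is one rotation step (hypothetical layout): the new host key, signed by the previous one.
type Link struct {
	NewKey ed25519.PublicKey
	Sig    []byte
}

// Rotate is the server side: sign the new public key with the old private key.
func Rotate(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) Link {
	return Link{newPub, ed25519.Sign(oldPriv, append([]byte(label), newPub...))}
}

// VerifyChain is the client side: walk from the pinned key to the presented key.
func VerifyChain(pinned, presented ed25519.PublicKey, chain []Link) error {
	cur := pinned
	for i, l := range chain {
		if len(cur) != ed25519.PublicKeySize || !ed25519.Verify(cur, append([]byte(label), l.NewKey...), l.Sig) {
			return fmt.Errorf("link %d is not signed by the preceding host key", i)
		}
		cur = l.NewKey
	}
	if !bytes.Equal(cur, presented) {
		return fmt.Errorf("presented key is not the end of a chain from the pinned key")
	}
	return nil
}

// Demo uses constructed keys: a two-step rotation, then a substituted key with a self-signed link.
func Demo() (legitOK, mitmRejected bool) {
	pub0, priv0, _ := ed25519.GenerateKey(nil)
	pub1, priv1, _ := ed25519.GenerateKey(nil)
	pub2, _, _ := ed25519.GenerateKey(nil)
	evilPub, evilPriv, _ := ed25519.GenerateKey(nil)
	chain := []Link{Rotate(priv0, pub1), Rotate(priv1, pub2)}
	legitOK = VerifyChain(pub0, pub2, chain) == nil
	mitmRejected = VerifyChain(pub0, evilPub, []Link{Rotate(evilPriv, evilPub)}) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

A client that last saw `pub0` accepts `pub2` only because every intermediate key was signed by its predecessor; a replaced key with no signature traceable to the pinned key is refused rather than shown to the user as a new fingerprint.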

Key words: Secure shell, Chain of trust, Man-in-the-middle attack, Security protocol, Formal analysis

CLC Number: TN915.04