decrypting ssh sessions

  1. #1

    decrypting ssh sessions

    A question was recently asked of me that has me kind of baffled. Is it possible to decrypt an ssh session on the network IDS node using a public key? I had no idea and I hate not knowing things. I've done some searching on the web and am still looking for something to enlighten me, but in the meantime, could someone break down how the encryption scheme with ssh works, and how public and private keys come into play with this protocol? To be more specific: if the public keys of servers running the ssh server/daemon were stored on the network IDS, could those packets be opened and examined? That is, if an attacker was able to open an ssh session to a server that he/she otherwise wouldn't be able to, how would the net security folks be able to see exactly what the attacker did? I know this might seem like a bunch of jumbled up ideas, but if someone could help or point me in the right direction, that would be cool. Thanks a ton.

    -the eeshman

  2. #2
    Senior Member tampabay420
    Join Date
    Aug 2002

    Question decrypting ssh?

    There are many exploits for particular versions. You can search for exploits (packetstorm, neworder, etc...), find/patch 'em - I'm not sure if that's what you were asking? Anyway, keep posting :-)
    yeah, I'm gonna need that by Friday...

  3. #3
    Senior Member roswell1329
    Join Date
    Jan 2002
    When dealing with public and private keys, just remember that nothing can be decrypted with public keys. The only key that does any decrypting is the private key that no one should ever see. The public key only encrypts data between two points. Ideally, the public key of the client should be used to encrypt all data to that client (because only the client will have the private key used to decrypt the message). Same goes for the server. All messages to the server should be encrypted with the server's public key (so the server can decrypt them with its private key). Keys always come in pairs. If a cracker did happen to pick up an encrypted packet stream between two nodes, he wouldn't have the private key of either side to decipher the information. Unless he had the time and the patience to break 1024-3096 bit encryption, the stream would be useless.

    Found a quick couple of links that may be helpful for you to learn about SSH:
    /* You are not expected to understand this. */

  4. #4
    Roswell, much appreciation to ya. That's exactly what I was looking for. Once again, thanx.

    -the eeshman

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Usually though, public/private key (asymmetric) encryption is used only for symmetric key exchange as it is more processing-intensive and thus slower...

    Credit travels up, blame travels down -- The Boss

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Like ammo says, PK encryption is not used to encrypt the data in the session. Symmetric encryption is used for the data (and probably passwords).

    It is the session key you need to obtain to decrypt the messages.

    I don't know if it's possible to obtain this key at all retrospectively as maybe the client / server throw the keys away after one session and never save them anywhere.

    I'm not familiar with the details of the key exchange so I don't know if even knowing the private key of the server would allow you to decrypt the messages.

    Knowing the public key of the server certainly isn't going to get you anywhere (anyone can get that) - the only way I can think of doing it would be to run a modified (weakened) server which stores the session keys somewhere so that you can subsequently decrypt the messages.

    This is, however, pointless, as it would be easier to modify the server to record the session.
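
Added example (not from any post in the thread): a sketch of the Diffie-Hellman style exchange that SSH-2 uses to agree on the symmetric session key, where the host key only signs the exchange and never encrypts traffic. It shows what a passive IDS sees on the wire versus what the endpoints compute. The toy prime, the SHA-256 key derivation and the XOR keystream are assumptions chosen to keep it self-contained, not SSH's real parameters or ciphers.

```python
import hashlib
import secrets

# Toy group parameters (constructed for this example; real SSH uses
# standardized 2048-bit+ groups or elliptic curves).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    Stand-in for the session cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[block:block + 32], pad))
    return bytes(out)

def derive_key(shared_secret: int) -> bytes:
    """Hash the shared secret into a 32-byte session key (assumed KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def run_session(plaintext: bytes) -> dict:
    # Each side picks a fresh secret exponent for this session only.
    x = secrets.randbelow(P - 3) + 2      # client secret, never sent
    y = secrets.randbelow(P - 3) + 2      # server secret, never sent
    e = pow(G, x, P)                      # client -> server, visible on the wire
    f = pow(G, y, P)                      # server -> client, visible on the wire
    client_key = derive_key(pow(f, x, P))  # client combines f with its secret
    server_key = derive_key(pow(e, y, P))  # server combines e with its secret
    ciphertext = keystream_xor(client_key, plaintext)
    return {
        # Everything a passive sensor can capture; no secret exponent is here.
        "wire": {"p": P, "g": G, "e": e, "f": f, "ciphertext": ciphertext},
        "client_key": client_key,
        "server_key": server_key,
    }

if __name__ == "__main__":
    s = run_session(b"uname -a\n")
    print("IDS sees:", s["wire"])
    print("server decrypts:",
          keystream_xor(s["server_key"], s["wire"]["ciphertext"]))
```

Because the secret exponents exist only in the memory of the two endpoints and are fresh per session, recording what the user did has to happen at an endpoint (for example, session logging on the server) rather than on the network sensor.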
