October 15th, 2002, 01:21 PM
decrypting ssh sessions
A question was recently asked of me that has me kind of baffled. Is it possible to decrypt an ssh session on the network IDS node using a public key? I had no idea and I hate not knowing things. I've done some searching on the web and am still looking for something to enlighten me, but in the meantime, could someone break down how the encryption scheme with ssh works, and how public and private keys come into play with this protocol. To be more specific; if the public keys of servers running the ssh server/daemon were stored on the network ids, could those packets be opened and examined? This being that if an attacker was able to open an ssh session to a server that he/she otherwise wouldn't be able to, how would the net security folks be able to see exactly what the attacker did? I know this might seem like a bunch of jumbled up ideas, but if someone could help or point me in the right direction, that would be cool. Thanks a ton.
October 15th, 2002, 01:38 PM
There are many exploits for particular versions. You can search for exploits (packetstorm, neworder, etc...) find/patch em' - I'm not sure if that's what you were asking? Anyway- Keep posting :-)
yeah, I\'m gonna need that by friday...
October 15th, 2002, 02:04 PM
When dealing with public and private keys, just remember that nothing can be decrypted with public keys. The only keys that do any decrypting is the private key that no one should ever see. The public key only encrypts data between two points. Ideally, the Public key of the client should be used to encrypt all data to that client (because only the client will have the private key used to decrypt the message). Same goes for the server. All messages to the server should be encrypted with the server's public key (so the server can decrypt them with it's private key). Keys always come in pairs. If a cracker did happen to pick up an encrypted packet stream between to nodes, he wouldn't have the private key of either side to decipher the information. Unless he had the time and the patience to break 1024-3096 bit encryption, the stream would be useless.
Found a quick couple of links that may be helpful for you to learn about SSH:
/* You are not expected to understand this. */
October 15th, 2002, 04:11 PM
Roswell, much appreciation to ya. That's exactly what I was looking for. Once again, thanx.
October 15th, 2002, 05:35 PM
Usually though, public/private key (assymetric) encryption is used only for symmetric key exchange as it is more processing intense and thus slower...
Credit travels up, blame travels down -- The Boss
October 15th, 2002, 10:29 PM
Like ammo says, PK encryption is not used to encrypt the data in the session. Symmetric encryption is used for the data (and probably passwords).
It is the session key you need to obtain to decrypt the messages.
I don't know if it's possible to obtain this key at all retrospectively as maybe the client / server throw the keys away after one session and never save them anywhere.
I'm not familiar with the details of the key exchange so I don't know if even knowing the private key of the server would allow you to decrypt the messages.
Knowing the public key of the server certainly isn't going to get you anywhere (anyone can get that) - the only way I can think of doing it would be to run a modified (weakened) server which stores the session keys somewhere so that you can subsequently decrypt the messages.
This is however, pointless, as it would be easier to modify the server to record the session.