Learning About SSH2

When you connect with SSH2 there are three components or layers involved: the Transport, Authentication and SSH Connection layer Protocols.

Transport Layer

When you first attempt to connect to an SSH2 site, Deva xFTP client and the server determine whether the transmission should be encrypted or clear, compressed or uncompressed, what Method Authentication Code (MAC) to use, and what kind of encryption (cipher) to use.

Once the encryption method is chosen the following happens:

1. Deva xFTP generates a random number x (1 < x < q) and computes e = g^x mod p. and then sends e to the sever.

2. Server generates a random number y (0 < y < q) and computes f = g^y mod p. Server receives e. compute the Hash value and send it to Deva xFTP.

3. Deva xFTP verify the server's host key. Compute the session ID and verify the Hash value sent from the server. From that time all transmitted data is encrypted with the session key.

Authentication Layer

After the Transport Layer is established, the server attempts to authenticate the client.

Common methods for establishing user authentication include:

• Public Key Authentication Method: public key

• To use this method, you will need your private key and your public key, which is passed to the server. The server encrypts a random number with your public key and sends it to you.

1. If you have not already entered your passphrase in SSH2 security settings, Deva xFTP asks you for your passphrase to activate the private key.

2. The private key decrypts the number and sends it back to the server.

3. The server recognizes the number as correct and allows the connection.

• Password Authentication Method: password

• Using this method, the client sends its password to server. The client does not need to explicitly encrypt the password, because the SSH2 Transport layer automatically encrypts it. This is the default in Deva xFTP. With this type of authentication, the connection fails if the Transport Layer cannot encrypt the data.

• Host Based Authentication Method:

• This method works by having the client send a signature created with the private key of the client host, which the server checks with that host's public key. Once the client host's identity is established, authorization (but no further authentication) is performed based on the user names on the server and the client, and the client host name.

After the encryption method is established and authentication is complete, the two systems are ready to exchange secure data. On the connection layer, Deva xFTP start a SFTP encrypted Session channel. from that time, you can begin transferring files securely.

Transport Layer settings

To select Message Authentication Codes (MAC)

Message Authentication Codes are algorithms used to confirm data has not been altered between the client and server.

1. From the Deva xFTP menu, select Tools > Options.

2. Select SSH2 Security.

3. Select at least one Message Authentication Code from the MAC list. There are four to choose from:

• MD5

• SHA1

• SHA1-96

• MD5-96

5. Select OK. Deva xFTP tries each selected MAC with the server starting with the top method in the MAC list.

To select encryption methods (ciphers)

1. From the Deva xFTP menu, select Tools > Options.

2. Select SSH2 Security.

3. Select at least one encryption method from the Cipher list. There are five available encryption types:

• AES256

• AES192

• AES128

• IDEA

• Cast128

• Triple DES (3DES)

• Twofish

• Blowfish    

• DES

5. Select OK. Deva xFTP tries each selected encryption method with the server starting with the top method in the Cipher list.

Available encryption algorithms

ARCFOUR: Arcfour is intended to be compatible with the RC4 cipher trademarked by RSA Data Security, makers of the famous PGP program. It uses a 128-bit key and provides good security.

CAST128: This cipher is the CAST-128 cipher in CBC mode, with 128 bit keys.

Triple DES (3DES): This algorithm uses a 24-bit “triple key” to encrypt data 3 times. The 24-bit key is split into 3 8-bit segments and each is used for encryption. Triple DES is fast, but not as strong as the other algorithms.

Blowfish: The Blowfish algorithm is a public-domain method using a 128-bit key. Blowfish was intended to be a replacement for 3DES. It provides good security.

Twofish: Twofish is an improved version of Blowfish using a 256-bit key. It provides the strongest security available in Deva xFTP Professional and should protect your data in most transfers.

Authentication layer settings

To use public key authentication

If you want to use public key authentication, you will need to send your public key to the server administrator before you will be able to make an SSH2 connection.  

1. From the Deva xFTP menu, select Tools > Options.

2. Select SSH2 Security.

3. Select the Use public key authentication check box. You are using public key authentication whenever the check box is selected, even if the box and check are dimmed.

4. Select OK.

To use password authentication

1. From the Deva xFTP menu, select Tools > Options.

2. Expand the Security function.

3. Select SSH2 Security.

4. Select the Use password authentication check box. You are using password authentication whenever the check box is selected, even if the box and check are dimmed.

5. Select OK.

To use Host Based authentication

1. From the Deva xFTP menu, select Tools > Options.

2. Select SSH2 security.

3. Make sure the Use Host Based authentication check box is selected. You are using Host Based authentication whenever the check box is selected, even if the box and check are dimmed.

4. Click OK.

Note:

Host Based authentication depends on the connecting SSH server feature.

Note:

You have to use at least one authentication method for an SSH2 connection. You can use all the three methods for the same SSH2 connection.