Originally designed as a secure replacement for the existing remote shell tools (rsh, telnet)
It now also permits file transfers, port forwarding, carrying forward keys for onward connections and even has a built-in VPN!
You can mount an SFTP location into your Linux File System with SSHFS
Protocol 8: SSH
How does it work?
Transport layer establishes a TLS-like encrypted tunnel on a trust-on-first-use (TOFU) basis, without a CA chain
User authentication layer confirms credentials
Password (also referred to as keyboard-interactive)
Public Key (RSA/DSA/EC/x509)
Connection Layer provides the shell, port forwarding and execution of any commands
Protocol 9: IPsec
Internet Protocol Security
Protocol 9: IPsec
What is it for?
To provide an authenticated tunnel between
Network-to-Network
Host-to-Network
Optionally, also to encrypt that tunnel
Protocol 9: IPsec
How does it work? 1/3
There are technically two modes, AH and ESP
AH (Authentication Header) provides authentication of origin and prevents replay attacks
ESP (Encapsulating Security Payload) adds encryption to the tunnel.
Both rely on IKE (Internet Key Exchange) to negotiate the SA (Security Association) that the AH or ESP modes use
Protocol 9: IPsec
How does it work? 2/3
IKE operates on UDP 500 or 4500 and starts by initiating a Diffie-Hellman key exchange to create a shared key
This key is used to create the Phase 1 SA, which is then authenticated with either a shared secret or x509 Certificates
The Phase 1 SA traffic is also protected with the negotiated cipher and hashing algorithm
Protocol 9: IPsec
How does it work? 3/3
Create Phase 2 SA for AH or ESP using Phase 1 SA
AH inserts a header into the IP packet carrying a sequence number, tied to the Phase 2 SA and the destination IP
ESP encrypts the entire IPv4 or IPv6 packet using the values from the IKE Phase 2 SA, adds the ESP headers and a hash to confirm it’s not been modified in transit
Take a shared secret key and the current unix epoch timestamp divided by the “timestep”, compute an HMAC-SHA1 of the timestep counter under the key, truncate the result to 4 bytes and reduce it to 6 decimal digits, then compare with the server’s value
If that TOTP value has already been seen, or its timestep is not more recent than the last accepted one, reject it as used.
The server computes the code for a number of “windows” either side of the current timestep; if the submitted code matches one of them, store that timestep as the last used.
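A worked implementation of the generation and server-side check described above, added here as an example (not the slide author's code). The secret and timestamps are constructed from the RFC 6238 reference test vector; the window size, step and replay rule are assumptions matching the slide, not values from any particular product.

```python
import hmac
import hashlib
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the timestep counter, then dynamic truncation."""
    counter = unix_time // step                      # number of timesteps since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps of now, and never twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_used_step = -1                     # highest timestep already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = now_step + delta
            if candidate_step <= self.last_used_step:
                continue                             # replay, or older than the last accepted code
            expected = totp(self.secret, candidate_step * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_used_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 reference key (constructed test vector, not a real secret)
    server = TotpVerifier(SECRET)
    code = totp(SECRET, 59)
    print(code, server.verify(code, 59), server.verify(code, 59))  # 287082 True False
```

The second `verify` call with the same code is rejected because its timestep is no longer newer than the last accepted one, which is the replay rule from the slide.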