mancha mancha1 at hush.com
Fri Mar 7 06:08:36 EST 2014

Tomas Kuthan <tomas.kuthan <at> oracle.com> writes:

> On 03/ 6/14 04:02 PM, Stephen Harris wrote:
> > Am I correct in assuming that the user and host public/private keys used
> > in openSSH are only used for authentication (is the remote server known to
> > be X, is this Harry trying to login), and have no role in the encryption?
> >
> > I was under the assumption that each connection used a newly generated
> > key (using DH for key exchange) so each session was unique.
> >
> > (I believe this because the transport layer needs to be set up before
> >   user keys are even presented, and rfc4253 #6.3 doesn't mention the host
> >   key).
> >
> > I'm being asked to provide private keys to allow network sniffing
> > (problem analysis) but I'm not sure this is the right thing to do
> > because I'm not convinced these keys are used as part of the encryption!
> >
> > Thanks...
> >
> Hi Stephen,
> your understanding is correct.
> In DH key exchange, the server's private key is used by the server to create
> a signature of the exchange hash and the public key is used by the client to
> verify this signature.
> To an eavesdropper these keys have no value, because they are not able to
> deduce the session key, nor the exchange hash.
> Tomas

I am glad people are curious about the role things like host keys have
(or don't have) in kexinit, transport, etc. Especially timely given
recent (and not so recent) descriptions of side-channel attacks against
algorithms such as OpenSSL ECDSA signing.

A detailed flow diagram might speak a thousand words. Anyone have
something like that handy?

Note: these terms can get a little tricky but OpenSSH distinguishes
between "host" keys and ephemeral "server" keys used in SSH1 mode.
Excuse the pedantry.
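
The key exchange discussed in this thread, sketched as an added example that is not part of the original messages and is not OpenSSH code: the host key only signs the exchange hash H, while the encryption key is derived from the ephemeral DH secret K as in RFC 4253 section 7.2. Assumptions: the DH modulus and textbook-RSA host key are toy values constructed for the demo, H is simplified to omit the version strings and KEXINIT payloads, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; not a real SSH group or key.
P, G = 2**521 - 1, 3                        # DH modulus (a Mersenne prime), generator
HOST_P, HOST_Q, HOST_E = 2**521 - 1, 2**607 - 1, 65537
HOST_N = HOST_P * HOST_Q                    # host PUBLIC key (with HOST_E)
HOST_D = pow(HOST_E, -1, (HOST_P - 1) * (HOST_Q - 1))   # host PRIVATE key

def mpint(n):
    """SSH mpint: 4-byte length, then big-endian bytes with a spare sign bit."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body

def exchange_hash(host_pub, e, f, k):
    # Simplified H = HASH(K_S || e || f || K); the real one hashes more fields.
    return hashlib.sha256(b"".join(mpint(v) for v in (host_pub, e, f, k))).digest()

def derive_key(k, h, letter, session_id):
    # RFC 4253 section 7.2: key = HASH(K || H || letter || session_id)
    return hashlib.sha256(mpint(k) + h + letter + session_id).digest()

def run_session():
    x = secrets.randbelow(P - 3) + 2        # client ephemeral secret, never sent
    y = secrets.randbelow(P - 3) + 2        # server ephemeral secret, never sent
    e, f = pow(G, x, P), pow(G, y, P)       # public DH values, sent in the clear

    # Server: shared secret K, exchange hash H, signature over H with host key.
    k_server = pow(e, y, P)
    h_server = exchange_hash(HOST_N, e, f, k_server)
    sig = pow(int.from_bytes(h_server, "big"), HOST_D, HOST_N)

    # Client: own copy of K, recompute H, verify sig with the host PUBLIC key.
    k_client = pow(f, x, P)
    h_client = exchange_hash(HOST_N, e, f, k_client)
    verified = pow(sig, HOST_E, HOST_N) == int.from_bytes(h_client, "big")

    # "C" = client-to-server encryption key; session_id is H of the first kex.
    return {
        "wire": (e, f, sig),                # everything a sniffer captures
        "host_verified": verified,
        "client_key": derive_key(k_client, h_client, b"C", h_client),
        "server_key": derive_key(k_server, h_server, b"C", h_server),
    }
```

The host private key appears only where the signature is produced; the derived key depends on `x` and `y`, which are regenerated for every session and never cross the wire.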


More information about the openssh-unix-dev mailing list