CN112738064A - Method for improving security of SSH protocol based on SM2 and SM4 cryptographic algorithm - Google Patents

Info

Publication number: CN112738064A
Authority: CN (China)
Prior art keywords: ssh, algorithm, modifying, ssh protocol, cipher
Legal status: Pending
Application number: CN202011559517.6A
Other languages: Chinese (zh)
Inventors: 单酉, 冀天宇
Current Assignee: Beijing Casicloud Co ltd
Original Assignee: Beijing Casicloud Co ltd
Application filed by Beijing Casicloud Co ltd
Priority to CN202011559517.6A
Publication of CN112738064A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/02 Protocol performance
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of networks, in particular to a method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms. The symmetric and asymmetric encryption algorithms in the SSH protocol are replaced by SM2 and SM4, so that the security of the SSH protocol in a classified (secret-related) network is improved and its security risk in such a network is avoided. The method comprises the following steps: during the SSH connection process, the key authentication algorithm is replaced by the SM2 national cryptographic algorithm, and in the client-server communication stage the symmetric encryption algorithm is replaced by the SM4 national cryptographic algorithm, thereby realizing an SSH protocol that supports the national cryptographic algorithms.

Description

Method for improving security of SSH protocol based on SM2 and SM4 cryptographic algorithm
Technical Field
The invention relates to the technical field of networks, in particular to a method for improving the security of an SSH protocol based on SM2 and SM4 cryptographic algorithms.
Background
Secure Shell (SSH) is an encrypted network transport protocol that can provide a secure transport environment for network services on an insecure network. Fig. 1 shows a diagram of the SSH connection process. SSH establishes a connection between an SSH client and a server by creating a secure tunnel through the network. The most common use of SSH is remote login, where people typically use SSH to carry a command-line interface and execute commands remotely. SSH is most often used on Unix-like systems, but Windows operating systems can also use SSH to a limited extent. In 2015, Microsoft announced that native SSH protocol support would be provided in future operating systems, and Windows 10 version 1803 ships the OpenSSH tool.
SSH implements authentication with asymmetric encryption. There are several ways to verify identity: one is simply to encrypt the network connection using an automatically generated public/private key pair and then log in with password authentication; another is to generate a public/private key pair manually and authenticate with the generated key, so that login can proceed without entering a password. Anyone can generate such a key themselves. The public key must be placed on the computer to be accessed, and the corresponding private key must be kept by the user. The authentication process relies on the generated private key, but the private key is never transmitted over the network during authentication.
There are two major versions of the SSH protocol, SSH-1 and SSH-2. Regardless of the version, it is important to verify keys from unknown sources, because SSH only verifies that the presenting user holds the private key matching the public key, and the server grants access as soon as the public key is accepted. Thus, once a malicious attacker's public key is accepted, the system will treat the attacker as a legitimate user.
In Unix-like systems, the public keys authorized for login are typically kept in the ~/.ssh/authorized_keys file in the user's home directory, which is used only by SSH. When the remote machine holds the public key and the local machine holds the corresponding private key, the login process no longer requires manually entering a password. In addition, the private key itself can be encrypted for additional security. SSH requires that a private key file not be accessible to multiple users: on Linux its file permissions should be set to 0600; on Windows, inherited permissions should be removed from the file and Full control granted only to the user. The private key may be stored in a fixed location or specified by a command-line parameter (e.g., the "-i" option of the ssh command). ssh-keygen is one of the tools used to generate keys. SSH also supports password-based authentication, in which keys are generated automatically. If the client and server have never authenticated each other and SSH has not recorded the key used by the server, an attacker can impersonate the server to request and obtain the password, i.e., a man-in-the-middle attack. However, password authentication can be disabled, and the SSH client will warn the user when a new key or an unknown server is encountered.
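The private-key permission rule stated above, as an added example in Go (this is not code from the patent or from OpenSSH, and the function names CheckPrivateKeyPerms and EnforcePrivateKeyPerms are this example's own): it rejects a key file whose group or other permission bits are set and, on request, tightens it to the 0600 the text prescribes. OpenSSH performs an equivalent check and refuses to load an over-permissive key, so a tool that manages keys for an SSH deployment should apply the same rule before use.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// CheckPrivateKeyPerms returns nil when path is a regular file whose group and
// other permission bits are all clear (0600 or stricter), which is the Linux
// condition the text states; any other mode yields a descriptive error.
func CheckPrivateKeyPerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	perm := info.Mode().Perm()
	if open := perm & 0o077; open != 0 {
		return fmt.Errorf("%s: permissions %04o are too open; group/other bits %04o must be cleared (expected 0600)", path, perm, open)
	}
	return nil
}

// EnforcePrivateKeyPerms tightens an over-permissive regular file to 0600 and
// returns the mode it had before, so a caller can log the correction.
func EnforcePrivateKeyPerms(path string) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	before := info.Mode().Perm()
	if !info.Mode().IsRegular() {
		return before, fmt.Errorf("%s: not a regular file", path)
	}
	if before&0o077 != 0 {
		if err := os.Chmod(path, 0o600); err != nil {
			return before, err
		}
	}
	return before, nil
}

func main() {
	dir, err := os.MkdirTemp("", "sshkeyperm")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	// Constructed sample: a placeholder file created with the too-open mode 0644.
	path := filepath.Join(dir, "id_example")
	_ = os.WriteFile(path, []byte("constructed placeholder, not a real key\n"), 0o644)
	fmt.Println("before:", CheckPrivateKeyPerms(path))
	before, _ := EnforcePrivateKeyPerms(path)
	fmt.Printf("tightened from %04o; after: %v\n", before, CheckPrivateKeyPerms(path))
}
```

The check masks the mode with 0o077 rather than comparing it to exactly 0600, so a key already stored as 0400 (read-only for the owner) still passes; only bits that expose the file to the group or to others are grounds for rejection. The Windows rule from the text (remove inherited ACEs, grant Full control only to the user) is an ACL question that os.FileMode does not model, so this check is meaningful on POSIX systems only.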
The classic use of SSH is logging in to a remote computer to execute commands. SSH also supports tunnelling, port forwarding, and X11 connections, among other things. SSH can also transfer files by means of the SFTP or SCP protocols. SSH uses a client-server model and a standard port of 22. The server runs an SSH daemon to accept connections from remote hosts, and the user connects to it with an SSH client. Most modern operating systems (including macOS, most Linux distributions, OpenBSD, FreeBSD, Solaris, and so on) provide SSH, and Windows also ships SSH programs (since Windows 10 version 1809). At the software level, a great deal of proprietary, free and open-source SSH software has been developed, such as file management software (synchronization, copying, deletion, etc.): for example, PuTTY and WinSCP on Windows, and Konqueror on Unix-like systems. From the perspective of cloud computing, SSH can prevent some of the security problems caused by direct exposure to the internet and plays an important role in solving connectivity problems. An SSH tunnel can provide a secure channel between the internet, a firewall, and a virtual machine.
SSH was designed as a replacement for Telnet and other insecure remote shells. Protocols such as Telnet and the Berkeley rlogin, rsh and rexec use plaintext transmission and unreliable passwords, and are easy to monitor, sniff and attack with a man-in-the-middle. SSH is intended to ensure that information is encrypted completely and reliably in an insecure network environment (e.g., the internet).
Cryptographic algorithms are a core technology for guaranteeing information security; in particular, the most critical banking core systems have long used the internationally accepted cryptographic algorithm systems such as 3DES, SHA-1, RSA and AES and their related standards. At the end of 2010, the State Cryptography Administration of China published an elliptic curve public key cryptographic algorithm (the SM2 algorithm) developed independently in China. To ensure the security of cryptographic applications in important economic systems, the State Cryptography Administration issued the 'Notice on completing the upgrade of public key cryptographic algorithms' in 2011, requiring that public key infrastructure, electronic authentication systems and key management systems built or proposed from 1 March 2011 use the national cryptographic algorithm. From 1 July 2011, information systems using public key cryptography that are brought into service should use the SM2 algorithm.
Disclosure of Invention
In order to solve the technical problems above, the invention provides a method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms, which uses SM2 and SM4 to replace the asymmetric and symmetric encryption algorithms in the SSH protocol, improves the security of the SSH protocol in a classified (secret-related) network, and avoids its security risk in such a network.
The invention discloses a method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms, which comprises the following steps: during the SSH connection process, the key authentication algorithm is replaced by the SM2 national cryptographic algorithm, and in the client-server communication stage the symmetric encryption algorithm is replaced by the SM4 national cryptographic algorithm, thereby realizing an SSH protocol that supports the national cryptographic algorithms.
The invention discloses a method for improving security of an SSH protocol based on SM2 and SM4 cryptographic algorithms, which comprises the following steps:
S1, taking the official golang crypto code as the project root directory;
S2, creating the folders SM2 and SM4 in the project root directory and copying the contents of the SM2 and SM4 folders of the code library into the newly created SM2 and SM4 folders respectively;
S3, modifying the ssh/cipher.go file: adding the function newSM4CTR(key, iv []byte) (cipher.Stream, error) to create the SM4 algorithm object, and adding an entry 'sm4128-ctr' to the cipherModes table so that other methods can call it;
S4, modifying the ssh/common.go file: adding the entry 'sm4128-ctr' to the supportedCiphers and preferredCiphers arrays so that other methods can call it;
S5, modifying the ssh/server.go file: modifying the isAcceptableAlgo function and adding the KeyAlgoSM2P256 and KeyAlgoSM4P256 objects;
S6, modifying the ssh/agent/client.go file: adding the sm2KeyMsg and sm2CertMsg structs and implementing the algorithm's serialization and deserialization methods, such as parseSM2Key, parseSM2Cert and unmarshalSM2.
Compared with the prior art, the invention has the following beneficial effects. The SSH protocol only supports standard international encryption algorithms such as AES and RSA, which is a potential threat to the information security of classified sites in China; the national cryptographic algorithms are domestic commercial algorithms approved by the State Cryptography Administration and play an important role in guaranteeing information security. The scheme is realized by modifying the SSH implementation in the official golang code (https://github.com/golang/crypto), replacing the international algorithms with the national ones. The code can be compiled directly into a binary, a server can easily support a large number of client connections, and the resulting SSH protocol has high performance. Because the code is developed in golang, it is easy to maintain and supports subsequent feature extension well.
Drawings
Fig. 1 is a diagram of the SSH connection process in the prior art.
Fig. 2 is a diagram of the SSH connection process of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
The invention discloses a method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms, which comprises the following steps: during the SSH connection process, the key authentication algorithm is replaced by the SM2 national cryptographic algorithm, and in the client-server communication stage the symmetric encryption algorithm is replaced by the SM4 national cryptographic algorithm, thereby realizing an SSH protocol that supports the national cryptographic algorithms.
The method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms comprises the following steps:
S1, taking the official golang crypto code (https://github.com/golang/crypto) as the project root directory;
S2, creating the folders SM2 and SM4 in the project root directory and copying the contents of the SM2 and SM4 folders of the code library (https://github.com/tjfoc/gmsm) into the newly created SM2 and SM4 folders respectively;
S3, modifying the ssh/cipher.go file: adding the function newSM4CTR(key, iv []byte) (cipher.Stream, error) to create the SM4 algorithm object, and adding an entry 'sm4128-ctr' to the cipherModes table so that other methods can call it;
S4, modifying the ssh/common.go file: adding the entry 'sm4128-ctr' to the supportedCiphers and preferredCiphers arrays so that other methods can call it;
S5, modifying the ssh/server.go file: modifying the isAcceptableAlgo function and adding the KeyAlgoSM2P256 and KeyAlgoSM4P256 objects;
S6, modifying the ssh/agent/client.go file: adding the sm2KeyMsg and sm2CertMsg structs and implementing the algorithm's serialization and deserialization methods, such as parseSM2Key, parseSM2Cert and unmarshalSM2.
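Steps S3 and S4 hinge on a cipher constructor with the signature newSM4CTR(key, iv []byte) (cipher.Stream, error) and on registering its name in the x/crypto/ssh cipher table. The following Go program is an added example, not the patent's code, the tjfoc/gmsm library, or x/crypto/ssh itself: it implements the SM4 block cipher of GB/T 32907-2016 directly (so it runs offline without gmsm), wraps it in the standard library's CTR mode behind a newSM4CTR with that signature, and registers it under the page's 'sm4128-ctr' name in a cipherModes map that is a simplified stand-in for the real table (the real entries also carry key and IV sizes and build a MAC-protected packet cipher). XORStream is this example's own helper that shows the name-to-constructor lookup; it is not a function in x/crypto/ssh.

```go
package main

import (
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// SM4 S-box (GB/T 32907-2016), 256 bytes in row order, followed by system parameter FK.
var sbox, _ = hex.DecodeString(
	"d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa441326498606999c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6" +
		"4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d351e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e" +
		"eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e31df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51" +
		"8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b08969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
var fk = [4]uint32{0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc}

// ck returns round constant CK_i from its definition: byte j of CK_i is (4i+j)*7 mod 256.
func ck(i int) uint32 {
	return uint32(byte(28*i))<<24 | uint32(byte(28*i+7))<<16 | uint32(byte(28*i+14))<<8 | uint32(byte(28*i+21))
}

// tau applies the S-box bytewise; lRound and lKey are the linear layers of the round function and key schedule.
func tau(x uint32) uint32 {
	return uint32(sbox[x>>24])<<24 | uint32(sbox[x>>16&0xff])<<16 | uint32(sbox[x>>8&0xff])<<8 | uint32(sbox[x&0xff])
}
func lRound(b uint32) uint32 {
	return b ^ bits.RotateLeft32(b, 2) ^ bits.RotateLeft32(b, 10) ^ bits.RotateLeft32(b, 18) ^ bits.RotateLeft32(b, 24)
}
func lKey(b uint32) uint32 { return b ^ bits.RotateLeft32(b, 13) ^ bits.RotateLeft32(b, 23) }

type sm4Cipher struct{ rk, rkRev [32]uint32 } // round keys in encryption and decryption order

// NewSM4 expands a 128-bit key into 32 round keys and returns a cipher.Block.
func NewSM4(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("sm4: key must be 16 bytes")
	}
	var k [4]uint32
	for i := range k {
		k[i] = binary.BigEndian.Uint32(key[4*i:]) ^ fk[i]
	}
	c := &sm4Cipher{}
	for i := 0; i < 32; i++ {
		c.rk[i] = k[0] ^ lKey(tau(k[1]^k[2]^k[3]^ck(i)))
		c.rkRev[31-i] = c.rk[i]
		k = [4]uint32{k[1], k[2], k[3], c.rk[i]}
	}
	return c, nil
}

func (c *sm4Cipher) BlockSize() int          { return 16 }
func (c *sm4Cipher) Encrypt(dst, src []byte) { rounds(dst, src, c.rk[:]) }
func (c *sm4Cipher) Decrypt(dst, src []byte) { rounds(dst, src, c.rkRev[:]) }

// rounds runs X[i+4] = X[i] ^ T(X[i+1]^X[i+2]^X[i+3]^rk[i]) for 32 rounds and emits (X35, X34, X33, X32).
func rounds(dst, src []byte, rk []uint32) {
	var x [4]uint32
	for i := range x {
		x[i] = binary.BigEndian.Uint32(src[4*i:])
	}
	for i := 0; i < 32; i++ {
		x = [4]uint32{x[1], x[2], x[3], x[0] ^ lRound(tau(x[1]^x[2]^x[3]^rk[i]))}
	}
	for i := range x {
		binary.BigEndian.PutUint32(dst[4*i:], x[3-i])
	}
}

// newSM4CTR has the signature step S3 adds to ssh/cipher.go; the body is this example's own and
// wraps the SM4 block in the standard library's CTR mode. cipher.NewCTR panics on a wrong IV length.
func newSM4CTR(key, iv []byte) (cipher.Stream, error) {
	block, err := NewSM4(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("sm4128-ctr: iv must be %d bytes", block.BlockSize())
	}
	return cipher.NewCTR(block, iv), nil
}

// cipherModes sketches the x/crypto/ssh table that step S3 extends; "sm4128-ctr" is the patent's name.
var cipherModes = map[string]func(key, iv []byte) (cipher.Stream, error){"sm4128-ctr": newSM4CTR}

// XORStream resolves a negotiated cipher name through the table and runs its keystream over data.
func XORStream(name string, key, iv, data []byte) ([]byte, error) {
	create, ok := cipherModes[name]
	if !ok {
		return nil, fmt.Errorf("unsupported cipher %q", name)
	}
	s, err := create(key, iv)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	s.XORKeyStream(out, data)
	return out, nil
}

func main() {
	kp, _ := hex.DecodeString("0123456789abcdeffedcba9876543210") // GB/T 32907 test vector: key == plaintext
	b, _ := NewSM4(kp)
	ct := make([]byte, 16)
	b.Encrypt(ct, kp)
	fmt.Printf("%x\n", ct) // 681edf34d206965e86b3e94f536e4246
}
```

Running it prints the ciphertext of the standard's single-block test vector (key and plaintext both 0123456789abcdeffedcba9876543210 give 681edf34d206965e86b3e94f536e4246), which is the first thing to check before wiring any cipher into a transport. Two points a reviewer of such a patch would look for are visible here: the IV length is validated before cipher.NewCTR, which would otherwise panic on a malformed negotiation, and CTR mode provides no integrity on its own, so the real ssh package must still pair the stream with a MAC exactly as it does for aes128-ctr.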
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (2)

1. A method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms, characterized by comprising the following steps: during the SSH connection process, the key authentication algorithm is replaced by the SM2 national cryptographic algorithm, and in the client-server communication stage the symmetric encryption algorithm is replaced by the SM4 national cryptographic algorithm, thereby realizing an SSH protocol that supports the national cryptographic algorithms.
2. The method for improving the security of the SSH protocol based on the SM2 and SM4 cryptographic algorithms as claimed in claim 1, comprising the following steps:
S1, taking the official golang crypto code as the project root directory;
S2, creating the folders SM2 and SM4 in the project root directory and copying the contents of the SM2 and SM4 folders of the code library into the newly created SM2 and SM4 folders respectively;
S3, modifying the ssh/cipher.go file: adding the function newSM4CTR(key, iv []byte) (cipher.Stream, error) to create the SM4 algorithm object, and adding an entry 'sm4128-ctr' to the cipherModes table so that other methods can call it;
S4, modifying the ssh/common.go file: adding the entry 'sm4128-ctr' to the supportedCiphers and preferredCiphers arrays so that other methods can call it;
S5, modifying the ssh/server.go file: modifying the isAcceptableAlgo function and adding the KeyAlgoSM2P256 and KeyAlgoSM4P256 objects;
S6, modifying the ssh/agent/client.go file: adding the sm2KeyMsg and sm2CertMsg structs and implementing the algorithm's serialization and deserialization methods, such as parseSM2Key, parseSM2Cert and unmarshalSM2.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011559517.6A CN112738064A (en) 2020-12-25 2020-12-25 Method for improving security of SSH protocol based on SM2 and SM4 cryptographic algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011559517.6A CN112738064A (en) 2020-12-25 2020-12-25 Method for improving security of SSH protocol based on SM2 and SM4 cryptographic algorithm

Publications (1)

Publication Number Publication Date
CN112738064A true CN112738064A (en) 2021-04-30

Family

ID=75615987

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011559517.6A Pending CN112738064A (en) 2020-12-25 2020-12-25 Method for improving security of SSH protocol based on SM2 and SM4 cryptographic algorithm

Country Status (1)

Country Link
CN (1) CN112738064A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103338215A (en) * 2013-07-26 2013-10-02 中金金融认证中心有限公司 Method for establishing TLS (Transport Layer Security) channel based on state secret algorithm
US20170338958A1 (en) * 2016-05-19 2017-11-23 Arris Enterprises Llc Implicit rsa certificates
CN110995414A (en) * 2019-12-23 2020-04-10 中金金融认证中心有限公司 Method for establishing channel in TLS1_3 protocol based on cryptographic algorithm
CN112003843A (en) * 2020-08-12 2020-11-27 中电科技(北京)有限公司 SSL authentication method and device for domestic BMC server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蔡成杭 (Cai Chenghang): "Design, implementation and application of OpenSSL supporting domestic cryptographic algorithms", Journal of Information Security Research (信息安全研究) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113242136A (en) * 2021-05-24 2021-08-10 中交信通网络科技有限公司 Safe white box network device based on state secret authentication
CN113572819A (en) * 2021-06-30 2021-10-29 深圳市证通云计算有限公司 SM3 cryptographic algorithm-based SFTP file transmission summary verification method
CN113572741A (en) * 2021-06-30 2021-10-29 深圳市证通云计算有限公司 Method for realizing safe data transmission based on SM2-SM3-SM4 algorithm
CN114124559A (en) * 2021-11-23 2022-03-01 杭州默安科技有限公司 Host identification method based on public key fingerprint
CN114124559B (en) * 2021-11-23 2024-04-02 杭州默安科技有限公司 Host recognition method based on public key fingerprint

Similar Documents

Publication Publication Date Title
CN110249332B (en) Addressing trusted execution environments using encryption keys
CN111416807B (en) Data acquisition method, device and storage medium
KR101130415B1 (en) A method and system for recovering password protected private data via a communication network without exposing the private data
RU2718689C2 (en) Confidential communication control
US9847882B2 (en) Multiple factor authentication in an identity certificate service
US9330245B2 (en) Cloud-based data backup and sync with secure local storage of access keys
US9461820B1 (en) Method and apparatus for providing a conditional single sign on
JP4222834B2 (en) Method and apparatus for storing a cryptographic key that authenticates a key server by obtaining and securely distributing the stored key
US8452954B2 (en) Methods and systems to bind a device to a computer system
CN110249336B (en) Addressing trusted execution environments using signing keys
JP5564453B2 (en) Information processing system and information processing method
CN112738064A (en) Method for improving security of SSH protocol based on SM2 and SM4 cryptographic algorithm
CN110784491A (en) Internet of things safety management system
CN116490868A (en) System and method for secure and fast machine learning reasoning in trusted execution environments
EP4096147A1 (en) Secure enclave implementation of proxied cryptographic keys
US11777721B2 (en) Method and apparatus for two-step data signing
KR102591826B1 (en) Apparatus and method for authenticating device based on certificate using physical unclonable function
EP4096160A1 (en) Shared secret implementation of proxied cryptographic keys
CN111600948B (en) Cloud platform application and data security processing method, system, storage medium and program based on identification password
EP4145763A1 (en) Exporting remote cryptographic keys
CN115378740A (en) Method for realizing bidirectional authentication login based on trusted opennsh
KR102288444B1 (en) Firmware updating method, apparatus and program of authentication module
KR102539418B1 (en) Apparatus and method for mutual authentication based on physical unclonable function
CA3210990C (en) End to end encryption with roaming capabilities
WO2023151427A1 (en) Quantum key transmission method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210430