Huawei Quidway S3500 Series Operation Manual page 643

Operation Manual - System Management
Quidway S3500 Series Ethernet Switches
The communication process between the server and the client consists of five stages:
version negotiation, key negotiation, authentication, session request, and interactive
session.
Version negotiation stage: The client sends a TCP connection request to the server.
Once the TCP connection is established, both ends negotiate the SSH version. If they
agree on a version they can both run, they enter the key algorithm negotiation stage;
otherwise the server tears down the TCP connection.
Key negotiation stage: Both ends negotiate the key algorithm and compute the session
key. The server randomly generates its RSA key pair and sends the public key to the
client. The client computes the session key from the server's public key and a random
number it generates locally, encrypts that random number with the server's public key,
and sends the ciphertext to the server. The server decrypts the received data with its
private key to recover the client's random number, then applies the same algorithm to
the server public key and the recovered random number to obtain the session key. Both
ends thus hold the same key although the key itself never crosses the network; it is
used at both ends for encryption and decryption. Note that the session key is fully
determined by values the server's private key can recover, so anyone who records the
exchange and later obtains that private key can also recover the session key.
Authentication stage: After the session key is established, the server authenticates
the user at the client. The client sends its username to the server. If the username
has been created and configured for no authentication, the authentication stage is
skipped for this user; otherwise authentication proceeds. SSH supports two
authentication types: password authentication and RSA authentication. In password
authentication, the server compares the received username and password with those
configured locally; the user may log in to the switch only if both match exactly. RSA
authentication works as follows: the RSA public key of the client user is configured on
the server. The client first sends the modulus of its RSA public key to the server,
which checks that it matches the configured key. If it is valid, the server generates a
random number, encrypts it with the client's RSA public key and sends it to the client.
Both ends compute authentication data from the random number and the session ID. The
client sends its authentication data back to the server, which compares it with the
authentication data it computed locally. If they match exactly, the user is allowed to
access the switch; otherwise authentication fails.
Session request stage: The client sends session request messages to the server, which
processes them.
Interactive session stage: Both ends exchange data until the session ends.
Session packets are encrypted in transit and the session key is generated randomly. The
session key is exchanged under encryption, and RSA authentication completes without the
key itself crossing the network, so SSH protects the confidentiality of server-client
data. Authentication also proceeds even when the received username is not configured on
the server, so an intruder cannot tell from the server's behaviour whether a guessed
username exists; this protects usernames as well.
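The exchange described above, carried through as an added example with both sides' messages visible (this is not code from the Huawei manual or the switch software): Python with a textbook RSA over constructed Mersenne primes, an assumed SHA-256 key derivation, session ID and authentication-data function (the manual only says "the same algorithm" is used at both ends), a constructed user table, and a made-up username and password. It shows the session key agreeing at both ends with only the RSA ciphertext on the wire, password and RSA authentication succeeding for the configured user, and both failing for an unknown username, an unconfigured key, and a client that presents the right public key without holding the private key.

```python
"""Simulation of the SSH exchange described above (key negotiation, password and
RSA authentication) with both sides' messages visible. Textbook RSA on fixed
Mersenne primes: a teaching aid, not a secure implementation."""
import hashlib
import hmac
import secrets

# Constructed key material: Mersenne primes so the example is self-contained.
SERVER_P, SERVER_Q = (1 << 127) - 1, (1 << 89) - 1
CLIENT_P, CLIENT_Q = (1 << 107) - 1, (1 << 61) - 1


def rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); e is coprime to (p-1)(q-1) for the primes above."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def int_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def derive_session_key(server_pub, client_random):
    """Assumed KDF over the server public key and the client's random number."""
    n, e = server_pub
    return hashlib.sha256(b"session" + int_bytes(n) + int_bytes(e) + int_bytes(client_random)).digest()


def key_negotiation(server_pub, server_priv):
    """Key negotiation stage. Only the RSA ciphertext crosses the wire; the key itself never does."""
    n = server_pub[0]
    client_random = secrets.randbelow(n - 2) + 1                      # client: local random number
    client_key = derive_session_key(server_pub, client_random)        # client: session key
    wire_ciphertext = rsa_encrypt(server_pub, client_random)          # client -> server
    server_key = derive_session_key(server_pub, rsa_decrypt(server_priv, wire_ciphertext))  # server
    return client_key, server_key, wire_ciphertext


def session_id(server_pub, wire_ciphertext):
    """Assumed session ID: a hash of values both ends have seen."""
    return hashlib.sha256(int_bytes(server_pub[0]) + int_bytes(wire_ciphertext)).digest()


def auth_data(challenge, sid):
    """Authentication data computed from the random number and the session ID."""
    return hashlib.sha256(int_bytes(challenge) + sid).digest()


def password_authenticate(local_users, username, password):
    """Password authentication. The comparison runs even for an unknown username,
    so an intruder learns nothing about whether the username exists."""
    expected = local_users.get(username, "")
    same = hmac.compare_digest(expected.encode(), password.encode())
    return same and username in local_users


def rsa_authenticate(authorized_keys, username, client_pub, client_priv, sid):
    """RSA authentication. The server validates the presented key against the one
    configured for the user; the challenge runs either way so a rejected username
    is not distinguishable from a failed proof."""
    key_valid = authorized_keys.get(username) == client_pub            # server: validity check
    challenge = secrets.randbelow(client_pub[0] - 2) + 1               # server: random number
    wire_challenge = rsa_encrypt(client_pub, challenge)                # server -> client
    client_proof = auth_data(rsa_decrypt(client_priv, wire_challenge), sid)  # client -> server
    server_proof = auth_data(challenge, sid)                           # server: local copy
    return key_valid and hmac.compare_digest(client_proof, server_proof)


def demo():
    """Run the whole exchange and return the outcome of each check."""
    server_pub, server_priv = rsa_keypair(SERVER_P, SERVER_Q)
    client_pub, client_priv = rsa_keypair(CLIENT_P, CLIENT_Q)
    rogue_pub, rogue_priv = rsa_keypair(SERVER_Q, CLIENT_Q)          # key the server never configured
    client_key, server_key, wire = key_negotiation(server_pub, server_priv)
    sid = session_id(server_pub, wire)
    local_users = {"admin": "Huawei@123"}                             # constructed configuration
    authorized_keys = {"admin": client_pub}
    return {
        "keys_match": client_key == server_key,
        "password_ok": password_authenticate(local_users, "admin", "Huawei@123"),
        "password_wrong": password_authenticate(local_users, "admin", "guess"),
        "password_unknown_user": password_authenticate(local_users, "nobody", "Huawei@123"),
        "rsa_ok": rsa_authenticate(authorized_keys, "admin", client_pub, client_priv, sid),
        "rsa_unconfigured_key": rsa_authenticate(authorized_keys, "admin", rogue_pub, rogue_priv, sid),
        "rsa_no_private_key": rsa_authenticate(authorized_keys, "admin", client_pub, rogue_priv, sid),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22s} {result}")
```

Run it with python3 to print each check. The RSA here uses no padding and fixed primes, which is adequate for tracing the message flow but would not be acceptable in a real implementation; the point to take from the run is which values cross the wire (the encrypted random number and the encrypted challenge) and which never do (the session key and the client's private key).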
Huawei Technologies Proprietary
8-2
Chapter 8 SSH Terminal Services
