|
|
|
One key advantage of using the SSH-2 protocol for asynchronous terminal connections is the combination of encryption and data integrity mechanisms defined by this protocol. The SSH-2 protocol defines a preliminary negotiation phase, during which the client and server agree upon both the encryption and data integrity algorithms to use for the current connection. After this negotiation phase is complete, all future communications between client and server are encrypted using the negotiated encryption algorithm. In addition, each data segment sent across the TCP/IP network is verified by the recipient to ensure that the contents of the data segment have not changed since the initial creation of the data segment by the original sender. This verification is performed using the data integrity algorithm selected during the initial negotiation phase.
The following encryption protocols are available for selection during the SSH-2 protocol negotiation phase: Blowfish, AES-256, AES-192, AES-128, and Triple DES. The following data integrity algorithms are available for selection during the SSH-2 protocol negotiation phase: HMAC-SHA1, HMAC-MD5, HMAC-SHA1-96, and HMAC-MD5-96. The selection of encryption and data integrity algorithms to use is negotiated between CA Automation Point and the SSH-2 server based upon the preference order of the algorithms listed previously. For example, if the SSH-2 server supports the Blowfish protocol, this protocol will always be selected because it is listed first in the SSH-2 client's (CA Automation Point's) encryption algorithm list. These algorithm lists are not configurable within CA Automation Point. If you wish to connect CA Automation Point to an SSH-2 server using a specific series of protocols, you should define the SSH-2 server to only advertise those protocols you wish to use.
In addition to providing encryption and data integrity mechanisms, CA Automation Point also employs host verification as outlined by the SSH-2 protocol. Each SSH-2 server is responsible for maintaining a public host key that uniquely identifies itself to SSH-2 clients. This public host key is securely sent to each SSH-2 client during the initial protocol negotiation phase. CA Automation Point stores the host key reported during the first connection request for a particular session and uses this stored key to validate the transmitted host key during future connection attempts. If the public host key transmitted by the SSH-2 server does not match the previously stored host key associated with this session, a warning message is displayed, and the user is given a choice whether or not to continue with the current connection attempt. This host verification helps to mitigate potential "man-in-the-middle" (MITM) cryptographic attacks by ensuring the identity of the SSH-2 server before sending any sensitive data.
| Copyright © 2012 CA. All rights reserved. |
|