Your search keyword '"Secure Shell"' showing total 220 results

151. Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR

Author

Kenneth G. Paterson and Gaven J. Watson

Subjects

Security analysis, Theoretical computer science, Stateful firewall, Network packet, Computer science, Secure Shell, Plaintext, Construct (python library), Computer security model, Computer security, computer.software_genre, computer, Block cipher

Abstract

This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions on the block cipher and MAC algorithms used to construct the SSH Binary Packet Protocol (BPP), we are able to show that the SSH BPP meets a strong and appropriate notion of security: indistinguishability under buffered, stateful chosen-ciphertext attacks. This result helps to bridge the gap between the existing security analysis of the SSH BPP by Bellare et al. and the recently discovered attacks against the SSH BPP by Albrecht et al. which partially invalidate that analysis.

Published

2010

152. The Advanced Encryption Standard (AES)

Author

Christof Paar and Jan Pelzl

Subjects

business.industry, computer.internet_protocol, Computer science, Secure Shell, Advanced Encryption Standard, AES implementations, Encryption, Computer security, computer.software_genre, Symmetric-key algorithm, IPsec, The Internet, Hardware_ARITHMETICANDLOGICSTRUCTURES, business, computer, Block cipher

Abstract

The Advanced Encryption Standard (AES) is the most widely used symmetric cipher today. Even though the term “Standard” in its name only refers to US government applications, the AES block cipher is also mandatory in several industry standards and is used in many commercial systems. Among the commercial standards that include AES are the Internet security standard IPsec, TLS, the Wi-Fi encryption standard IEEE 802.11i, the secure shell network protocol SSH (Secure Shell), the Internet phone Skype and numerous security products around the world. To date, there are no attacks better than brute-force known against AES.

Published

2010

153. Statistical classification of services tunneled into SSH connections by a k-means based learning algorithm

Author

Antonello Rizzi, C. Di Iollo, Gianluca Maiolini, and Andrea Baiocchi

Subjects

Telnet, Traffic analysis, Network packet, computer.internet_protocol, business.industry, Computer science, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, machine learning, secure shell, traffic analysis, traffic analysis, Deep packet inspection, Internet traffic, Remote administration, SSH File Transfer Protocol, business, computer, Computer network

Abstract

Secure SHell is a TCP based protocol designed to enhance with security features telnet and other insecure remote management tools. Due to its versatility, it is often exploited to forward applications (i.e. HTTP, SCP, etc.) into encoded TCP traffic flows. The point which makes challenging the identification of the uses of SSH is that packets are enciphered and instruments based on deep packet inspection (DPI) cannot achieve this task. We approached the problem of early SSH classification with k-means based machine by studying statistical behavior of IP traffic parameters, such as length, arrival time and direction of packets. In this paper we describe tools and networks designed to collect SSH remote administration traffic as well as relevant results obtained for its classification. In particular, our tool identifies remote management traffic out of other SSH encoded applications with accuracy up to 90.34

Published

2010

154. Classifying SSH encrypted traffic with minimum packet header features using genetic programming

Author

Riyad Alshammari, A. Nur Zincir-Heywood, Peter Lichodzijewski, and Malcolm I. Heywood

Subjects

Network packet, Computer science, Secure Shell, Header, Payload (computing), Genetic programming, Throughput, Data mining, computer.software_genre, computer, Port (computer networking)

Abstract

The classification of Encrypted Traffic, namely Secure Shell (SSH), on the fly from network TCP traffic represents a particularly challenging application domain for machine learning. Solutions should ideally be both simple - therefore efficient to deploy - and accurate. Recent advances to teambased Genetic Programming provide the opportunity to decompose the original problem into a subset of classifiers with non-overlapping behaviors, in effect providing further insight into the problem domain and increasing the throughput of solutions. Thus, in this work we have investigated the identification of SSH encrypted traffic based on packet header features without using IP addresses, port numbers and payload data. Evaluation of C4.5 and AdaBoost - representing current best practice - against the Symbiotic Bid-based (SBB) paradigm of team-based Genetic Programming (GP) under data sets common and independent from the training condition indicates that SBB based GP solutions are capable of providing simpler solutions without sacrificing accuracy.

Published

2009

155. Machine learning based encrypted traffic classification: Identifying SSH and Skype

Author

A. Nur Zincir-Heywood and Riyad Alshammari

Subjects

business.industry, Computer science, Secure Shell, Machine learning, computer.software_genre, Encryption, Support vector machine, Traffic classification, Robustness (computer science), Artificial intelligence, AdaBoost, Data mining, business, computer

Abstract

The objective of this work is to assess the robustness of machine learning based traffic classification for classifying encrypted traffic where SSH and Skype are taken as good representatives of encrypted traffic. Here what we mean by robustness is that the classifiers are trained on data from one network but tested on data from an entirely different network. To this end, five learning algorithms — AdaBoost, Support Vector Machine, Naie Bayesian, RIPPER and C4.5 — are evaluated using flow based features, where IP addresses, source/destination ports and payload information are not employed. Results indicate the C4.5 based approach performs much better than other algorithms on the identification of both SSH and Skype traffic on totally different networks.

Published

2009

156. Session resumption for the secure shell protocol

Author

Jürgen Schönwälder, Elchin Asgarov, Georgi Chulkov, and Mihai Cretu

Subjects

NETCONF, computer.internet_protocol, Computer science, business.industry, Secure Shell, Session ID, Simple Network Management Protocol, computer.software_genre, ssh-agent, Network management, Operating system, Session Description Protocol, SSH File Transfer Protocol, business, computer, Computer network

Abstract

The secure shell protocol (SSH) is widely deployed to access command line interfaces of network devices and host systems over an insecure network. Recently, the IETF has produced specifications how to run network management protocols such as NETCONF or SNMP over SSH. SSH computes new session keys whenever a new SSH session is established. This computationally expensive operation causes significant latency and processor load on low end devices and thus makes short-lived connections very expensive. To address this problem, we describe a session resumption feature that allows clients to resume sessions without having to compute new session keys.

Published

2009

157. SSH-Enabled ParaView

Author

Rhonda J. Vickery, Sean Ziegeler, Joel Martin, and Rick Angelini

Subjects

business.industry, Computer science, Secure Shell, Supercomputer, Login, computer.software_genre, Job queue, Shared memory, Server, Node (computer science), Operating system, business, computer, Port forwarding, Computer network

Abstract

ParaView is a very powerful visualization tool used by many in the Department of Defense (DoD) high performance computing (HPC) community. It is both fast and flexible. It performs well on a user’s desktop, but it can also scale to take advantage of clusters and large shared memory machines. Recently, ParaView has been adapted to run on the Linux clusters at the US Army Research Laboratory DoD Supercomputing Resource Center (ARL DSRC) using the Load Sharing Facility (LSF) batch queues. This method makes heavy use of Secure Shell (SSH) port forwarding to move data between the cluster nodes and the user’s desktop. The method is fast, convenient, and secure. Unfortunately, not everyone can use SSH port forwarding. For example, some users may not have access to servers that allow port-forwarded traffic. Also, there are users that are specifically banned from initiating a port forward from their desktop. To solve this problem, we have developed a version of ParaView that does not use TCP/IP sockets between the client and the server. Instead, the data is passed through the SSH standard in/out. If the user wishes to use a batch queue, a helper script handles the communication between the login node and the nodes that are allocated to the user. This paper describes the implementation of an SSHenabled ParaView. It then empirically compares our version to various other methods of running ParaView in the DoD HPC environment. Finally, it helps guide HPC users to determine the method that best fits their needs. This work benefits the DoD HPC community by making ParaView client/server available to users that have been previously unable to use it.

Published

2009

158. Collecting the Non-Volatile Data from a Router

Author

Dale Liu

Subjects

Telnet, Router, Hypertext Transfer Protocol, Computer science, computer.internet_protocol, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, computer.software_genre, Port triggering, Core router, One-armed router, Bridge router, Hardware_INTEGRATEDCIRCUITS, Operating system, computer

Abstract

This chapter discusses how nonvolatile data from a router can be collected for digital forensic investigation. Performing a forensic analysis on nonvolatile data on a router can reveal valuable information, but one must understand that the nonvolatile data may not represent the actual running configuration that was in operation at the time of the incident. If the router was rebooted since the incident occurred, the running configuration was overwritten by the startup configuration. Before connecting to the Cisco Router, one should interview the POC (Point of Contact) to gain an understanding of the incident, define incident response plan, examine the copies of collected evidence, and analyze them. One can connect to a Cisco router to collect its nonvolatile data through the console or AUX port and over the network using Telnet, Secure Shell (SSH), Hypertext Transfer Protocol (HTTP), or Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). While collecting nonvolatile data from a router, one should first gather data such as time, file system layout, and version information. An MD5 hash should be created using the router's MD5 command to verify that the copied files are exact duplicates of those that exist on the router. All printed copies should be authenticated with the date, time, and signature. The chapter explains how nonvolatile router data gathered from a Cisco router can be analyzed.

Published

2009

159. Proposal and Implementation of SSH Client System Using Ajax

Author

Ryoichi Sasaki and Yusuke Kosuda

Subjects

Web server, Ajax, business.industry, Computer science, Secure Shell, computer.software_genre, JavaScript, ssh-agent, Mobile phone, Embedded system, Operating system, Web application, business, SSH File Transfer Protocol, computer, computer.programming_language

Abstract

Technology called Ajax gives web applications the functionality and operability of desktop applications. In this study, we propose and implement a Secure Shell (SSH) client system using Ajax, independent of the OS or Java execution environment. In this system, SSH packets are generated on a web browser by using JavaScript and a web server works as a proxy in communication with an SSH server to realize end-to-end SSH communication. We implemented a prototype program and confirmed by experiment that it runs on several web browsers and mobile phones. This system has enabled secure SSH communication from a PC at an Internet cafe or any mobile phone. By measuring the processing performance, we verified satisfactory performance for emergency use, although the speed was unsatisfactory in some cases with mobile phone. The system proposed in this study will be effective in various fields of E-Business.

Published

2009

160. Using GMM and SVM-based Techniques for the Classification of SSH-Encrypted Traffic

Author

Maurizio Dusi, Francesco Gringoli, Luca Salgarelli, and Alice Este

Subjects

Information privacy, Traffic analysis, business.industry, Computer science, Secure Shell, Cryptography, Cryptographic protocol, computer.software_genre, Encryption, Support vector machine, Server, Data mining, business, computer

Abstract

When employing cryptographic tunnels such as the ones provided by Secure Shell (SSH) to protect their privacy on the Internet, users expect two forms of protection. First, they aim at preserving the privacy of their data. Second, they expect that their behavior, e.g., the type of applications they use, also remains private. In this paper we report on two statistical traffic analysis techniques that can be used to break the second type of protection when applied to SSH tunnels, at least under some restricting hypothesis. Experimental results show how current implementations of SSH can be susceptible to this type of analysis, and illustrate the effectiveness of our two classifiers both in terms of their capabilities in analyzing encrypted traffic and in terms of their relative computational complexity.

Published

2009

161. Pluggable Encryption Algorithm In Secure Shell(SSH) Protocol

Author

N. Geetha, P. Iyappan, K. S. Arvind, and S. Vanitha

Subjects

Cryptographic primitive, computer.internet_protocol, business.industry, Computer science, Secure Shell, Cryptographic protocol, Tunneling protocol, Computer security, computer.software_genre, Internet security, ssh-agent, Internet protocol suite, business, SSH File Transfer Protocol, computer, Computer network

Abstract

System security is a crucial constraint for Secure Transfer of data. Because of the nature of the SSH Protocol, anyone with access to the central server can manipulate files, it is imperative that only authorized users be able to access the central server. Secure Transfer has taken steps that will discourage several common attempts to forcefully gain access to the system. These steps include implementing a port knocking protocol, limiting access to only authorized machines and users, and keeping persistent logs. The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Secure Shell Protocol (SSH) uses the standard algorithms namely DES, AES and the RSA. Any user normally can use these algorithms which is being specified by the SSH protocol. As it is an OpenSSH, it is possible for the hackers to break the security during transmission of data. The idea behind the paper was when we allow the users to specify their own encryption techniques, which is not known to others can improve their security and also from hackers breaking the code. This will helps the user to create their encryption standards in the SSH protocol which provides more security to the users network and known only to the users.

Published

2009

162. A Secure Migration Protocol for Mobile Agent Systems

Author

Harry H. Cheng, David Ko, and Najmus Saqib Malik

Subjects

Authentication, Engineering, business.industry, Process (engineering), Secure Shell, Encryption, Computer security, computer.software_genre, Strong authentication, Mobile agent, business, SSH File Transfer Protocol, Protocol (object-oriented programming), computer

Abstract

This paper describes a secure migration process of mobile agents between agencies. Mobile-C is an IEEE Foundation for Intelligent Physical Agents (FIPA) standard compliant multi-agent platform for supporting C/C++ mobile and stationary agents. This secure migration process is inspired from Secure Shell (SSH). Before migration, both agencies authenticate each other using public key authentication. After successful authentication, an encrypted mobile agent is transferred and its integrity is verified. Mobile-C is specially designed for mechatronic and factory automation systems where, for correct system operations, agencies must accept mobile agents from trusted agencies. For this reason, the emphasis is on strong authentication of both agencies involved in migration process. Security aspects of other popular mobile agent systems are described briefly. A comparison study with SSH protocol is performed and future work is elaborated.Copyright © 2009 by ASME

Published

2009

163. Configuring Cisco Routers

Author

Brian Barber, Luigi DiGrande, and Dale Liu

Subjects

Router, Telnet, Mode (computer interface), Hypertext Transfer Protocol, Computer science, computer.internet_protocol, Interface (computing), Secure Shell, Operating system, Cisco Discovery Protocol, Troubleshooting, computer.software_genre, computer

Abstract

Router administrative connections can be made using several methods that include direct connection to the console port, a modem connection made to the auxiliary port, a Telnet connection made to a management interface of the router, a Hypertext Transfer Protocol (HTTP) connection to the Web interface, or through the Secure Shell (SSH) connection. HyperTerminal is one of the most widely used terminal emulation packages used by Windows user to configure Cisco equipment. HyperTerminal can be used for direct console connections to Cisco equipment or for Telnet access to Cisco equipment. HyperTerminal is very easy to configure. There are three main administrative modes on all Cisco devices that include User Exec mode, Privileged Exec mode, and Global Configuration mode. Each mode offers its own set of features and functions such as User Exec mode is the basic mode, which mostly offers the ability to view device usage and to do some basic troubleshooting. Privileged Exec mode offers escalated privileges, in which sensitive information can be viewed such as device configurations. One can also perform tasks that will change the behavior of a device, like enabling debugging options. Global Configuration mode allows changing the configuration of a device.

Published

2009

164. Detecting Stepping-Stone Intruders with Long Connection Chains

Author

Zach Riggle, Wei Ding, Shou-Hsuan Stephen Huang, and Matthew Hausknecht

Subjects

Chain (algebraic topology), business.industry, Computer science, Distributed computing, Secure Shell, Server, Intrusion detection system, business, Login, Measure (mathematics), Host (network), Computer network, Connection (mathematics)

Abstract

It is generally agreed that there is no valid reason to use a long connection chain for remote login such as SSH connection. Most of the stepping-stone detection algorithms installed on a host were designed to protect the victim of a third party downstream from where the algorithm is running. It is much more important for a host to protect itself from being a victim. This project uses an approximated round-trip time to distinguish a long connection chain from a short one. Several measures were studied to distinguish long chains from short ones. An estimated roundtrip time was defined to measure the chain length. Preliminary result suggests shows that the proposed algorithm can distinguish long connection chains from short ones with relatively low false rate.

Published

2009

165. Performance improvements to NETCONF for airborne tactical networks

Author

Giri Kuthethoor, Diane Kiwior, John Strohm, J. DelMedico, C. Hansupichon, Jia-ying Lu, D. Climek, Gregory Hadynski, Prakash Sesha, David Parker, and D. Dunbrack

Subjects

NETCONF, Computer science, computer.internet_protocol, business.industry, Wireless ad hoc network, SOAP, Distributed computing, Secure Shell, Mobile ad hoc network, Networking hardware, Packet loss, Server, Transport layer, Enhanced Data Rates for GSM Evolution, business, computer, Computer network

Abstract

Network configuration (NETCONF) is a widely used protocol to deploy configuration of network devices. NETCONF uses different transport layer protocols like secure shell (SSH), simple object access protocol (SOAP), or blocks extensible exchange protocol (BEEP) (IETF RFCs 4742 through 4744), and assumes availability of a high bandwidth network for successful configuration deployment. In a dynamic MANET tactical edge network consisting of fast-moving aircraft and terrain obscuration, conditions exist where traditional NETCONF may be less effective and eventually fails to provide guaranteed services to the war fighter. In this paper, we will look at the performance of NETCONF in a limited bandwidth constrained environment with periods of high packet loss. We will also consider the performance effect of using other compression algorithms and binary XML to reduce the amount of configuration data that is sent. Finally, we will study the usage of UDP-based NETCONF transport to improve the performance of NETCONF. By using UDP, data can be delivered more quickly than in a TCP-based transport. The performance analysis of such an airborne network as applied to different tactical scenarios with hundreds of assets will be accomplished through simulation.

Published

2008

166. JanioS

Author

Marcos Pirmez, Flavia C. Delicato, and A. L. Oliveira

Subjects

Service (systems architecture), Ubiquitous computing, business.industry, Computer science, Wireless network, Secure Shell, Cryptography, Context (language use), Tunneling protocol, business, Computer network, Data compression

Abstract

The recent proliferation of portable devices with increasing computational power as well as the advent of new wireless network technologies has enabled the realization of the ubiquitous computing vision. The paradigm of ubiquitous computing raises new challenges and requirements, such as the need of applications to adapt in the face of context changes while providing a suitable level of security to the user. This paper presents JanioS, an implementation of a new version to a library that provides SSH tunnel connections (Secure Shell) between applications. JanioS will be part of Prometheus, a system for provision of a service for adaptive security target to ubiquitous environment. JanioS will be able to dynamically adapt security parameters, such as cryptographic and data compression algorithms, according to the current execution context.

Published

2008

167. A Model for the Study of Privacy Issues in Secure Shell Connections

Author

Maurizio Dusi, Luca Salgarelli, and Francesco Gringoli

Subjects

Information privacy, business.industry, Computer science, Secure Shell, Cryptography, Cryptographic protocol, Encryption, Computer security, computer.software_genre, ssh-agent, Strong cryptography, business, computer, Data Authentication Algorithm

Abstract

The secure shell protocol strives to protect the privacy of its users in several ways. On one hand, the strong encryption and authentication algorithms that it adopts provide guarantees that the data exchanged between two SSH endpoints remain private to third parties. On the other hand, the type of traffic that each SSH channel transports, such as e-mail, remote shell activity, etc., is also supposed to be hidden from any observer that does not possess the necessary keys. This paper introduces a simple but accurate model of the SSH channel which can be used to study the level of privacy that SSH-protected traffic can achieve with respect to the users' activities. We think that the model can facilitate several types of projects. For example, network managers can detect traffic anomalies hidden by SSH connections more easily by relying on the output of our model. Another example, which we present in this paper, is the use of this model to derive accurate fingerprints of the type of applications run through an SSH channel by simply starting from the statistics of captured clear-text traffic. Such fingerprints can then be used to detect what type of activity, i.e., what type of traffic, is going on within an SSH channel, thereby breaking user privacy.

Published

2008

168. Secure Link Middleware

Author

Brian B. Luu

Subjects

Network architecture, Network administrator, Engineering, business.industry, computer.internet_protocol, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Local area network, Computer security, computer.software_genre, Secure communication, IPsec, Data in transit, business, computer, Private network, Computer network

Abstract

One of the challenges for the U.S. National Archives and Records Administration (NARA) is to provide essential information assurance (IA) services for sensitive electronic records archives (ERA) in transit between networked computer systems. Current software technologies for securing data in transit rely on cryptographic algorithms and protocols provided in IP Security (IPSec), Virtual Private Network (VPN), or Secure Shell (ssh). The general difficulties of using IPSec and VPN are the complexity and compatibility. IPSec has been evolved and updated with new standards since 1995 (with RFC 1825-1829) to 2005 (with RFC 4301-4309). VPN are generally designed and built based on proprietary algorithms. Usually, they should be acquired, installed, and operated from the same manufacturer. Therefore, typically, IPSec and VPN are implemented and operated at network routers by network administrator to provide security for network traffic between local area networks (LAN) rather than being used by end users at system level. For example, IPSec or VPN are used to connect internal LANs of different sites of an organization through a public network such as the Internet. But with this type of operation, there are no end-to-end encryptions between any two networked computers in the same LAN or in different LANs. Hence, communication traffic of two computers in a same LAN or communication traffic from a local node to its router has no protection. To meet NARA's technical requirements for having end-to-end encryption and authentication at the computer system level, Army Research Laboratory (ARL) developed a secure communication network middleware called "Secure Link" capable of providing essential IA services for accessing or transferring sensitive ERA between any two networked computers. This report documents the development of ARL Secure Link.

Published

2008

169. A distributed active response architecture for preventing SSH dictionary attacks

Author

David Keeling, Randal Abler, and J.L. Thames

Subjects

Password, Authentication, Web server, Dictionary attack, business.industry, Computer science, Secure Shell, Information security, Login, Computer security, computer.software_genre, The Internet, business, computer, Computer network

Abstract

Dictionary attacks against Internet servers that provide the secure shell (SSH) service for secure, remote login is very common. The dictionary attack is an attempt to gain unauthorized access to a server by continuously guessing username and password pairs using sophisticated brute force techniques. Solutions exist that can detect and prevent this attack for a local host. However, a technique that distributes the detection and prevention information to a server's trusted neighbors can provide a gain in security by way of preemptive protection. This paper describes a distributed active response architecture that provides proactive, preemptive protection against the SSH dictionary attack.

Published

2008

170. A Preliminary Look at the Privacy of SSH Tunnels

Author

Francesco Gringoli, Luca Salgarelli, and Maurizio Dusi

Subjects

Password, Information privacy, business.industry, Computer science, Network packet, Secure Shell, Cryptography, Encryption, Tunneling protocol, Computer security, computer.software_genre, Obfuscation, business, computer, Computer network

Abstract

Secure Shell (SSH) tunnels are commonly used to provide two types of privacy protection to clear-text application protocols. First and foremost, they aim at protecting the privacy of the data being exchanged between two peers, such as passwords, details of monetary transactions and so on. Second, they are supposed to protect the privacy of the behavior of end-users, by preventing an unauthorized observer from detecting which application protocol is being transported by an SSH tunnel. In this paper we introduce a GMM-based (Gaussian Mixture Model) technique that, under a set of reasonable assumptions, can be used to identify which application is being tunneled inside an SSH session by simply observing the stream of encrypted packets. This technique can therefore break the presumption of privacy in its second incarnation as described above. Although still preliminary, experimental results show that the technique can be quite effective, and that the standard bodies might need to take this approach under consideration when designing new obfuscation techniques for SSH.

Published

2008

171. SpectroGrid: providing simple secure remote access to scientific instruments

Author

Andre Charbonneau, Victor V. Terskikh, and IEEE

Subjects

Scientific instrument, Computer science, business.industry, Secure Shell, open source technology, Data security, remote instrumentation, virtual network computing (VNC), Computer security, computer.software_genre, law.invention, high performance network, Grid computing, secure shell (SSH), law, Server, remote access, SpectroGrid, grid security infrastructure (GSI), Grid Security Infrastructure, Telecommunications, business, computer, Virtual network, Remote control

Abstract

High Performance Computing Systems and Applications, June 09-11, 2008, Québec City, Québec, Canada, available, unlimited, public

Published

2008

172. Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

Author

Georgios Kambourakis, Angelos Rouskas, and Stefanos Gritzalis

Subjects

Protocol stack, Bluetooth, Computer science, law, business.industry, Goodput, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Throughput, Network performance, business, law.invention, Computer network

Abstract

Security is always an important factor in wireless connections. As with all other existing radio technologies, the Bluetooth standard is often cited to suffer from various vulnerabilities and security inefficiencies while attempting to optimize the trade-off between performance and complementary services including security. On the other hand, security protocols like IP secure (IPsec) and secure shell (SSH) provide strong, flexible, low cost, and easy to implement solutions for exchanging data over insecure communication links. However, the employment of such robust security mechanisms in wireless realms enjoins additional research efforts due to several limitations of the radio-based connections, for example, link bandwidth and unreliability. This chapter will evaluate several Bluetooth personal area network (PAN) parameters, including absolute transfer times, link capacity, throughput, and goodput. Experiments shall employ both Bluetooth native security mechanisms, as well as the two aforementioned protocols. Through a plethora of scenarios utilizing both laptops and palmtops, we offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.

Published

2008

173. FOCSE: An OWA-based Evaluation Framework for OS Adoption in Critical Environments

Author

Claudio Agostino Ardagna, Ernesto Damiani, and Fulvio Frati

Subjects

Database, business.industry, Computer science, Process (engineering), Secure Shell, Access control, computer.software_genre, Data science, Set (abstract data type), Work (electrical), Code (cryptography), Selection (linguistics), Use case, business, computer

Abstract

While the vast majority of European and US companies increasingly use open source software for non-key applications, a much smaller number of companies have deployed it in critical areas such as security and access control. This is partly due to residual difficulties in performing and documenting the selection process of open source solutions. In this paper we describe the FOCSE metrics framework, supporting a specific selection process for security-related open source code. FOCSE is based on a set of general purpose metrics suitable for evaluating open source frameworks in general; however, it includes some specific metrics expressing security solutions’ capability of responding to continuous change in threats. We show FOCSE at work in two use cases about selecting two different types of security-related open source solutions, i.e. Single Sign-On and Secure Shell applications.

Published

2007

174. Development of Control Applications for High-Throughput Protein Crystallography Experiments

Author

Soichi Wakatsuki, Noriyuki Igarashi, Nobuo Honda, Naohiro Matsugaki, Yusuke Yamada, Masahiko Hiraki, Yurii Gaponov, and Kumiko Sasajima

Subjects

Unix, Access network, Database, Computer science, business.industry, Relational database, Secure Shell, computer.software_genre, Software, File server, Operating system, business, computer, Throughput (business), Graphical user interface

Abstract

An integrated client‐server control system (PCCS) with a unified relational database (PCDB) has been developed for high‐throughput protein crystallography experiments on synchrotron beamlines. The major steps in protein crystallographic experiments (purification, crystallization, crystal harvesting, data collection, and data processing) are integrated into the software. All information necessary for performing protein crystallography experiments is stored in the PCDB database (except raw X‐ray diffraction data, which is stored in the Network File Server). To allow all members of a protein crystallography group to participate in experiments, the system was developed as a multi‐user system with secure network access based on TCP/IP secure UNIX sockets. Secure remote access to the system is possible from any operating system with X‐terminal and SSH/X11 (Secure Shell with graphical user interface) support. Currently, the system covers the high‐throughput X‐ray data collection stages and is being commissioned at BL5A and NW12A (PF, PF‐AR, KEK, Tsukuba, Japan).

Published

2007

175. Web/File/Telnet/SSH

Author

Rob Cameron and Neil R. Wyler

Subjects

World Wide Web, Telnet, Transport Layer Security, Computer science, computer.internet_protocol, Web traffic, Secure Shell, User interface, SSH File Transfer Protocol, computer.software_genre, computer, Extranet, Java applet

Abstract

This chapter discusses few of the main access methods that the Extensive Instant Virtual Extranet (IVE) provides. The IVE supports a Web-based user interface for passing user Web traffic to internal network resources. The access does not require any provisioned clients to be installed on the client machine. It is found that access to file shares can be securely transported between a client Web browser and internal file shares. File bookmarks enable the administrator to configure access to file shares that can be browsed through the WebUI of the IVE. File access not only depends on the resource policies of the IVE, but also on whether the user is typically allowed to access the backend resources in the first place. Users can be granted access to individual directories, and not subdirectories by not using wildcards at the end of the resource policies. Telnet is an application that allows for interactive communication between a client and a server. The IVE supports Telnet and Secure Shell clients through the use of prebuilt Java applets that get opened on the user's machine, and then tunnel traffic through the Secure Sockets Layer virtual private network from the client to the IVE.

Published

2007

176. Different approaches for the detection of SSH anomalous connections

Author

Silvia González, Emilio Corchado, Urko Zurutuza, Álvaro Herrero, and Javier Sedano

Subjects

Password, Identification (information), Dictionary attack, Honeypot, Exploit, Logic, Network packet, Computer science, Secure Shell, Intrusion detection system, Data mining, computer.software_genre, computer

Abstract

The Secure Shell Protocol (SSH) is a well-known standard protocol, mainly used for remotely accessing shell accounts on Unix-like operating systems to perform administrative tasks. As a result, the SSH service has been an appealing target for attackers, aiming to guess root passwords performing dictionary attacks or to directly exploit the service itself. To identify such situations, this article addresses the detection of SSH anomalous connections from an intrusion detection perspective. The main idea is to compare several strategies and approaches for a better detection of SSH-based attacks. To test the classification performance of different classifiers and combinations of them, SSH data coming from a real-world honeynet are gathered and analysed. For comparison purposes and to draw conclusions about data collection, both packet-based and flow data are analysed. A wide range of classifiers and ensembles are applied to these data, as well as different validation schemes for better analysis of the obtained results. The high-rate classification results lead to positive conclusions about the identification of malicious SSH connections.

Published

2015

177. Detecting Policy Violations through Traffic Analysis

Author

Rei Safavi-Naini and Jeffrey Horton

Subjects

Session Initiation Protocol, Otway–Rees protocol, Internet Protocol Control Protocol, business.industry, computer.internet_protocol, Computer science, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Computer security, computer.software_genre, Tunneling protocol, Internet protocol suite, User Datagram Protocol, business, SSH File Transfer Protocol, computer, Computer network

Abstract

Restrictions are commonly placed on the permitted uses of network protocols in the interests of security. These restrictions can sometimes be difficult to enforce. As an example, a permitted protocol can be used as a carrier for another protocol not otherwise permitted. However, if the observable behaviour of the protocol exhibits differences between permitted and non-permitted uses, it is possible to detect inappropriate use. We consider SSH, the Secure Shell protocol. This is an encrypted protocol with several uses. We attempt firstly to classify SSH sessions according to some different types of traffic for which the sessions have been used, and secondly, given a policy that permits SSH use for interactive traffic, to identify when a session appears to have been used for some other purpose.

Published

2006

178. A Novel Mechanism for Improving Performance and Security of TCP Flows over Satellite Links

Author

N. Thanthry, M Deshpande, and Ravi Pendse

Subjects

Transport Layer Security, Computer science, Transmission Control Protocol, computer.internet_protocol, business.industry, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Data security, Round-trip delay time, Internet traffic, Security association, IPsec, business, computer, Computer network

Abstract

Satellite based broadband networks are gaining importance due to their distance insensitivity and high bandwidth availability. Although it is possible to transmit internet traffic through satellite network, it has been observed that many of the IP related protocols (especially transmission control protocol) do not perform well in the Satellite environment due to the high latency and variable round trip time (RTT) offered by the satellite network. Some of the researchers have suggested using performance enhancement proxies (PEP) at strategic locations to improve the transmission control protocol (TCP) performance over the satellite network. However usage of end-to-end security mechanism like IPSec affects the PEP's functioning as the encryption mechanisms generally hide the TCP header information along with the data from intermediate nodes. While other approaches suggest either establishing multiple security associations or sacrificing end-to-end security by using less secure mechanisms like Secure Shell (SSL) or Transport Layer Security (TLS), the authors of this paper propose a simpler solution for PEP and end-to-end security coexistence. The proposed solution achieves the coexistence of PEP and end-to-end security with minimal overhead as compared to the solutions proposed by other researchers. Initial analysis carried out by the authors indicates a significant overhead reduction and performance improvement in the proposed solution as compared to the other approaches.

Published

2006

179. Hardware-Accelerated SSH on Self-Reconfigurable Systems

Author

Ivan Gonzalez, Sergio Lopez-Buedo, and Francisco J. Gómez-Arribas

Subjects

MicroBlaze, Coprocessor, Computer science, business.industry, Secure Shell, Control reconfiguration, Cryptography, Reduction (complexity), Logic synthesis, Embedded system, Hardware_ARITHMETICANDLOGICSTRUCTURES, Field-programmable gate array, business, Computer hardware

Abstract

The performance of security applications can be greatly improved by accelerating the cryptographic algorithms in hardware. In this paper, an implementation of the secure shell (SSH) application is presented. A self-reconfigurable platform based on a Xilinx Spartan-3 FPGA has been employed to implement a MicroBlaze-based embedded system, which executes SSH under the uCLinux operative system. Run-time reconfiguration is used to change the cryptographic coprocessors utilized for data ciphering. The performance of SSH has been improved and, in comparison to other alternatives not using reconfiguration, a reduction of the area requirements was also achieved.

Published

2006

180. Enhancing Scientific Workflows with Secure Shell Functionality in UNICORE Grids

Author

Daniel Mallmann, Achim Streit, and Morris Riedel

Subjects

Collaborative software, business.industry, Computer science, Distributed computing, Secure Shell, Data security, Grid, Supercomputer, computer.software_genre, Workflow, Grid computing, business, computer, Graphical user interface

Abstract

The UNICORE grid technology provides a seamless, secure and intuitive access to distributed grid resources such as computational or storage related resources. In addition, its extensible character through application-specific plug-ins and its enhancements developed in various European-funded projects leads to the UNICORE technology that is used in daily production at many supercomputer centers and research facilities world-wide today. In this paper we present an enhancement that provides the dynamic capabilities of a secure shell terminal within the UNICORE grid technology while single sign-on remains. This enhancement allows the integration of the dynamic work-behavior of scientists, or existing scientific applications, to be more integrated into the usual workflow with UNICORE and therefore in collaborative grid environments. As a well-known tool in the scientific community, a secure shell terminal provides the most flexible way of working on remote systems that no graphical user interface or advanced tooling in grid computing can ever provide

Published

2006

181. Debugging Embedded Software

Author

Doug Abbott

Subjects

Background debug mode interface, Computer science, media_common.quotation_subject, Debug menu, Context (language use), computer.software_genre, Front and back ends, Software, gdbserver, Software_SOFTWAREENGINEERING, Protocol (object-oriented programming), Eclipse, Debugger, media_common, Graphical user interface, Processor register, business.industry, Secure Shell, Process (computing), Embedded software, Debugging, Operating system, Software engineering, business, Nexus (standard), computer, Host (network)

Abstract

Publisher Summary This chapter presents various steps for debugging the embedded software. It begins with the discussion of GDB. GDB stands for the GNU DeBugger, the source-level debugging package that is part of the GNU tool chain. Like any good debugger, it allows the user to start their program, insert breakpoints to stop the program at specified points, and examine and modify variables and processor registers. In an embedded environment, data display debugger (DDD)/GDB runs on the host and the program being debugged runs on the target. GDB implements a serial protocol that allows it to work with remote targets. DDD provides an X-windows front end for GDB. It allows the user to point-and-click to set breakpoints and examine variables. DDD translates the graphical user interface (GUI) input into commands for GDB. Most recent Linux distributions include DDD and GDB as part of the standard GNU tool chain. The chapter also describes the setting for remote debugging, in which the program, shellsort, is moved to the target and debugged.

Published

2006

182. Performance Analysis of SNMP over SSH

Author

Vladislav Marinov and Jürgen Schönwälder

Subjects

Computer science, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Simple Network Management Protocol, Computer security model, Computer security, computer.software_genre, Key management, computer, Protocol (object-oriented programming)

Abstract

There have been several attempts in the past to secure the Simple Network Management Protocol (SNMP). Version 3 of the SNMP protocol introduced a User-based Security Model (USM) which comes with its own user and key-management infrastructure. However, many operators are reluctant to introduce a new user and key management infrastructure just to secure SNMP. This paper describes how the Secure Shell (SSH) protocol can be used to secure SNMP and it provides a performance analysis of a prototype implementation which compares the performance of SNMP over SSH with other secure and insecure versions of SNMP.

Published

2006

183. Design and Implementation of a Mobile SSH Protocol

Author

I-Hsuan Huang, Szu-Wei Wang, Cheng-Zen Yang, and Wei-Jin Tzeng

Subjects

Engineering, Wireless network, business.industry, computer.internet_protocol, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, FTPS, ssh-agent, Secure communication, Server, business, SSH File Transfer Protocol, computer, Mobility management, Computer network

Abstract

SSH (secure shell) is a very popular secure communication application. Users can remotely login to servers through SSH channels with security protection. However, since the SSH protocol lacks mobility management support, an SSH session can be easily broken while the wireless device roams around. In this paper, we propose a mobile SSH protocol which employs an application-layer handover mechanism. We have implemented the proposed SSH protocol in OpenSSH and Putty. With the proposed protocol, the mobile users can switch from one wireless network to another without terminating their SSH sessions. This paper presents the design of the proposed mobile SSH protocol and the preliminary experimental results.

Published

2006

184. Understanding the Extended Capabilities of the Nessus Environment

Author

Mike Petruzzi, SensePost, Chris Hurley, James C. Foster, Mark Wolfgang, Noam Rathaus, Johnny Long, and Aaron W. Bayles

Subjects

Unix, Service (systems architecture), Remote machine, Database, Computer science, Secure Shell, Server Message Block, computer.software_genre, Hotfix, Operating system, computer, Host (network), Protocol (object-oriented programming), Vulnerability (computing), PATH (variable)

Abstract

Publisher Summary Some of the more advanced functions that Nessus' include files provide allow a user to write more than just banner comparison or service-detection tests; they also allow users to easily utilize Windows' internal functions to determine whether a certain Windows service pack or hotfix has been installed on a remote machine or whether a certain UNIX patch has been installed. Nessus can connect to a remote Windows machine by utilizing Microsoft's Server Message Block (SMB) protocol. Once SMB connectivity has been established, many types of functionality can be implemented, including the ability to query the remote host's service list, connect to file shares and open files that reside under it, access the remote host's registry, and determine user and group lists. This chapter discusses Nessus' include files implementation of the SMB protocol, followed by Nessus' include files implementation of Windows-related hotfix and service pack verification. The chapter also addresses how a similar kind of hotfix and service pack verification can be done for different UNIX flavors by utilizing relevant include files.

Published

2005

185. PIX Firewall Management

Author

Thorsten Behrens, Ido Dubrawsky, Daniel Kligerman, Michael Sweeney, Brian Browne, Charles Riley, and Umer Khan

Subjects

Check Point VPN-1, Telnet, Engineering, business.industry, computer.internet_protocol, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Debug menu, ComputerApplications_COMPUTERSINOTHERSYSTEMS, computer.software_genre, Cisco PIX, Firewall (construction), syslog, Server, Operating system, business, computer

Abstract

When configuring the PIX for logging, one can choose from a variety of logging options such as buffered logging, console, Telnet/SSH sessions, syslog servers, or SNMP. Message severity levels can be selected, ranging from Level1 (alert) to Level7 (debug) based on the needs. Aside from selecting the severity level, one can choose from several facility levels to direct the flow of the syslog messaging. One can specify that all syslog messages should be logged or he or she can filter out certain messages, so they will not be sent. This functionality is very useful in troubleshooting a network issue where one might be in debug mode, and the normal message flow would be overwhelming to work with. The Cisco PIX firewall can be managed using a console port, although usually the PIX will be managed by remote access. The Cisco PIX firewall can act only as a server for SSH and Telnet services, not a client. An important point to remember about the Cisco PIX and SSH is to make sure to use a client that supports SSHv2 such as PuTTY or SSH Secure Shell. The Cisco PIX supports read-only SNMP reporting or read-only and can either send traps to a host or be polled for information. The Cisco PIX firewall has a wealth of system time and date functionality.

Published

2005

186. Bibliotecas de Pasaje de Mensajes y Cómputo Intercluster

Author

Tinetti, Fernando Gustavo and Aróztegui, Walter

Subjects

secure shell, firewalls, Ingeniería Eléctrica y Electrónica, cómputo paralelo intercluster, login remoto

Abstract

Este reporte está orientado básicamente a documentar el estudio realizado de las bibliotecas más conocidas de pasaje de mensajes en el contexto de su posible utilización para cómputo paralelo intercluster. En un reporte técnico anterior, se describía lo más importante del servicio de shell seguro (secure shell) que se asume como el más sostenible desde el punto de vista técnico para la interconexión de dos o más clusters con la posibilidad de Jogin remoto y disparo de tareas remotas. En este reporte se enfocan las bibliotecas de pasaje de mensajes específicamente en lo referente a la sostenibilidad de las características de seguridad. Desde esta perspectiva de seguridad, como en el caso del servicio ssh, se debe tener en cuenta como mínimo la protección provista por los firewalls de cada cluster. Desde el punto de vista del rendimiento, por su parte, se debe tener en cuenta que para cómputo intercluster normalmente existen fuertes diferencias de rendimiento de las redes de interconexión involucradas.

Published

2005

187. Making secure TCP connections resistant to server failures

Author

Andrew L. Burt, Hailin Wu, and Ramakrishna Thurimella

Subjects

Computer science, business.industry, Secure Shell, computer.software_genre, Failover, law.invention, Server farm, law, Backup, Server, Internet Protocol, TCP hole punching, Zeta-TCP, Operating system, business, computer, Computer network

Abstract

Methods are presented to increase resiliency to server failures by migrating long running, secure TCP-based connections to backup servers, thus mitigating damage from servers disabled by attacks or accidental failures. The failover mechanism described is completely transparent to the client. Using these techniques, simple, practical systems can be built that can be retrofitted into the existing infrastructure, i.e. without requiring changes either to the TCP/IP protocol, or to the client system. The end result is a drop-in method of adding significant robustness to secure network connections such as those using the secure shell protocol (SSH). As there is a large installed universe of TCP-based user agent software, it will be some time before widespread adoption takes place of other approaches designed to withstand these kind of service failures; our methods provide an immediate way to enhance reliability, and thus resistance to attack, without having to wait for clients to upgrade software at their end. The practical viability of our approach is demonstrated by providing details of a system we have built that satisfies these requirements.

Published

2004

188. Access and accounting schemes of wireless broadband

Author

Xing Yu, Yan Wang, Benxiong Huang, and Jian Zhang

Subjects

Router, Authentication, Transport Layer Security, SSLIOP, business.product_category, Computer access control, business.industry, Computer science, computer.internet_protocol, Secure Shell, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Access control, Accounting, Cryptographic protocol, Encryption, Public-key cryptography, Wireless broadband, Authentication protocol, Internet access, RADIUS, The Internet, business, computer, Computer network

Abstract

In this paper, two wireless broadband access and accounting schemes were introduced. There are some differences in the client and the access router module between them. In one scheme, Secure Shell (SSH) protocol is used in the access system. The SSH server makes the authentication based on private key cryptography. The advantage of this scheme is the security of the user's information, and we have sophisticated access control. In the other scheme, Secure Sockets Layer (SSL) protocol is used the access system. It uses the technology of public privacy key. Nowadays, web browser generally combines HTTP and SSL protocol and we use the SSL protocol to implement the encryption of the data between the clients and the access route. The schemes are same in the radius sever part. Remote Authentication Dial in User Service (RADIUS), as a security protocol in the form of Client/Sever, is becoming an authentication/accounting protocol for standard access to the Internet. It will be explained in a flow chart. In our scheme, the access router serves as the client to the radius server.

Published

2004

189. Architectural defects of the secure shell

Author

Takamichi Saito, T. Kito, K. Umesawa, and Fumio Mizoguchi

Subjects

Challenge-Handshake Authentication Protocol, Password, Key generation, Authentication, business.industry, Computer science, Secure Shell, Key distribution, Encryption, Computer security, computer.software_genre, Key authentication, S/KEY, Public-key cryptography, ssh-agent, Authentication protocol, Session key, Message authentication code, Pre-shared key, Challenge–response authentication, business, SSH File Transfer Protocol, computer, Key exchange, Computer network

Abstract

Although flaws have been found out in SSH, the Secure Shell, there has been little discussion about its architecture or design safety. Therefore, considering SSH architecture, e.g. the key exchange protocol, user authentication protocols and total design of the SSH, we not only discuss SSH architectural safety but show critical flaws for SSH users. For establishing the SSH connection, before user authentication, the SSH server and client exchange a session key, which can communicate securely. Then, over the secret channel encrypted by the session key, the SSH server authenticates a user in the SSH client using a user's password or public key. However, owing to defects in the SSH protocols and its design, a user can be deprived of their password in the authentication protocol. Moreover, we show that those who use its public key for authentication are exposed to the same risks as password-oriented users.

Published

2004

190. Syntax and Semantics-Preserving Application-Layer Protocol Steganography

Author

Steve J. Chapin, Payman Yadollahpour, Norka B. Lucena, and James Pease

Subjects

Steganography tools, Steganography, Computer science, Secure Shell, General Inter-ORB Protocol, Computer security, computer.software_genre, Tunneling protocol, Application layer, law.invention, law, Universal composability, Internet Protocol, computer

Abstract

Protocol steganography allows users who wish to communicate secretly to embed information within other messages and network control protocols used by common applications. This form of unobservable communication can be used as means to enhance privacy and anonymity as well as for many other purposes, ranging from entertainment to protected business communication or national defense. In this paper, we describe our approach to application-layer protocol steganography, describing how we can embed messages into a commonly used TCP/IP protocol. We also introduce the notions of syntax and semantics preservation, which ensure that messages after embedding still conform to the host protocol. Based on those concepts, we attempt to produce reasonably secure and robust stegosystems. To demonstrate the efficacy of our approach, we have implemented protocol steganography within the Secure Shell (SSH) protocol. Findings indicate that protocol steganographic system is reasonably secure if the statistical profile of the covermessages and the statistical profile of its traffic match their counterparts after embedding.

Published

2004

191. A text graphics character CAPTCHA for password authentication

Author

Chanathip Namprempre and Matthew N. Dailey

Subjects

Password, Authentication, CAPTCHA, Dictionary attack, Computer access control, computer.internet_protocol, Computer science, Secure Shell, computer.software_genre, Computer security, Electronic mail, S/KEY, World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password authentication protocol, Message authentication code, Challenge–response authentication, computer

Abstract

We propose a new construct, the Text-Graphics Character (TGC) CAPTCHA, for preventing dictionary attacks against password authenticated systems allowing remote access via dumb terminals. Password authentication is commonly used for computer access control. But password authenticated systems are prone to dictionary attacks, in which attackers repeatedly attempt to gain access using the entries in a list of frequently-used passwords. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are currently being used to prevent automated "bots" from registering for email accounts. They have also been suggested as a means for preventing dictionary attacks. However, current CAPTCHAs are unsuitable for text-based remote access. Our TGC CAPTCHA fills this gap. In this paper, we define the TGC CAPTCHA, prove that it is a (secure) CAPTCHA, demonstrate its utility in a prototype based on the SSH (Secure Shell) protocol suite and provide empirical evidence that the test is easy for humans and hard for machines. We believe that the system will not only help improve the security of servers allowing remote terminal access, but also encourage a healthy spirit of competition in the fields of pattern recognition, computer graphics and psychology.

Published

2004

192. Remote Management

Author

Paul Cevoli

Subjects

Telnet, business.product_category, Spoofing attack, Computer science, computer.internet_protocol, business.industry, Secure Shell, Shell (computing), computer.software_genre, Encryption, law.invention, law, Internet Protocol, Operating system, Callback, Internet appliance, business, computer

Abstract

Publisher Summary This chapter provides an overview of many internet appliances that are installed in a remote location that is not easily accessible. One feature often required by an internet appliance is remote management. Remote management is often implemented using telnet, rlogin, and remote shell. Although these tools are reliable, they are insecure. The Secure Shell (SSH) is developed to provide remote access to systems that use encryption to pass data between the systems for security. The standard FreeBSD installation contains an open source implementation of SSH called “Open SSH.” SSH can protect an internet appliance against attacks— such as internet protocol spoofing and packet snooping, but cannot protect the system when someone has a logon access. Configuring SSH, creating a management logon account, and developing a custom Digital Input-Output (DIO) management shell is also discussed in this chapter. Open SSH developed a framework used to implement a basic command line parser and engine that uses callbacks to implement actions based on the user input. This framework is used to implement the DIO Shell, a digital I0 specific shell for the DIO Appliance.

Published

2003

193. Connecting to the Internet Securely; Protecting Home Networks CIAC-2324

Author

W J Orvis, J Smith, and P Krystosek

Subjects

Engineering, Transport Layer Security, business.industry, Network security, Secure Shell, Internet privacy, Computer security, computer.software_genre, Information sensitivity, Firewall (construction), Physical access, The Internet, business, computer, Private network

Abstract

With more and more people working at home and connecting to company networks via the Internet, the risk to company networks to intrusion and theft of sensitive information is growing. Working from home has many positive advantages for both the home worker and the company they work for. However, as companies encourage people to work from home, they need to start considering the interaction of the employee's home network and the company network he connects to. This paper discusses problems and solutions related to protection of home computers from attacks on those computers via the network connection. It does not consider protection of those systems from people who have physical access to the computers nor does it consider company laptops taken on-the-road. Home networks are often targeted by intruders because they are plentiful and they are usually not well secured. While companies have departments of professionals to maintain and secure their networks, home networks are maintained by the employee who may be less knowledgeable about network security matters. The biggest problems with home networks are that: Home networks are not designed to be secure and may use technologies (wireless) that are not secure; The operating systems are not secured whenmore » they are installed; The operating systems and applications are not maintained (for security considerations) after they are installed; and The networks are often used for other activities that put them at risk for being compromised. Home networks that are going to be connected to company networks need to be cooperatively secured by the employee and the company so they do not open up the company network to intruders. Securing home networks involves many of the same operations as securing a company network: Patch and maintain systems; Securely configure systems; Eliminate unneeded services; Protect remote logins; Use good passwords; Use current antivirus software; and Moderate your Internet usage habits. Most of these items do not take a lot of work, but require an awareness of the risks involved in not doing them or doing them incorrectly. The security of home networks and communications with company networks can be significantly improved by adding an appropriate software or hardware firewall to the home network and using a protected protocol such as Secure Sockets Layer (SSL), a Virtual Private Network (VPN), or Secure Shell (SSH) for connecting to the company network.« less

Published

2002

194. Authenticated encryption in SSH

Author

Mihir Bellare, Chanathip Namprempre, and Tadayoshi Kohno

Subjects

Authenticated encryption, business.industry, Computer science, computer.internet_protocol, Secure Shell, Cryptography, Cryptographic protocol, Computer security, computer.software_genre, Encryption, FTPS, Stateful firewall, business, SSH File Transfer Protocol, computer, Computer network

Abstract

The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol or to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

Published

2002

195. An experimental study of security vulnerabilities caused by errors

Author

Shuo Chen, Jun Xu, Zbigniew Kalbarczyk, and Ravishankar K. Iyer

Subjects

Authentication, business.industry, Computer science, Embedded system, Secure Shell, Key (cryptography), Data security, Transient (computer programming), Message authentication code, Hamming distance, business, Error detection and correction, Computer network

Abstract

The paper presents an experimental study which shows that, for the Intel x86 architecture, single-bit control flow errors in the authentication sections of targeted applications can result in significant security vulnerabilities. The experiment targets two well-known Internet server applications: FTP and SSH (secure shell), injecting single-bit control flow errors into user authentication sections of the applications. The injected sections constitute approximately 2-8% of the text segment of the target applications. The results show that out of all activated errors: (a) 1-2% comprised system security (create a permanent window of vulnerability); (b) 43-62% resulted in crash failures (about 8.5% of these errors create a transient window of vulnerability); and (c) 7-12% resulted in fail silence violations. A key reason for the measured security vulnerabilities is that, in the x86 architecture, conditional branch instructions are a minimum of one Hamming distance apart. The design and evaluation of a new encoding scheme that reduces or eliminates this problem is presented.

Published

2002

196. Share Desktop Screen to Raspberry Pi

Author

Tarun Jain

Subjects

Raspberry pi, Physical media, Computer science, business.industry, Transfer (computing), Secure Shell, Operating system, computer.software_genre, business, computer, Computer hardware

Abstract

Our aim is to connect laptops to projectors/TV/LED's wirelessly (without any physical media) and transfer video signals from them. For this, SSH connection is used in Raspberry Pi device and we have transferred command using CGI. Index Terms- Raspberry Pi, WIFI, VNC, SSH.

Published

2014

197. The CASS shell

Author

Q. Le Viet, George M. Mohay, Hasmukh Morarji, Lance Munday, and William Caelli

Subjects

System requirements, Computer architecture, Computer science, Secure Shell, Shell (computing), Component-based software engineering, Operating system, Systems architecture, Message authentication code, Software system, Reference architecture, computer.software_genre, computer

Abstract

The goal of the Computer Architecture for Secure Systems (CASS) project [1] is to develop an architecture and tools to ensure the security and integrity of software in distributed systems. CASS makes use of various cryptographic techniques at the operating system kernel level to authenticate software integrity. The CASS shell, the work described in this paper, is on the other hand a secure shell implemented on top of UNIX1 System V Release 4.2 (UNIX SVR4.2) to achieve the same purpose but in an operating system independent manner. The CASS shell carries out cryptographic authentication of executable files based on the MD5 Message-Digest algorithm [2] and presents a closed computing environment in which system utilities are safeguarded against unauthorised alteration and users are prevented from executing unsafe commands. In order to provide cryptographic authentication and other cryptographic functions such as public-key based signatures, in hardware, the work has also involved the incorporation of an encryption hardware sub-system into SVR4.2 operating on an Intel 80×86 hardware platform. The paper describes the structure and features of the CASS shell and the development and performance of both the hardware and software implementations of the cryptographic functions it uses.

Published

1996

198. An Open Source Multiplatform Virtual Laboratory for Engineering Education

Author

Aitor Villar-Zafra, Jose A. Lazaro, Rosa M. Fernandez-Canti, and Sergio Zarza-Sánchez

Subjects

lcsh:T58.5-58.64, Java, lcsh:T, lcsh:Information technology, Computer science, Computation, Secure Shell, General Engineering, computer.software_genre, lcsh:Technology, Virtual laboratory, open source software, control experiment, e-learning, Open source, Engineering education, Control system, Virtual Laboratory, Operating system, MATLAB, computer, computer.programming_language

Abstract

An autonomous and multiplatform virtual laboratory for educational purposes is presented. The implemented platform includes a server with a SSH (Secure SHell) connection and a separated repository containing the virtual experiments. The programming of the experiments is implemented in Java language based tool, the EJS (Easy Java Simulation) and uses an external computation engine, for example Matlab. The virtual laboratory provides control system experiments at University level. Two application examples are described, namely, a magnetic levitator and an inverted pendulum-cart system. The virtual laboratory has been successfully used for education and training of Electronics Engineering students. A discussion of the results of this e-learning experience is also presented.

Published

2012

199. Sumo: An Authenticating Web Application with an Embedded R Session

Author

Timothy T. Bergsma and Michael S. Smith

Subjects

Statistics and Probability, Numerical Analysis, Java, Java servlet, business.industry, Computer science, Secure Shell, Directory, computer.file_format, computer.software_genre, World Wide Web, Operating system, Web application, The Internet, Data set (IBM mainframe), Session (computer science), Statistics, Probability and Uncertainty, business, computer, computer.programming_language

Abstract

Sumo is a web application intended as a template for developers. It is distributed as a Java 'war' file that deploys automatically when placed in a Servlet container's 'webapps' directory. If a user supplies proper credentials, Sumo creates a session-specific Secure Shell con- nection to the host and a user-specific R session over that connection. Developers may write dy- namic server pages that make use of the persis- tent R session and user-specific file space. The supplied example plots a data set conditional on preferences indicated by the user; it also displays some static text. A companion server page al- lows the user to interact directly with the R ses- sion. Sumo's novel feature set complements pre- vious efforts to supply R functionality over the internet. Despite longstanding interest in delivering R func- tionality over the internet (Hornik, 2011), embed- ding R in a web application can still be technically challenging. Anonymity of internet users is a com- pounding problem, complicating the assignment of persistent sessions and file space. Sumo uses Java servlet technology to minimize administrative bur- den and requires authentication to allow unambigu- ous assignment of resources. Sumo has few depen- dencies and may be readily adapted to create other applications.

Published

2012

200. Massive data transfer between supercomputers and grid clusters using SCP controlled by FTS

Author

Manuel Delfino, C Neissner, N Tonello, M. Rodriguez, P Tallada, M Caubet, Francisco Linares Martínez, and G Bernabeu

Subjects

History, business.industry, Computer science, Secure Shell, Supercomputer, Grid, computer.software_genre, Computer Science Applications, Education, Grid computing, Transfer (computing), Computer data storage, Bandwidth (computing), Operating system, Grid energy storage, business, computer

Abstract

Data transfers between Supercomputing centers and Grid sites may be complicated since, in general, Supercomputing centers are not completely incorporated in the Grid environment. In particular, the Port d'Informacio Cientifica (PIC) had to transfer data of cosmological simulations from the Barcelona Supercomputing Center (BSC) to Grid storage resources in order to post-process those data at PIC. The data connection is limited to the Secure Shell (SSH) protocol using the scp command. Besides a limitof bandwidth, we had to deal with a lack of automation and reliability of the transfers. PIC managed to control those scp transfers through gLite's File Transfer Service (FTS). Therefore, the discs containing the data at the BSC are mounted via SSH to a local Storage Resource Management (SRM) server at PIC. Once established the access to the data through the SRM server, the data can be transfered to any other SRM server, including the storage system at PIC, using grid protocols. Although we cannot improve the bandwidth, we reach a level of automation and reliability comparable to transfers from the Tier-0 to Tier-1 sites of the Large Hadron Collider (LHC) experiments.

Published

2011