Version negotiation, Key and algorithm negotiation, Authentication – H3C Technologies H3C WX6000 Series Access Controllers User Manual

64-3

Version negotiation

z

The server opens port 22 to listen to connection requests from clients.

z

The client sends a TCP connection request to the server. After the TCP connection is established,
the server sends the first packet to the client, which includes a version identification string in the
format of “SSH-<primary protocol version number>.<secondary protocol version
number>-<software version number>”. The primary and secondary protocol version numbers
constitute the protocol version number, while the software version number is used for debugging.

z

The client receives and resolves the packet. If the protocol version of the server is lower but
supportable, the client uses the protocol version of the server; otherwise, the client uses its own
protocol version.

z

The client sends to the server a packet that contains the number of the protocol version it decides
to use. The server compares the version carried in the packet with that of its own to determine
whether it can cooperate with the client.

z

If the negotiation is successful, the server and the client proceed with key and algorithm negotiation;
otherwise, the server breaks the TCP connection.

All the packets involved in the above steps are transferred in plain text.

Key and algorithm negotiation

z

The server and the client send key algorithm negotiation packets to each other, which include the
supported public key algorithm list, encryption algorithm list, MAC algorithm list, and compression
algorithm list.

z

Based on the received algorithm negotiation packets, the server and the client figure out the
algorithms to be used.

z

The server and the client use the DH key exchange algorithm and parameters such as the host key
pair to generate the session key and session ID.

Through the above steps, the server and the client get the same session key, which is to be used to
encrypt and decrypt data exchanged between the server and the client later. The server and the client
use session ID in the authentication stage.

Before the negotiation, the server must have already generated the RSA and DSA key pairs, which are
mainly used for generating the session key.

Authentication

z

The client sends to the server an authentication request, which includes the username,
authentication method and information related to the authentication method (the password in the
case of password authentication).