Score:4

Why does the SSH protocol generate two keys: an encryption key for client to server communication and server to client communication?

dz flag

As described in the SSH RFC an initial IV to server, initial IV to client, encryption key client to server, encryption key server to client, integrity key client to server, and an integrity key server to client are generated.

Why does SSH generate a key for server -> client communication and a key for client -> server communication?

Score:9
ng flag

There's a line of thought in crypto when it comes to keys: one usage, one key.

That gives a first level of rationale towards using separates keys in each direction: each direction is a different usage of the key.

Next level is to illustrate what class of attacks this prevents. That is: mirror attacks. Imagine an encryption key and a (separate) authentication key are used in both directions. It's at least plausible that an adversary can take an encrypted and authenticated piece of data sent by the server, and re-transmit it towards the server as if it came from the client. Baring details in the protocol, that piece of data would pass authentication and be decrypted as if it came from the client. That goes against the simpler statement of the objective of the protocol, and is a break (whether it's exploitable depends on details that we do not want to consider). Contrast with the situation using different keys: authentication fails (and decryption, if it occurs, yields rubbish).

Addition: There are other effective ways to prevent mirror attacks ( e.g. indicating the intended recipient in authenticated cryptograms). There sometime are good reasons to use this rather than multiple keys (e.g. minimizing the memory footprint of an open channel).

nilch avatar
dz flag
Thank you, follow up question: does TLS also generate two symmetric keys (one for client->server and one for server->client)?
cn flag
@nilch No it doesn't, which is a counter-argument to this answer. Other measures in the protocol address the issue mentioned here.
poncho avatar
my flag
@user207421: actually, TLS *does* generate separate symmetric keys for the two directions (client-to-server and server-to-client).
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.