Account name plain or encrypted?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I'm just wondering: Is the account name used for login already part of
the encryption or not?

Thanks in advance!

Re: Account name plain or encrypted?

Quoted text here. Click to load it

Yes. Encryption has already begun by the time the account name is
sent over the wire.

(This is a good thing, and formed one of the killer arguments in the
question of whether SRP, should it ever be seriously adopted in SSH,
should be implemented as an alternative userauth phase or as an
alternative kex phase. The other killer argument - which,
fortunately, argues in the same direction - is that the SRP shared
secret can be used to retrospectively validate the ordinary host
key, meaning that after you complete a successful SRP authentication
with a server you can then trust its host key for other forms of
Simon Tatham         "The voices in my head are trying to ignore me.

Re: Account name plain or encrypted?

Tobias Nissen wrote:
Quoted text here. Click to load it

The hosts exchange information about their *public* hostkeys, and verify it
with their private keys in a fascinating sort of way, and with that
information encrypt everything else. I'd have to trace the flow of data to see
if the public keys are exchanged in a private way, but certainly the data is
signed with the private key in that exchange to verify that it's the same
server using the same private keys in the future.

Site Timeline