Key and algorithm negotiation, Authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

289

either case, the client sends a packet to the server to notify the server of the protocol version that

it decides to use.

5.

The server compares the version number carried in the packet with that of its own. If the server
supports the version, the negotiation succeeds and the server and the client proceed with key and

algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection.

NOTE:

All the packets involved in the preceding steps are transferred in plain text.

Key and algorithm negotiation

The server and the client send algorithm negotiation packets to each other, notifying the peer of the

supported public key algorithms, encryption algorithms, Message Authentication Code (MAC)

algorithms, and compression algorithms.
Based on the received algorithm negotiation packets, the server and the client figure out the algorithms
to be used. If the negotiation of any type of algorithm fails, the algorithm negotiation fails and the server

tears down the connection with the client.
The server and the client use the DH key exchange algorithm and parameters such as the host key pair

to generate the session key and session ID, and the client authenticates the identity of the server.
Through the steps, the server and the client get the same session key and session ID. The session key is

used to encrypt and decrypt data exchanged between the server and client later. The session ID is used

to identify the session established between the server and client and is used in the authentication stage.

NOTE:

Before the key and algorithm negotiation, the server must have already generated an ECDSA or RSA key
pair, which is used in generating the session key and session ID, and by the client to authenticate the

identity of the server. For more information about ECDSA and RSA key pairs, see "Configuring public

keys."

Authentication

SSH supports the following authentication methods:

•

Password authentication—The SSH server uses AAA for authentication of the client. During
password authentication, the SSH client encrypts its username and password, encapsulates them

into a password authentication request, and sends the request to the server. After receiving the
request, the SSH server decrypts the username and password, checks the validity of the username

and password locally or by a remote AAA server, and then informs the client of the authentication

result. If the remote AAA server requires the user for a password re-authentication, it carries a

prompt in the authentication response to send to the access controller. The prompt is transparently
transmitted to the client, and displayed on the client to notify the user to enter a specified password.

After the user enters the correct password and passes validity check by the remote AAA server, the

access controller returns an authentication success message to the client.

•

Publickey authentication—The server authenticates the client by the digital signature. During
publickey authentication, the client sends the server a publickey authentication request that contains

its username, public key, and publickey algorithm information. The server checks whether the public
key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates

the client by the digital signature. Finally, the server sends a message to the client to inform it of the

authentication result. The access controller supports using the publickey algorithms RSA and ECDSA

for digital signature.