GM/T 0129-2023 Secure shell cryptography protocol specification
1 Scope
This document specifies the secure shell cryptography protocol, the encrypted transport protocol, the authentication protocol, the connection protocol of the interactive tunnel, and the usage method of the cryptographic algorithm in the protocol.
This document is applicable to the development and testing of SSH server and SSH client products.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 15852.1 Information technology - Security techniques - Message authentication codes - Part 1: Mechanisms using a block cipher
GB/T 15852.2 Information technology - Security techniques - Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function
GB/T 33560 Information security technology - Cryptographic application identifier criterion specification
GB/T 35275 Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GB/T 35276 Information security technology - SM2 cryptographic algorithm usage specification
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001 apply.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
CR: Carriage-Return
LF: Line-Feed
SP: Space
SSH: Secure Shell
5 Protocol framework
5.1 General
The SSH cryptography protocol is a protocol suite composed of the transport layer protocol, the authentication protocol, and the connection protocol. It is used for secure remote login and secure network services on insecure networks. The transport layer protocol and authentication protocol may also form security application services such as sftp and scp together with other services.
When the SSH cryptography protocol is established, the transport layer protocol first establishes a secure communication channel; the authentication protocol is then used to authenticate the identities of the client and server on this secure communication channel; finally, after authentication is completed, the connection protocol establishes the corresponding SSH service on the secure communication channel.
5.2 Transport layer protocol
The transport layer protocol provides server authentication, confidentiality, and integrity. The transport layer protocol may run on a TCP connection and may also be used on other reliable data streams.
5.3 Authentication protocol
The authentication protocol is used by the server to authenticate the identity of the client user. The authentication protocol runs on the transport layer protocol.
5.4 Connection protocol
The connection protocol is used to multiplex an encrypted tunnel into several logical channels. The connection protocol runs on the authentication protocol. The connection protocol may be used to provide various network services, including the interactive environment (shell), port forwarding, and X11 connections.
Contents of GM/T 0129-2023
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Protocol framework
5.1 General
5.2 Transport layer protocol
5.3 Authentication protocol
5.4 Connection protocol
6 Cryptographic algorithms and key types
6.1 Cryptographic algorithm
6.2 Key types
7 Definitions of data types
7.1 Algorithm identifier
7.2 Basic data types
8 Transport layer protocol
8.1 General
8.2 Protocol flow
8.3 Protocol version
8.4 Packet
8.5 Key agreement
8.6 Service request
8.7 Disconnection
9 Authentication protocol
9.1 General
9.2 Protocol flow
9.3 Packet
9.4 Password-based authentication method
9.5 Authentication method based on the asymmetric key
9.6 Authentication method based on the digital certificate
10 Connection protocol
10.1 General
10.2 Connection channel
10.3 Packet
Bibliography