This report details the TLS and SSH security standards, how they work and where they are used. By comparing both standards to assess the similarities and main differences between them, and by looking at where each is used, we can gain an understanding of why the standards are used so widely within the realm of the internet.
TLS is the security protocol used to secure important information such as bank details and credit card transactions. It is the successor to SSL, which was originally created by Netscape and had three versions. The first was never publicly released; version 2.0 was released in February 1996 and was succeeded by 3.0 in 1996 because 2.0 contained many bugs and security flaws. After this all versions were called TLS, starting with 3.1, which was released in 1999. The new standard was not very different from SSL 3.0, although the two are not the same and cannot work together, although TLS 1.0 can downgrade the connection to SSL 3.0. Major changes came with the development of TLS 1.1 (SSL 3.1), which added protection against some attacks, including attacks on cipher block chaining (CBC), as well as changing the initialisation vector from implicit to explicit and enabling padding errors.
Finally, TLS 1.3, which is currently being used, is an adaptation of 1.1 and includes many changes to the encryption it uses, including the MD5 and SHA algorithms being used to protect the data while it is transferred between the client browser and server. This seems to work well, and nowadays most websites are secured with TLS, with companies like VeriSign issuing certificates. (Wikipedia, 2011)
Secure Shell is one of the most widely used protocols today. It is used to connect to remote servers for administration purposes and gives the user full access to the server; this is handy if the server in question is on the other side of the world and needs updating or reconfiguring. The term SSH relates to the standard: although there are many variants of SSH, there are only two standards. SSH-1 was created in 1995 by Tatu Ylönen, a researcher at the Helsinki University of Technology in Finland, who actually created SSH for himself after an attack on the university network compromised passwords. It was only later, when beta versions started to gain attention, that it could be foreseen that it might be used on a bigger scale. Later that year, in July, SSH 1 was released to the public as free open source software, and it had 20,000 users by the end of the year, with Ylönen getting hundreds of emails a day asking for support. This led him to create SSH Communications Security, Ltd, which today governs the development and continuation of the SSH code. Ylönen is today the chairman and chief technology officer (CTO) of this company. The SSH standard's current version is SSH2, or SSH-2; it was released in 2006 with added security and features such as running multiple shells over a single SSH connection. (Wikipedia, Secure Shell, 2011)
Similarities of both security protocols
Both of these protocols are widely used in today's internet age, where security is the highest priority for companies who wish to secure their data and also secure their customers. TLS is used in a wider market, as most web applications now use TLS to secure the connection between the users, whereas SSH is by nature used in administration situations. Both security standards are transparent to the user, although TLS is more transparent at higher levels of application protocols, meaning that an application like email is aware when a TLS connection to the server is made; it creates a session with the server, and after the user closes the application the session is ended automatically. Both encryptions use the MD5 and SHA ciphers for their key hash checking methods to make sure the data has not been altered. (S.Tanenbaum, 2003) (Daniel J. Barrett, 2001)
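The hash checking mentioned above is a keyed MAC computed over each record or packet together with a sequence number. The following is an added example, not part of the original essay: it follows the TLS 1.0-1.2 record MAC layout and the SSH-2 packet MAC layout, uses HMAC-SHA-256 in place of MD5, and the key, record and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(32))  # constructed MAC key, for illustration only

def tls_record_mac(key, seq, ctype, version, fragment):
    # TLS 1.0-1.2 layout: seq_num(8) || type(1) || version(2) || length(2) || fragment
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

def ssh_packet_mac(key, seq, packet):
    # SSH-2 layout: sequence_number(4) || unencrypted packet
    return hmac.new(key, struct.pack("!I", seq & 0xFFFFFFFF) + packet, hashlib.sha256).digest()

def tls_accept(key, seq, ctype, version, fragment, mac):
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return hmac.compare_digest(tls_record_mac(key, seq, ctype, version, fragment), mac)

def ssh_accept(key, seq, packet, mac):
    return hmac.compare_digest(ssh_packet_mac(key, seq, packet), mac)

def demo():
    fragment = b"amount=100&to=alice"  # constructed application data
    tls_mac = tls_record_mac(KEY, 5, 23, (3, 3), fragment)
    # Constructed SSH packet: packet_length=12, padding_length=6, payload, padding
    packet = b"\x00\x00\x00\x0c\x06" + b"ls -l" + b"\x00" * 6
    ssh_mac = ssh_packet_mac(KEY, 9, packet)
    return {
        "tls_intact": tls_accept(KEY, 5, 23, (3, 3), fragment, tls_mac),
        "tls_altered": tls_accept(KEY, 5, 23, (3, 3), b"amount=900&to=alice", tls_mac),
        # Same bytes and MAC, but the receiver is already at sequence number 6.
        "tls_replayed": tls_accept(KEY, 6, 23, (3, 3), fragment, tls_mac),
        "ssh_intact": ssh_accept(KEY, 9, packet, ssh_mac),
        "ssh_altered": ssh_accept(KEY, 9, packet.replace(b"ls -l", b"rm -r"), ssh_mac),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails verification even though its bytes are unchanged.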
Differences of both security protocols
The main difference between TLS and SSH is that they use different ways to encrypt the data that is sent. TLS uses cryptography in the form of an MD5-SHA combination to encrypt the data between the server and the client's browser, whereas SSH uses a username and password and uses channels of random keys when the connection is made, and then destroys them when the connection is closed. SSH can use a number of different encryption algorithms, including Blowfish, DES and triple DES, to name just a few. TLS could be seen as less secure than SSH: even though TLS cannot be eavesdropped on like older SSL standards, thanks mostly to the RSA hash keys it uses to negotiate a connection with the user, the weakness here could be the user's browser, which can be made to disable TLS before making a connection to the server, meaning any data is transmitted in the clear, whereas with SSH the connection cannot be tampered with in this way. (S.Tanenbaum, 2003) (Daniel J. Barrett, 2001)
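The weakness described above, a browser being steered onto plain HTTP before TLS starts, is what a redirect to HTTPS combined with an HTTP Strict Transport Security (HSTS) policy is meant to close. The following added example, not part of the original essay, audits a site's responses for both; the response dictionaries, host name and the 180-day threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days; policy threshold assumed for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (directive names are case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be quoted
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit_site(http_resp, https_resp):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    location = http_resp["headers"].get("location", "")
    if not (300 <= http_resp["status"] < 400 and urlsplit(location).scheme == "https"):
        findings.append("plain HTTP is served without a redirect to HTTPS")
    # Browsers only honour HSTS received over HTTPS, so only that response is checked.
    hsts = https_resp["headers"].get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS header has no valid max-age")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("HSTS max-age %d is below %d" % (policy["max_age"], MIN_MAX_AGE))
    if not policy["include_subdomains"]:
        findings.append("HSTS policy does not cover subdomains")
    return findings

# Constructed responses (header names lower-cased) for two hypothetical sites.
WEAK_HTTP = {"status": 200, "headers": {"content-type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"strict-transport-security": "max-age=300"}}
GOOD_HTTP = {"status": 301, "headers": {"location": "https://shop.example.test/"}}
GOOD_HTTPS = {"status": 200, "headers": {
    "strict-transport-security": "max-age=31536000; includeSubDomains"}}

if __name__ == "__main__":
    print("weak:", audit_site(WEAK_HTTP, WEAK_HTTPS))
    print("good:", audit_site(GOOD_HTTP, GOOD_HTTPS))
```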
TLS requires a web server or web application and a signed certificate. The certificate can be issued by the server itself, which is the case for internal networks where the certificate doesn't need to go through the same process; this is called a self-signed certificate and is non-trusted, which is OK for intranets and internal email. For the internet, the certificate needs to be purchased, and there are a few places to do so, for example VeriSign, who are one of the biggest suppliers of trusted certificates, giving users peace of mind when using online banking and shopping websites. The network requirements of SSL/TLS could be a server that is connected to the internet with a dedicated IP address and that runs a web server such as Apache or Microsoft IIS that can support SSL certificates and traffic over the internet.
SSH requires one of the available SSH servers, such as OpenSSH, which runs on Linux. Linux is where SSH is used more often than on any other operating system, as most web servers run Linux. A network requirement is to have port 22 open on the firewall if SSH is being accessed from the outside world, and on the other end the user requires an SSH client like PuTTY, which is widely used and is light and simple to use. From a security standpoint, an RSA key could also be generated so that when the user connects they are not prompted with a warning message every time they connect.
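The warning an SSH client shows on connecting comes from comparing the server's host key with the entries stored in the client's known_hosts file. The following added example, not part of the original essay and not OpenSSH's own code, performs that comparison for plain (unhashed) entries; the host names, key blobs and file contents are constructed.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    # SSH wire encoding of a string: 4-byte big-endian length, then the bytes
    return struct.pack("!I", len(data)) + data

def fingerprint(blob):
    # The form OpenSSH prints: "SHA256:" + unpadded base64 of SHA-256(key blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts, host, key_type, blob):
    """Return 'match', 'unknown' (first-connection prompt) or 'changed' (warning)."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, hashed hosts (|1|...) and @marker lines.
        if len(fields) < 3 or fields[0][0] in "#|@":
            continue
        hosts, stored_type, stored_b64 = fields[:3]
        if host not in hosts.split(",") or stored_type != key_type:
            continue
        seen = True
        if base64.b64decode(stored_b64) == blob:
            return "match"
    return "changed" if seen else "unknown"

# Constructed key blobs: the moduli are dummy bytes, not real RSA keys.
EXPONENT = ssh_string(b"\x01\x00\x01")
GOOD_KEY = ssh_string(b"ssh-rsa") + EXPONENT + ssh_string(b"\x00" + b"\xa5" * 256)
OTHER_KEY = ssh_string(b"ssh-rsa") + EXPONENT + ssh_string(b"\x00" + b"\x5a" * 256)
KNOWN_HOSTS = (
    "# constructed known_hosts file\n"
    "server.example.test,192.0.2.10 ssh-rsa "
    + base64.b64encode(GOOD_KEY).decode() + " admin note\n"
)

if __name__ == "__main__":
    cases = [("server.example.test", GOOD_KEY),
             ("server.example.test", OTHER_KEY),
             ("new.example.test", GOOD_KEY)]
    for host, key in cases:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-rsa", key))
```

A result of "changed" for a host that previously matched is the case an administrator should investigate before connecting, by comparing the fingerprint with one obtained from the server through a separate channel.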
Examples of protocol use
SSH would be used rather than TLS for remote server administration tasks such as creating users on a server or transferring a large amount of data from one machine to another. Using SSH gives the admin full access to the computer they connect to, and they can even run applications remotely using this protocol. TLS could not offer such flexibility, as it could pose a security risk if the client's browser is compromised with a sidejacking attack to steal cookies; this could give the attacker access to the server, because the original user would still be logged in and the stolen session cookies would be used to interact with the web server.
TLS would be preferred over SSH when there is a need to secure the network from outside attacks. By locking the outside network down to a few ports, the system administrators could protect the internal network, with only a web front end being available to the end user. Although, as detailed above, this is also not the best option, it is more secure in the sense that if the SSH username and password were compromised the attacker could run riot on the network, whereas with a secure website for things like file transfer and email the risk is lessened. A good example of this could be shared hosting: if each user was given SSH access they could access everyone else's website on the server, and this in itself is a security risk.
In conclusion, both of these security protocols seem pretty secure, although during my research and through a personal interest in security I have found that even now, with all the revisions of TLS, there are still many flaws with it, mainly the browser, so the protocol can't really be faulted, and SSH seems secure unless the username and password are cracked or leaked by accident by bad system administrators. With the internet age coming on in leaps and bounds, and with everything online nowadays, including everyone's personal data located on servers all over the world, I can see TLS continuing to be developed, although SSH will probably not have the same fate, as Microsoft have started to include a remote shell in Server 2008. On the Windows side of things it's only a matter of time before a better solution comes around the corner.