
Most cryptographically protected protocols use TLS these days. This applies to mail protocols, HTTP and many others. The newly designed QUIC has also adopted TLS as its cryptography layer.

However, SSH is different: it has its own cryptography layer.

Why does SSH have a non-TLS cryptography layer? Are there any benefits for SSH to have its own cryptography layer?

About the only difference between SSH and other protocols is that SSH frequently sends messages having just one keystroke. Is the SSH cryptography layer more optimal in the case of extremely short messages?

Related although not the same: How does TLS differ from SSH from a strictly cryptographic perspective?

I think the certificate verification mechanism of SSH (automatically learning) could be supported with TLS. You just wouldn't have a root CA; you would accept each certificate separately and remember the acceptance.

juhist

2 Answers


SSH not using TLS is mostly historical; see for instance this answer (on security.SE). In practice, one could perfectly define a sort-of SSH that would use TLS for the data transport part; but, of course, it would not be compatible with existing SSH servers and clients. From a pure cryptographic point of view, SSH actually has some shortcomings with its encrypt-and-MAC encryption, and encrypted "length" field; this does not lead to really exploitable vulnerabilities due to the specific usage of SSH (attackers don't get to trigger thousands of new silent connections with partially chosen data, contrary to TLS, where such things can be done thanks to the magic of JavaScript), and recent AEAD integration mostly fixes them anyway.

Thomas Pornin
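The two packet layouts the answer contrasts, side by side, as an added example that is not part of the original answer or of any SSH implementation: the RFC 4253 encrypt-and-MAC layout, where packet_length sits inside the ciphertext and the MAC is computed over the plaintext, and the layout OpenSSH uses for its `*-etm@openssh.com` modes, where packet_length is sent in the clear and the MAC covers the sequence number, the cleartext length and the ciphertext. To stay on the standard library the cipher is a stand-in keystream built from HMAC-SHA256 rather than AES-CTR, the keys and sequence number are constructed test values, and the helper names (`eam_send`, `etm_recv`, `tamper`, `demo`) are the example's own.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16     # cipher block size: the receiver must decrypt this much to learn packet_length
MAC_LEN = 32   # HMAC-SHA256 tag length

# Constructed test keys for this example; real SSH derives them from the KEX shared secret.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))

keystream_calls = 0   # how often the cipher was run; shows what happens before the MAC check


def keystream(key, seq, n):
    """Stand-in for AES-CTR: HMAC-SHA256 used as a PRF over (sequence number, counter)."""
    global keystream_calls
    keystream_calls += 1
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QQ", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mac_tag(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()


def build_packet(payload):
    """RFC 4253 section 6: packet_length || padding_length || payload || random padding,
    padding >= 4, whole packet a multiple of BLOCK (immaterial for a stream cipher)."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)) + body


# --- classic SSH: encrypt-and-MAC, packet_length inside the ciphertext ---

def eam_send(seq, payload):
    pkt = build_packet(payload)
    tag = mac_tag(struct.pack(">I", seq) + pkt)              # MAC over the plaintext
    return xor(pkt, keystream(ENC_KEY, seq, len(pkt))) + tag


def eam_peek_length(seq, wire):
    """The packet_length the receiver acts on; nothing has been authenticated yet."""
    first = xor(wire[:BLOCK], keystream(ENC_KEY, seq, BLOCK))
    return struct.unpack(">I", first[:4])[0]


def eam_recv(seq, wire):
    total = 4 + eam_peek_length(seq, wire)
    # A real receiver would now wait for `total` bytes from the network before it could
    # check the MAC; here the sanity check simply rejects what does not fit the buffer.
    if total % BLOCK or total + MAC_LEN > len(wire):
        raise ValueError("bad length")
    pkt = xor(wire[:total], keystream(ENC_KEY, seq, total))
    if not hmac.compare_digest(wire[total:total + MAC_LEN], mac_tag(struct.pack(">I", seq) + pkt)):
        raise ValueError("bad MAC")
    return pkt[5:total - pkt[4]]


# --- OpenSSH *-etm@openssh.com modes: length in the clear, MAC over the ciphertext ---

def etm_send(seq, payload):
    pkt = build_packet(payload)
    length_field, body = pkt[:4], pkt[4:]
    ct = xor(body, keystream(ENC_KEY, seq, len(body)))
    tag = mac_tag(struct.pack(">I", seq) + length_field + ct)
    return length_field + ct + tag


def etm_recv(seq, wire):
    length = struct.unpack(">I", wire[:4])[0]
    ct, tag = wire[4:4 + length], wire[4 + length:4 + length + MAC_LEN]
    if not hmac.compare_digest(tag, mac_tag(struct.pack(">I", seq) + wire[:4] + ct)):
        raise ValueError("bad MAC")                           # rejected before any decryption
    body = xor(ct, keystream(ENC_KEY, seq, len(ct)))
    return body[1:length - body[0]]


def tamper(wire, index, mask=0x01):
    """Flip one bit of a wire image, as an active attacker on the path could."""
    out = bytearray(wire)
    out[index] ^= mask
    return bytes(out)


def demo(payload=b"hello", seq=7):
    """Deliver each layout untouched, then with one bit of packet_length (byte 3) flipped."""
    global keystream_calls
    results = {}
    for name, send, recv in (("eam", eam_send, eam_recv), ("etm", etm_send, etm_recv)):
        wire = send(seq, payload)
        results[name + "_roundtrip"] = recv(seq, wire)
        keystream_calls = 0
        try:
            recv(seq, tamper(wire, 3))
        except ValueError as err:
            results[name + "_error"] = str(err)
        results[name + "_decrypted_before_reject"] = keystream_calls > 0
    return results
```

Running `demo()` shows the structural difference: with the flipped bit, the encrypt-and-MAC receiver has already run the cipher and parsed a packet_length of 13 instead of 12 before it has any way to tell the packet is bad, so how many bytes it waits for and when it errors out are decided by unauthenticated data. The encrypt-then-MAC receiver rejects the same packet on the MAC check without touching the cipher at all. That ordering is the shortcoming the answer refers to, and it is what the ETM and AEAD modes remove.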

If by TLS, you mean specifically the series of protocols that is named "TLS", then the answer to why SSH wasn't designed to use them is quite simple: they didn't exist when SSH was designed. TLS was released in 1999, SSH in 1995.

If you are referring to the whole family of protocols that is now known as TLS but used to be known as SSL, then the answer is similar: SSL 2.0 was released in 1995, the same year as SSH. It is thus likely that SSH had at least partly already been designed before SSL became known.

SSL 1.0 already existed in 1994, but it was never released as a protocol, because it was soon discovered that it was severely broken. This may also have weakened Ylonen's trust in SSL, so even if he knew about it and considered using it, this may have influenced him to roll his own.

Jörg W Mittag