SSH: Difference between revisions
| Line 1: | Line 1: | ||
==General== | ==General== | ||
The SSH employs a public key cryptography. A public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Together they are known as a key-pair. In SSH, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a host (server) key, the other as a user (client) key. Any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. | The SSH employs a public key cryptography. A public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Together they are known as a key-pair. In SSH, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a '''host (server) key''', the other as a '''user (client) key'''. Any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. | ||
One important issue is confidence/proof that a particular public key is authentic, i.e. that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. There are several possible approaches, including: | One important issue is confidence/proof that a particular public key is authentic, i.e. that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. There are several possible approaches, including: | ||
*A public key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs. TLS relies upon this. | *A public key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs. TLS relies upon this. | ||
*A "web of trust" which decentralizes authentication by using individual endorsements of the link between user and public key. PGP uses this approach, as well as lookup in the domain name system (DNS). The DKIM system for digitally signing emails also uses this approach. | *A "web of trust" which decentralizes authentication by using individual endorsements of the link between user and public key. PGP uses this approach, as well as lookup in the domain name system (DNS). The DKIM system for digitally signing emails also uses this approach. | ||
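Review bot: in the revised General paragraph, the newly bolded terms sit in a sentence that calls a key pair a "key" ("One key pair is known as a '''host (server) key'''"), so the emphasis now draws attention to the mismatch; consider "host (server) key pair" and "user (client) key pair", or keep the bold terms and reword the sentence so that each pair is said to contain the key. The paragraph also still opens with "The SSH employs a public key cryptography", which this revision could fix in passing by dropping both articles.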
Revision as of 21:00, 7 January 2020
General
SSH employs public-key cryptography. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms that requires two separate keys, one of which is secret (or private) and one of which is public. Together they are known as a key pair. In SSH, public-key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a host (server) key, the other as a user (client) key. Anyone can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.
One important issue is establishing confidence that a particular public key is authentic, i.e. that it is correct, belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. There are several possible approaches, including:
- A public key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs. TLS relies upon this.
- A "web of trust" which decentralizes authentication by using individual endorsements of the link between user and public key. PGP uses this approach, as well as lookup in the domain name system (DNS). The DKIM system for digitally signing emails also uses this approach.
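Whichever approach is used, the final check is the same: the key that was offered must match a value obtained through a channel you already trust. The following added example (not part of the original wiki page) computes the SHA256 fingerprint of an SSH public key line and compares it with a pinned fingerprint; the sample keys, the `host.example` comment and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def make_blob(algo: str, key_bytes: bytes) -> bytes:
    """Encode an SSH wire-format public key blob: two length-prefixed strings."""
    name = algo.encode()
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(key_bytes)) + key_bytes


def parse_pubkey_line(line: str) -> bytes:
    """Return the decoded blob of an '<algo> <base64> [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algo> <base64> [comment]'")
    algo, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The blob repeats the algorithm name; a mismatch means a corrupt or edited line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != algo.encode():
        raise ValueError("algorithm name does not match key blob")
    return blob


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(parse_pubkey_line(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_is_authentic(line: str, pinned: str) -> bool:
    """Compare the offered key against a fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint(line), pinned)


# Constructed sample keys (not real host keys): 32 arbitrary bytes each.
GOOD = "ssh-ed25519 " + base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode() + " host.example"
SWAPPED = "ssh-ed25519 " + base64.b64encode(make_blob("ssh-ed25519", bytes(range(1, 33)))).decode() + " host.example"
PINNED = fingerprint(GOOD)  # stands in for the value published by the server's administrator

if __name__ == "__main__":
    print(PINNED)
    print("genuine key accepted:", key_is_authentic(GOOD, PINNED))
    print("replaced key accepted:", key_is_authentic(SWAPPED, PINNED))
```

The fingerprint covers the whole key blob, so a key replaced in transit produces a different value even when the algorithm and comment fields are unchanged.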