开发者

ssh authentication conceptual question

开发者 https://www.devze.com 2023-04-07 11:57 出处:网络
Everywhere I read they say ssh key pair authentic开发者_如何学运维ation is more secure then simple password authentication because signature send to the server is always different .So if someone get m

Everywhere I read they say ssh key pair authentic开发者_如何学运维ation is more secure then simple password authentication because signature send to the server is always different . So if someone get my signature he cannot use it next time to login on my behalf .

Now my question is how this signature is unique ?

Does server send some random string first to which my computer sign it with my private key and send it back . Because this is the only way I see signature to be unique everytime . But everywhere on the web they say client send signature FIRST (as this is the first step) but I think server should send random string first !!


For key authentication, your private key is never revealed to the server (and therefore not to the attacker), only your public key. Likewise, the server's private key is never revealed to you (or the attacker), only the public key.

Diffie-Hellman is used to derive two keypairs (one for each party) that are then used to send application data back and forth, whether authentication is done using a simple password or using public-key authentication.

In the case of password authentication, the session keypairs are calculated before the user/password is sent across the wire. This prevents simple eavesdropping but of course does not prevent attackers from trying to connect and guess the user/password combination directly. And of course, many users choose poor passwords.

In the case of public-key authentication, the session keypairs are calculated, then a simple conversation (typically a math question/answer) is done using RSA or a similar algorithm to verify the declared user matches the public key. This conversation cannot be faked without guessing one of the private keys. When done correctly, this is much harder to do than for even the strongest passwords. Even if there is a weakness in public-key authentication, such as in the random number generator, the resulting weak public-key authentication can still be much stronger than for password authentication.


I’m not a security expert, but here’s my understanding of how key-based authentication works: The server sends a random number encrypted using your private key. The client decrypts the challenge and sends it back to the server, verifying that it is in possession of the private key.

However, I presume that a similar technique is used for password-based authentication: The server sends a random number. The client appends the random number to the password, computes the hash, and sends it to the server which verifies it by computing it in the same way.

So that doesn’t seem to be a reason why public key–based authentication would be “more secure”.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号