SSH encryption and authentication principles (GitHub)

Source: Internet
Author: User
Tags: md5, md5 hash, asymmetric encryption

I. Background Introduction

I recently uploaded some of my own code to GitHub, and while configuring the GitHub environment I was puzzled by how its SSH authentication works, so I looked into it a little and recorded what I learned here.

II. Introduction to SSH

Simply put, SSH (Secure Shell) is a secure network protocol that combines asymmetric and symmetric encryption to protect communication between computers. Establishing an SSH session has two phases: in the first, the two sides negotiate and set up an encrypted channel that all later traffic travels through; in the second, the user requesting access is authenticated so the server can decide whether to grant that user access.

III. How SSH works

1. Building the encrypted channel together

Before SSH can authenticate anyone, an encrypted channel must be established. That channel uses symmetric encryption, meaning the same key encrypts and decrypts, so the question becomes how the server and the client can both obtain that key without exposing it.

The first approach relies on asymmetric encryption on the server side. The server generates a public/private key pair, and when a client connects, the server hands its public key to the client (a public key can be exposed freely). After receiving the public key, the client generates a 256-bit random session key (the "password"), encrypts it with the server's public key and sends it to the server, which decrypts it with its private key and so obtains the session key. From then on, all traffic between client and server is encrypted with that symmetric key.
</gre_replace>
<gr_replace lines="23-27" cat="clarify" orig="Because the first">
Because the first method still leaves room for the exchanged data to be stolen, there is a second, more secure approach: the DH (Diffie-Hellman) key exchange algorithm generates the key for the encrypted channel. Suppose there are two parties, A (the sender) and B (the receiver). They can build a key that belongs to both of them through the following steps:
(1) Before communicating, A and B each generate their own key pair; call them public key A, private key A, public key B and private key B.
(2) A exposes its public key A to B; B combines its own private key B with public key A through a certain operation to produce a local key B.
(3) Likewise, B exposes its public key B to A; A combines its own private key A with public key B through the same kind of operation to produce a local key A.
(4) The interesting property of this algorithm is that key A and key B turn out to be identical, so A and B now share a "secret" that belongs to both of them, even though only the public keys ever crossed the wire.

Because the first method has the possibility of data being stolen, there is a higher security second approach. The second method uses the DH (diffie-hellman) key exchange algorithm to generate the key for the encrypted channel. Assuming that there are a, b two, a as the sender, B as the receiver, you can build a key password that belongs to both parties by following these steps:
1 First A, b both sides, before the communication to build their own private key pair, the assumption is public key A, private key A, public key B, private key B;
(2) a exposes its own public key A to b,b to generate local key B via a certain operation of the private key B and public key A;
3 Similarly, B exposes its own public key B to a,a to generate local key A by means of a certain operation via private key A and public key B;
4 Finally, the interesting thing about this algorithm is that key A and key B are consistent so that both A and B have a "secret" password belonging to both parties.
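The exchange in steps (1) to (4), written out as an added example that is not code from the original post, using Python's built-in modular exponentiation. The group parameters p and g are a toy constructed for illustration (real SSH uses 2048-bit or larger MODP groups or elliptic-curve DH), and hashing the shared secret down to a 256-bit channel key is an assumption about how the secret is used, not something the post states.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p is the Mersenne prime 2**127 - 1.
# Real SSH uses 2048-bit-or-larger MODP groups (RFC 3526) or elliptic-curve DH.
P = 2**127 - 1
G = 5


def dh_keypair(p=P, g=G):
    """Generate a private exponent and the matching public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p-2, never leaves the host
    pub = pow(g, priv, p)                        # safe to expose, like "public key A"
    return priv, pub


def dh_shared_secret(own_priv, peer_pub, p=P):
    """Step (2)/(3): combine our private exponent with the peer's public value."""
    return pow(peer_pub, own_priv, p)


def derive_session_key(shared):
    """Turn the agreed number into a 256-bit symmetric key for the channel (assumed KDF)."""
    length = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()


def exchange():
    """Run the exchange between A and B; return both keys and what an eavesdropper sees."""
    priv_a, pub_a = dh_keypair()   # A's private key A / public key A
    priv_b, pub_b = dh_keypair()   # B's private key B / public key B
    # Only the public values cross the wire; an observer of the channel sees just these.
    on_the_wire = {"p": P, "g": G, "pub_a": pub_a, "pub_b": pub_b}
    key_a = derive_session_key(dh_shared_secret(priv_a, pub_b))  # A computes (pub_b)^priv_a
    key_b = derive_session_key(dh_shared_secret(priv_b, pub_a))  # B computes (pub_a)^priv_b
    return key_a, key_b, on_the_wire


if __name__ == "__main__":
    ka, kb, seen = exchange()
    print("keys agree:", ka == kb)
```

Both sides arrive at the same key because (g^a)^b and (g^b)^a are the same number mod p, while the observer never sees a or b.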

2. User authentication and open access

Once the encrypted session channel is established, SSH enters the user authentication phase for logging in to the remote machine. There are two authentication methods: "password authentication" and "public key authentication".

1) Password Authentication
After the encrypted channel is established, the server asks the client for a password, and the password the client enters is sent to the server through that encrypted channel.

2) Public key authentication
Authentication with an SSH key pair starts after the encrypted channel from the previous section is in place, and it proceeds as follows. The client sends its key ID to the server. The server looks in its own authorized_keys file for a public key with that ID; if one is found, the server generates a random number, encrypts it with that public key and sends the encrypted random number to the client. The client decrypts the random number with its private key, computes an MD5 hash of it and sends that hash back to the server. The server computes the MD5 hash of the random number it generated at the start and compares it with the hash the client sent (the hash itself travels through the encrypted channel). If the two values match, authentication succeeds and the client is granted access.

In simple terms, the server encrypts something with the public key, and the client proves that it holds the matching private key by decrypting it.
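The challenge-response flow as the post describes it, as an added example that is not the post's own code; the textbook RSA key built from two known primes, the key ID "client-laptop" and the authorized_keys dictionary are all constructed for illustration. This matches the older SSH-1 RSA method; SSH-2 (RFC 4252) instead has the client sign the session data with its private key.

```python
import hashlib
import secrets

# Toy textbook RSA key for the client, constructed from two known Mersenne primes.
# Real keys are 2048+ bits and use padding; this only shows the flow from the text.
P_CLIENT = 2**61 - 1
Q_CLIENT = 2**89 - 1
N = P_CLIENT * Q_CLIENT
E = 65537
D = pow(E, -1, (P_CLIENT - 1) * (Q_CLIENT - 1))   # private exponent, stays on the client

# What the server keeps in authorized_keys: key ID -> public key (n, e). Constructed.
AUTHORIZED_KEYS = {"client-laptop": (N, E)}


def server_issue_challenge(key_id):
    """Look up the key ID; if present, encrypt a fresh random number with its public key."""
    if key_id not in AUTHORIZED_KEYS:
        return None, None                  # unknown ID: no challenge is issued
    n, e = AUTHORIZED_KEYS[key_id]
    r = secrets.randbelow(n - 1) + 1       # the random number, kept server-side
    return r, pow(r, e, n)                 # (secret r, ciphertext sent to the client)


def client_answer(ciphertext, d=D, n=N):
    """Decrypt with the private key and return the MD5 hash of the recovered number."""
    r = pow(ciphertext, d, n)
    return hashlib.md5(r.to_bytes(32, "big")).hexdigest()


def server_verify(r, answer):
    """Compare the client's hash with MD5 of the number the server generated itself."""
    expected = hashlib.md5(r.to_bytes(32, "big")).hexdigest()
    return secrets.compare_digest(expected, answer)   # constant-time comparison


def authenticate(key_id, d=D, n=N):
    """Whole round trip: returns True only if the client could decrypt the challenge."""
    r, ciphertext = server_issue_challenge(key_id)
    if r is None:
        return False
    return server_verify(r, client_answer(ciphertext, d, n))


if __name__ == "__main__":
    print("authenticated:", authenticate("client-laptop"))
```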

