How the RSA/DSA key works

Source: Internet
Author: User

The following is a general overview of how RSA/DSA key authentication works. Let's start with an imaginary scenario: we want to use RSA authentication to let a local Linux workstation (called localbox) open a remote shell on remotebox, a machine belonging to our ISP. Right now, when we try to connect to remotebox with our ssh client, we get the following prompt:

ssh drobbins@remotebox
drobbins@remotebox's password:

What we see here is an example of ssh's default way of handling authentication: it asks us to enter the password for the drobbins account on remotebox. If we type in our remotebox password, ssh uses the secure password authentication protocol to send it to remotebox for verification. Unlike telnet, where the password crosses the wire in the clear, here it is encrypted in transit, so it cannot be read by anyone sniffing our connection. Once remotebox has checked the password against its password database, we are logged in and greeted by a remotebox shell prompt. Although ssh's default password authentication is reasonably secure, RSA and DSA authentication open up some new possibilities for us.

Unlike ssh's password authentication, however, RSA authentication requires some initial configuration. We only need to perform these setup steps once; after that, RSA authentication between localbox and remotebox is effortless. To set up RSA authentication, we first generate a pair of keys: a private key and a public key. These two keys have some very useful properties. A message encrypted with the public key can only be decrypted by whoever holds the matching private key; the public key itself is no help in decrypting it. (RSA can also be used the other way round, signing with the private key and verifying with the public key; DSA is a signature-only algorithm and cannot encrypt at all, so DSA authentication relies on signatures rather than on decryption.) The RSA and DSA authentication protocols use these properties of the key pair to authenticate us securely without ever sending any secret over the wire.

To use RSA or DSA authentication, we perform a one-time configuration step: we copy the public key to remotebox. There is a reason public keys are called "public": since it can only be used to encrypt messages addressed to us, we do not need to worry much about it falling into someone else's hands. Once our public key has been copied to remotebox and placed in the dedicated file where remotebox's sshd looks for it (~/.ssh/authorized_keys), we are ready to log in to remotebox using RSA authentication. The private key, by contrast, never leaves localbox and must be readable only by us; OpenSSH refuses to use a private key file that other users can read.

To log in with RSA, we simply type ssh drobbins@remotebox at the localbox console, as before. This time, however, ssh tells remotebox's sshd that it wants to use the RSA authentication protocol. What happens next is the interesting part. The sshd on remotebox generates a random number and encrypts it with the public key we copied over earlier. The encrypted random number is sent back to the ssh running on localbox. Now it is our ssh's turn: it decrypts the number with our private key and sends the result back to remotebox, which in effect says: "Look, I really do have the matching private key; I successfully decrypted your message!" Finally, sshd concludes that, since we hold the matching private key, we should be allowed to log in, and remotebox gives us a shell. Possession of the private key has been proven without the key itself ever leaving localbox. (This challenge-and-decrypt exchange is the original SSH protocol 1 RSA method; SSH protocol 2 public-key authentication, which modern OpenSSH uses for RSA, DSA and other key types, instead has the client sign data tied to the current session with its private key and sshd verify the signature against the authorized public key. The principle is the same: only the holder of the private key can produce the answer.)
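The key-pair properties and the challenge/response exchange described above, written out as an added example (not code from the original article or from OpenSSH). It uses textbook RSA with small keys and no padding purely to make the flow visible; the 64-bit key size, the function names and the modelling of sshd and ssh as two functions are assumptions for illustration. Real OpenSSH keys are far larger, use padding, and in SSH-2 prove possession of the key with a signature rather than by decrypting a challenge.

```python
"""Toy RSA challenge-response in the style the article describes.

Constructed example: textbook RSA (no padding, tiny keys) to show
(1) what is encrypted with the public key can only be decrypted with
    the matching private key, and
(2) how remotebox's sshd can check that localbox holds that private
    key without the key ever crossing the wire.
"""
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (so it really is `bits` long)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 64):
    """Return ((n, e), (n, d)): the public key and the private key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent: modular inverse of e mod phi
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone can do this: encrypt m to the holder of the private key."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the private-key holder can recover m from c."""
    n, d = private_key
    return pow(c, d, n)


# --- The exchange from the article, one function per side --------------
def remotebox_challenge(authorized_public_key):
    """sshd on remotebox: pick a random number, encrypt it to the key
    found in ~/.ssh/authorized_keys, and remember the plaintext."""
    n, _ = authorized_public_key
    secret = secrets.randbelow(n - 2) + 2  # avoid the trivial 0 and 1
    return secret, encrypt(authorized_public_key, secret)


def localbox_response(private_key, challenge: int) -> int:
    """ssh on localbox: decrypt the challenge with the private key."""
    return decrypt(private_key, challenge)


def authenticate(authorized_public_key, candidate_private_key) -> bool:
    """Full round trip; True only if the candidate private key matches."""
    expected, challenge = remotebox_challenge(authorized_public_key)
    answer = localbox_response(candidate_private_key, challenge)
    return answer == expected


if __name__ == "__main__":
    pub, priv = generate_keypair()           # keys drobbins generated on localbox
    print("drobbins accepted:", authenticate(pub, priv))        # True
    _, wrong_priv = generate_keypair()       # an impostor with a different key
    print("impostor accepted:", authenticate(pub, wrong_priv))  # False
```

Note that the challenge is different every time, so a recorded exchange cannot be replayed, and the only thing an eavesdropper learns is a ciphertext under a public key they already had.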
