I recently saw an article that introduces SSH very clearly; I am recording it here to deepen my impression:
Basic principle:
SSH (Secure Shell) is a set of protocol standards for secure login and secure data transfer between two machines. The principle that ensures the data's security is asymmetric encryption.
Traditional symmetric encryption uses a single secret key: the same key both encrypts and decrypts the data. Every client and the server therefore need to store that secret key, so the risk of leakage is very high, and once the key leaks, data security can no longer be guaranteed.
Asymmetric encryption solves this problem. It uses a pair of keys, a public key and a private key: the public key is used for encryption and the private key for decryption, and the private key cannot be computed from the public key. The private key is therefore stored carefully on the server, while the public key can be passed around freely; even if it leaks, there is no risk.
Put simply, SSH ensures security by having the client and the server each generate their own private and public key and then exchange public keys. Each side encrypts the data it sends with the other party's public key, and the receiver decrypts it with its own private key.
As the previous figure shows, each of the two machines holds, in addition to its own public and private keys, the other party's public key, so there must be a step in which they exchange public keys.
Public key exchange when establishing a connection for the first time:
The public key exchange at connection time is not actually a simple swap of public keys; it uses a dedicated algorithm, and it takes place on the first connection, before any data is transferred.
- The client initiates a connection request
- The server returns its own public key, together with a session ID (in this step the client obtains the server's public key)
- The client generates a key pair
- The client computes a value by XORing its own public key with the session ID, and encrypts that value with the server's public key
- The client sends the encrypted value to the server, and the server decrypts it with its private key
- The server XORs the decrypted value with the session ID to recover the client's public key (in this step the server obtains the client's public key)
- At this point each side holds three keys: its own public and private key, and the other side's public key. All subsequent communication is encrypted
One interesting point: when two machines connect over SSH for the first time and the server returns its own public key (step 2), the client shows a message to the effect that it cannot verify the authenticity of the other side, gives the MD5 value of the other side's public key, and asks whether to go ahead and establish the connection.
This is because, although SSH transmission itself is very secure, on the first connection there is no way to know whether the public key really comes from the requested server. If someone intercepts the client's request to the server and returns their own public key to impersonate the server, then once the connection is established the attacker can decrypt all of the data with their own private key. This is known as a man-in-the-middle attack.
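The fingerprint shown in that first-connection prompt can be computed offline and compared with one obtained through a trusted channel before answering yes. The following Python sketch is an added example, not code from the original article; the key lines are constructed sample values and the function names are illustrative. It computes both the MD5 form the article mentions and the SHA256 form that current OpenSSH prints by default.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, the encoding used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def fingerprints(pubkey_line: str) -> dict:
    """Return the MD5 and SHA256 fingerprints of an OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob repeats the key type; a mismatch means a malformed line.
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key type does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": "MD5:" + md5_fp, "sha256": "SHA256:" + sha_fp}


def host_key_trusted(presented_line: str, trusted_fp: str) -> bool:
    """Compare the key a server presented with a fingerprint obtained out of band."""
    algo = "md5" if trusted_fp.startswith("MD5:") else "sha256"
    return fingerprints(presented_line)[algo] == trusted_fp


def make_line(raw_key: bytes, comment: str) -> str:
    """Build a constructed ssh-ed25519 public key line (not a real host key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


SERVER_LINE = make_line(bytes(range(32)), "server.example")       # genuine host key
IMPOSTOR_LINE = make_line(bytes(range(1, 33)), "server.example")  # interceptor's key
PUBLISHED = fingerprints(SERVER_LINE)["md5"]  # value the admin published out of band

if __name__ == "__main__":
    print("published:", PUBLISHED)
    print("genuine  :", host_key_trusted(SERVER_LINE, PUBLISHED))
    print("impostor :", host_key_trusted(IMPOSTOR_LINE, PUBLISHED))
```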
Password login via SSH:
SSH is commonly used to log in remotely to another machine. There are two common methods; the first is to log in with an account and password:
- After the server receives the login request, the two sides first exchange keys; see the previous section for the detailed steps
- The client encrypts the account and password with the server's public key and sends them
- The server decrypts the account and password with its own private key and verifies them
- The server encrypts the verification result with the client's public key and returns it
- The server decrypts with its own private key, and the result is verified
Use the public key to log in:
This is the second way to log in remotely to another machine: using a public key.
Sometimes it is not a developer connecting to the server by hand but a program on the client that needs to connect. Password login is inconvenient in that case: first, the program has to deal with entering the password; second, a way must be found to store the password securely for the program. In this situation a public key can be used for password-free login.
Or, if you often connect to a server remotely and do not want to enter the account and password every time, you can also use this method:
- The client user must manually add their public key to a file on the server called authorized_keys, which, as the name implies, holds the public keys of all machines that are allowed to log in remotely
- The client initiates a login request and sends the fingerprint of its own public key (the fingerprint is unique, but it is not the public key itself)
- The server checks, based on the fingerprint, whether this public key is stored in authorized_keys
- If it is, the server generates a random string, encrypts it with the client's public key, and returns it
- The client decrypts it with its private key, then encrypts it with the server's public key and sends it back
- The server decrypts what it receives with its own private key; if it is the same string, verification passes
The key to public key login is manually adding the client's public key to the server. GitHub is an example: once the key has been added, you can log in without a password.
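The server-side lookup in the third step above depends on parsing authorized_keys correctly, including lines that carry options before the key. The following Python example is added here and is not from the original article or from OpenSSH; the sample file content is constructed, the function names are illustrative, and it uses SHA256 fingerprints.

```python
import base64
import hashlib
import re

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # subset for the demo
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')  # quoted values may hold spaces


def sha256_fp(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (entries, rejected line numbers) for authorized_keys content."""
    entries, rejected = [], []
    for number, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        # A line that does not start with a key type starts with options.
        options = "" if fields[0] in KEY_TYPES else fields.pop(0)
        try:
            if len(fields) < 2 or fields[0] not in KEY_TYPES:
                raise ValueError("no recognizable key")
            blob = base64.b64decode(fields[1], validate=True)
        except ValueError:
            rejected.append(number)
            continue
        entries.append({"line": number, "options": options, "fp": sha256_fp(blob)})
    return entries, rejected


def lookup(entries: list, presented_fp: str):
    """Server-side step: find the authorized key with this fingerprint."""
    return next((e for e in entries if e["fp"] == presented_fp), None)


def demo_key(raw: bytes) -> str:
    """Base64 of a constructed ssh-ed25519 key blob (not a real key)."""
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-ed25519", raw))
    return base64.b64encode(blob).decode()


SAMPLE = "\n".join([  # constructed authorized_keys content
    "# team keys",
    "ssh-ed25519 " + demo_key(b"A" * 32) + " alice@laptop",
    'command="/usr/bin/backup --all",no-pty ssh-ed25519 ' + demo_key(b"B" * 32) + " backup",
    "ssh-ed25519 not-base64!! broken",
])
```

Rejected line numbers are worth reviewing: an entry that cannot be parsed is not necessarily one that was never meant to grant access.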
Data from: Jiefang crowdsourcing platform
This is an article I saw on Today's Headlines today, so here is the direct link to the article (this post is basically a copy of it):
https://www.toutiao.com/a6605433008616899076/?tt_from=weixin&utm_campaign=client_share&wxshare_count=1&timestamp=1538185223&app=news_article&utm_source=weixin&iid=11692987337&utm_medium=toutiao_android&group_id=6605433008616899076