Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "what is the implementation principle of SSH". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

SSH is a protocol standard, its main purpose is to achieve remote login and provide secure network services. There are many implementations, the most common of which is open source openssh.

Symmetric encryption and asymmetric encryption

Before we explain the principle of SSH implementation, let's take a look at the encryption method. We all know that for the sake of data security, data transmission on the Internet must be encrypted. Then encryption should be divided into two encryption methods:

Symmetric encryption (secret key encryption)

Asymmetric encryption (public key encryption)

Symmetric encryption means that both encryption and decryption use the same set of keys. Look at the following figure:

The interaction between the server and the client is shown below:

The encryption strength of symmetric encryption is very high, but there is a big problem. That is: how to ensure the security of key A? How to ensure the security of the secret key when the number of clients is very large? Once the secret key gets out, the consequences will be unimaginable. There is no guarantee for the security of users. So asymmetric encryption appears to make up for this.

Asymmetric encryption has two keys: the private key and the public key. The encrypted ciphertext can only be decrypted by the corresponding private key. However, it is very unlikely to deduce the private key from the public key. The following figure shows the basic principles:

There is a problem in the actual use of the above figure, that is, the client needs to know the public key of the server, otherwise it cannot be encrypted. So the server needs to inform the client of the public key. As shown below:

The server receives the login request from the client, and the server sends the public key to the client

The client uses this public key to encrypt the password

The client sends the encrypted password to the server

The server decrypts with the private key and verifies OK

Return the verification result

The private key is unique to the server, which ensures that even if the login information of the client is stolen in the process of network transmission, there is no private key for decryption, which ensures the security of the data, which makes full use of the characteristics of asymmetric encryption.

Do you think this is safe?

There is a loophole in the above figure: how does the client ensure that the public key received is the target server? If the attacker intercepts the client's request and sends his own public key, the password encrypted by the client with this public key can be decrypted by the attacker with his own private key. Isn't that a big loophole?

How does SSH do it?

There are two ways to SSH:

Password-based authentication

Based on public key authentication

1. Password-based authentication

As you can see from the above, our main problem is "how to verify the public key of the server". The client only needs to confirm the public key to OK. Usually when you log in for the first time, the following message appears:

He authenticity of host 'ssh-server.example.com (12.18.429.21)' can't be established. RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d. Are you sure you want to continue connecting (yes/no)?

The above message says: cannot confirm the authenticity of the host ssh-server.example.com (12.18.429.21), but know its public key fingerprint, do you want to continue to connect?

The main reason why fingerprint is used instead of key is that key is too long (the public key generated by RSA algorithm has 1024 bits), so it is difficult to compare directly. Therefore, hash the public key to generate a 128bit fingerprint, which is convenient for comparison.

After entering the yes, the host is confirmed and appended to the file known_hosts, and then you need to enter the password.

two。 Based on public key authentication

The client negotiates with the server to generate a session key

The client sends a login request (such as root@192.168.1.2) to the server, and the information sent includes the user name root and the public key fingerprint of root, and all the information is encrypted through the session key.

The server decrypts the data sent by the client through the session key to get the public key fingerprint of the user name root and root requesting login, then reads all the public key data under the root user's home directory (/ root/.ssh/autorized_keys file), and compares the data fingerprint of each public key with the data fingerprint sent by the client through the one-way encryption algorithm, so as to find the public key of the root user on the client.

The server uses the found client's public key to encrypt a random number and send it to the client.

The client uses the private key to decrypt the random ciphertext sent by the server, and then sends the decryption result to the server.

If the server verifies that the decrypted data of the client is consistent with the data sent by itself, the authentication of the client is successful.

This is the end of the content of "what is the implementation principle of SSH". Thank you for your reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.