I've just started reading about SSH and how it's used for authentication. From this website, it says:
The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have that key; but anybody who has your public key can verify that a particular signature is genuine.
So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, PuTTY can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
My question is what kind of message is used in real life, along with your private key, to generate the digital signature? And once the server applies its public key to generate the original message, how does it know whether that message is correct? Is the message publicly available?
Or when you try to connect, does the server send out a one-time-use message for you to create the digital signature from using your private key?
Aucun commentaire:
Enregistrer un commentaire