In order to secure the transmission of information, SSH employs a number of different types of data manipulation techniques at various points in the transaction. These include forms of symmetrical encryption(对称加密), asymmetrical encryption(非对称加密), and hashing.
为了信息的安全传输,SSH在事务的不同阶段使用不同类型的数据操作技术。包括对称加密,非对称加密和哈希。
The relationship of the components that encrypt and decrypt data determine whether an encryption scheme is symmetrical or asymmetrical.
加密和解密数据的组件之间的关系决定加密方案是对称加密的还是非对称加密。
对称加密
Symmetrical encryption is a type of encryption where one key can be used to encrypt messages to the opposite(对面的) party, and also to decrypt the messages received from the other participant. This means that anyone who holds the key can encrypt and decrypt messages to anyone else holding the key.
对称加密是一个密钥既可以用于将数据加密发送到对方,也可以用于对方解密收到的数据的加密类型。这意味着任何拥有此密钥的实体都可以和另一个拥有此密钥的实体之间加密和解密数据。
Symmetric keys are used by SSH in order to encrypt the entire connection. Contrary to what some users assume, public/private asymmetrical key pairs that can be created are only used for authentication, not the encrypting the connection. The symmetrical encryption allows even password authentication to be protected against snooping(窥探).
对称加密在SSH中被用来加密整个链接(注:这是从性能方面考虑,如果整个链接都用非对称加密的话,每次传输的消息都要用非对称方式来加解密,效率会成为主要问题)。这里需要注意一点,可能和一些用户想象的不一样:用户创建的public/private非对称密钥对仅用于认证过程(即免密登陆)。经非对称加密的连接同样保证了密码认证方式免受窥探。
The client and server both contribute toward establishing this key, and the resulting secret is never known to outside parties. The secret key is created through a process known as a key exchange algorithm. This exchange results in the server and client both arriving at the same key independently by sharing certain pieces of public data and manipulating them with certain secret data. This process is explained in greater detail later on.
为了得到这个用于加密整条链接的对称密钥,client和server端都要做一些工作,结果是所产生的这个对称密钥肯定不会被外界所知。(为什么呢)因为这个对称密钥是通过一个被称为“密钥交换算法”的过程,通过共享公共数据里的某个片段并且操作他们伴随着一些秘密数据,在client和server端各自独立计算产生的(不会在网络上传输)。
The symmetrical encryption key created by this procedure is session-based and constitutes the actual encryption for the data sent between server and client . Once this is established, the rest of the data must be encrypted with this shared secret. This is done prior to authenticating a client.
由上述过程产生的对称加密密钥是基于会话的并且对server和client端传输的数据进行实际的加密。一旦这个完成,剩下的数据交换必须由这个共享密钥来加密。(注意)这是在对client进行认证之前做的
非对称加密
Asymmetrical encryption is different from symmetrical encryption in that to send data in a single direction, two associated keys are needed. One of these keys is known as the private key, while the other is called the public key.
The public key can be freely shared with any party(公钥可以和任何一方共享). It is associated with its paired key, but the private key cannot be derived from the public key. The mathematical relationship between the public key and the private key allows the public key to encrypt messages that can only be decrypted by the private key(公钥加密的数据只能有私钥解密). This is a one-way ability, meaning that the public key has no ability to decrypt the messages it writes, nor can it decrypt anything the private key may send it(这是一个单向能力,即公钥不能解密他自己加密的信息,也不能解密任何私钥加密的信息).
The private key should be kept entirely secret and should never be shared with another party(私钥一定要保证私密性和安全性). This is a key requirement for the public key paradigm to work. The private key is the only component capable of decrypting messages that were encrypted using the associated public key. By virtue of this fact, any entity capable decrypting these messages has demonstrated that they are in control of the private key(私钥是唯一的组件能解开公钥加密的数据,基于这个事实,任何能解密这些数据的实体都会被视为拥有私钥的控制权).
SSH utilizes asymmetric encryption in a few different places.During the initial key exchange process used to set up the symmetrical encryption (used to encrypt the session), asymmetrical encryption is used(非对称加密用在最初的为了设置“共享密钥”而进行的“密钥交换”过程). In this stage, both parties produce temporary key pairs and exchange the public key in order to produce the shared secret that will be used for symmetrical encryption(在这个阶段,c和s都将产生一对儿临时密钥对并且交换公钥,为了生成”共享密钥“).
The more well-discussed use of asymmetrical encryption with SSH comes from SSH key-based authentication. SSH key pairs can be used to authenticate a client to a server. The client creates a key pair and then uploads the public key to any remote server it wishes to access. This is placed in a file calledauthorized_keys within the ~/.ssh directory in the user account's home directory on the remote server.
After the symmetrical encryption is established to secure communications between the server and client, the client must authenticate to be allowed access(当创建好了用于在双方加密通信的“共享密钥”之后,客户端必须证明自己有权限进入。说明初始化在上一段中说到的“c和s分别产生临时密钥对”的过程和我们免密钥登陆所生成的密钥对是两回事). The server can use the public key in this file to encrypt a challenge message to the client. If the client can prove that it was able to decrypt this message, it has demonstrated that it owns the associated private key. The server then can set up the environment for the client(s将用记在自己authorized_keys 文件里的该client的公钥来加密一个“挑战信息”返送给c,如果c能解密该信息,则说明c拥有对应的私钥,允许进入。然后s为该c设置相关环境变量).
哈希
Another form of data manipulation that SSH takes advantage of is cryptographic hashing(ssh利用的另一种数据操作是“密码散列”). Cryptographic hash functions are methods of creating a succinct "signature" or summary of a set of information. Their main distinguishing attributes are that they are never meant to be reversed, they are virtually impossible to influence predictably, and they are practically unique(密码散列“几乎”不可能被反解,“几乎”不可预见,“几乎”是唯一的).
Using the same hashing function and message should produce the same hash(对同样的内容执行hash得到的结果应该是一样的); modifying any portion of the data should produce an entirely different hash. A user should not be able to produce the original message from a given hash, but they should be able to tell if a given message produced a given hash(不可能根据hash值来还原原始信息,但似乎却可以判断给定的消息是否得到给定的hash值。即 验证消息发出后是否被改过。hash主要用来验证数据“完整的,未被更改的”).
How Does SSH Work?
An SSH session is established in two separate stages. The first is to agree upon and establish encryption to protect future communication(达成一致并建立加密来保护以后的通信). The second stage is to authenticate the user and discover whether access to the server should be granted.
关于client端的.ssh/known_hosts文件里面的内容:
是“sshd服务在启动/重启”时生成的秘钥对儿中公钥的内容
这些默认及存在的秘钥对存储于/etc/ssh/目录下,
这些秘钥对儿被移走之后,便无法再“远程登陆",报错如下
转载于:https://blog.51cto.com/kaifly/2358890
1734
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
