|
This got me thinking - how is a public key any guarantee of identity? I mean, it's the public key, right? So in theory I should be able to let anyone know my public key.
That's true, but the public key has no value unless the private key is available on the other end of the connection. If you encrypt something with the public key, nobody can decrypt it (including someone else with the public key) except for the person with the private key.
This setup is used for the challenge/response you mentioned in your e-mail. So the only person who can unencrypt the challenge and issue the correct response is the person with the private key.
More info on asymmetric cryptography can be found here: http://en.wikipedia.org/wiki/Asymmetric_key
Scott, is that what you mean by your comment "which means that to decrypt, you have to have the private key"? I realized this is paraphrasing quite a bit, there are some other steps involved, but this gets the idea across.
True.
I have to agree with Scott that the requirement of both public key and password authentication somewhat redundant. Not only that, it also seems to break the SSH standard protocol.
Yes, it does. And a crypto key is much more secure than a password. Guessing a password that's 6-10 characters long, with values from 1-9 and a-z and makes an easy-to-remember phrase for a user is relatively easy. then there's the social engineering aspect of it -- you can often trick a user into giving away his/her password in a telephone conversation. Then there's the proverbial "post-it stuck to the monitor with the password" situation.
Try the same thing with a 2048 bit (256 byte) crypto key. Where each byte can have any value from 0-255 (as opposed to the 36 letters and numbers) and where the user doesn't even need to know the key value, and therefore can't give it out!
There's no comparison.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.