In SSH, what is the difference between a host key and a public key?

The public key, I believe, is part of a private/public key pair, so that anything sent by the server (encrypted using the private key) can be decrypted by the client using the public key, and anything sent after being encrypted with the public key can only be decrypted by the server's private key.

In SSH, the server sends a host key, and the client is supposed to know the hash of the host key beforehand, or cache it in a local store after receiving the key for the first time, which assures the authenticity of the host.

My question is: is my understanding of the difference between the two correct? If yes, then once a machine gets the host key of a server upon connecting to it, can it not copy the host key and forge its identity as the server whose host key it copied, or is there some relation between the private key and the host key as there is between a public and a private key?

Julian
prasun

1 Answer


The host has a key pair, consisting of a public key and a private key. (It can have multiple key pairs in different formats; at the beginning of a connection, the client and the server negotiate to determine a format that they both support.) There's a host public key and a host private key; there are also other key pairs (public and private keys) which are not host key pairs (in SSH, users also have key pairs, with the private key residing on the client).

At the beginning of a connection, the two parties establish a secure channel with a Diffie-Hellman key exchange, which lets them establish a shared secret key that eavesdroppers cannot find out. At this point, the client and the server have a secure channel (which cannot be tampered with by a man-in-the-middle without being detected), but they do not yet know who is on the other end of the channel.

Then the client sends a random value to the server, a challenge. The server replies by sending its public key as well as a signature of the challenge value. By computing the signature of the challenge value, the server demonstrates that it knows the private key corresponding to the public key that it just sent. If the client has stored the host's public key in a file, it knows from that point on that the server is the same host that it communicated with before.

This mechanism, where everybody potentially knows the public key, one party sends a challenge and the other party responds to the challenge in a way that proves that it knows the private key (called a proof of possession), is a common use of public-key cryptography. It fully relies on the fact that public-key cryptography is asymmetric: knowing the public key doesn't give enough information to make computations involving the private key.

Gilles 'SO- stop being evil'
  • You mean to say that since the server has already proved ownership of the public key, an attacker who uses the same host key won't be able to prove ownership of the public key? But does that mean the host key and the public key are the same? – prasun Mar 28 '15 at 17:44
  • An attacker could prove the ownership of the *public* key, but that's useless. The protocol requires that the server proves ownership of the *private* key. The “host key” is in fact a key **pair**: there is a host public key and host private key. – Gilles 'SO- stop being evil' Mar 28 '15 at 17:52
  • That being said, the challenge signature is made using the private key of the host key pair? – prasun Mar 28 '15 at 17:57
  • @prasun Yes, you need to know the private key to make a signature. You can verify the signature with the public key. – Gilles 'SO- stop being evil' Mar 28 '15 at 18:00
  • Cool, the fact that the host key itself is the public key of another private key answers it. – prasun Mar 28 '15 at 18:03
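As an added illustration of the proof-of-possession exchange described in the answer above (example code written for this page, not part of the original post or of any SSH implementation), the following Go program assumes an ed25519 host key pair and a bare random challenge: the client caches the host key in OpenSSH's `SHA256:` fingerprint format on first contact, later sends a fresh challenge, and accepts the server only if the returned key matches the cached fingerprint and the signature over the challenge verifies under it. An impostor that copied the host public key can only sign with its own private key, so it is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Fingerprint renders an ed25519 public key the way `ssh-keygen -lf` shows it:
// SHA-256 over the wire blob (length-prefixed "ssh-ed25519" and key bytes), base64 unpadded.
func Fingerprint(pub ed25519.PublicKey) string {
	var blob bytes.Buffer
	for _, f := range [][]byte{[]byte("ssh-ed25519"), pub} {
		binary.Write(&blob, binary.BigEndian, uint32(len(f)))
		blob.Write(f)
	}
	sum := sha256.Sum256(blob.Bytes())
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Respond is the server side: return the host public key plus a signature over
// the client's challenge, which only the holder of the private key can produce.
func Respond(priv ed25519.PrivateKey, challenge []byte) (ed25519.PublicKey, []byte) {
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, challenge)
}

// ClientVerify is the client side: the presented key must match the fingerprint
// cached on first contact (the known_hosts check) and the signature must verify under it.
func ClientVerify(known string, challenge []byte, pub ed25519.PublicKey, sig []byte) bool {
	return Fingerprint(pub) == known && ed25519.Verify(pub, challenge, sig)
}

func main() {
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // impostor's own key pair
	known := Fingerprint(hostPub)                       // cached by the client earlier
	challenge := make([]byte, 32)                       // fresh per connection
	rand.Read(challenge)
	pub, sig := Respond(hostPriv, challenge)
	fmt.Println("genuine host:", ClientVerify(known, challenge, pub, sig))
	// The impostor copied hostPub but can only sign with otherPriv:
	_, forged := Respond(otherPriv, challenge)
	fmt.Println("impostor:", ClientVerify(known, challenge, hostPub, forged))
}
```

In real SSH the server signs the key-exchange hash, which covers both sides' random values, rather than a bare client challenge; the trust argument is the same.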