What's the fundamental principle regarding who should hold which key (public vs. private)?

1

1

In a SSH logging scenario, the client keeps the private key while the server stores the public key under its ./ssh directory.

In a different scenario, such as SSL, it's the server that keeps the private key and give away its corresponding public keys to the end users.

I read a lot about the two keys online, they are either off the topic or too deep for a beginner. Could someone explain using plain language about what is the governing rule here determining who should hold what key? Thanks very much.

北美38fule

Posted 2019-12-05T18:33:25.033

Reputation: 27

1The private key is always kept by the party that generated the key pair. Public keys are handed out to everyone (the public) who might want to send something to the person with the private key. – Mokubai – 2019-12-05T18:57:58.910

Answers

3

In all cases, the party which is being authenticated holds the private key (actually both keys, the whole set). The party which is verifying authentication only needs to know the public key.

Both SSH and TLS/SSL actually support authenticating both the client and the server, so each connection may use two different keypairs – one to verify the server's identity (server holds the private key) and one to verify the client's identity (client holds the private key).

For example, in SSH, the server's authorized_keys file holds client public keys, but the client's known_hosts file holds server public keys.

When you're being asked to verify the "hostkey fingerprint" when making an SSH connection, you're seeing the server's public key, and the server stores its private key in /etc/ssh. Once that step is done, the client presents its own public key to the server.

(The same thing exists in TLS as "client certificate authentication", but it is somewhat rare in comparison – but even though it's very rare on the web, many browsers support it anyway.)

user1686

Posted 2019-12-05T18:33:25.033

Reputation: 283 655

I can't believe my luck! Such a condensed and yet valuable answer! It beats the whole class that I have paid on Udamy:) – 北美38fule – 2019-12-05T20:01:05.990

By the way, dear grawity, I'd seriously like to pay you to be my remote mentor, is it possible? How can I reach you? Thank you. – 北美38fule – 2019-12-05T20:04:50.407

Just one clarification, when you mention Once that step is done, the client presents its own public key to the server. you meant uploading your own public key to the server's \ssh direction, it's not necessary every time you login, is my understanding correct? – 北美38fule – 2019-12-05T20:54:19.567

No, I meant the client software automatically sending the key as part of the SSH connection establishment, so that the server could compare it against what was previously manually uploaded to ~/.ssh/authorized_keys. – user1686 – 2019-12-05T20:55:56.167

Then did you mean it would actually send the key, or use that key to encrypt a message and send that message to test if the other end can decrypt? – 北美38fule – 2019-12-05T23:04:07.520

In SSHv2: first the client sends the public key to check whether it's acceptable; then, if it's acceptable, the server sends it a random challenge and the client replies back with a signature proving that it owns the private key as well. – user1686 – 2019-12-06T05:27:56.323

You mention testing for decryption – that's another possible approach, and it was used in e.g. SSHv1, but it has the downside that not all public-key algorithms actually support encryption/decryption at all. For example, ECDSA and Ed25519 are signing-only. So in both SSHv2 and TLS, the signature method is used instead. – user1686 – 2019-12-06T05:29:37.390

Asked: 2019-12-05T18:33:25.033

Viewed: 38 times

Active: 2019-12-05T18:43:06.180