The client doesn't send the secret back to the server, because the secret could be stolen this way. It uses the secret to encrypt the rest of the communication.
@@NetworkInfo No verification is needed because the rest of the communication will be encrypted. If the client was not able to get access to the key, it wouldn't be able to continue the communication. The fact that the client can now send encrypted messages to the server and the server can decrypt them proves that the client was legit, hence able to get access to the secret key.
@@rakeshshiva625 There are two: the server's public key will be used by the client to encrypt the message and the server's private key will be used by the server to decrypt it, so asymmetric.
Great explanation! Your video provided the most important fragments of information which other videos lack, for example: you mentioned the key being a cipher and you explained which software is used in these different OSes. Thanks, and keep up the good work!
Thanks for your love and support, keep learning. Follow bitfumes on twitter.com/bitfumes or facebook.com/Bitfumes to get the latest updates. bitfumes.com
Thanks a lot. This is exactly the information I was looking for. Most videos assume I already know what a public and private key is so thanks for clearing everything from the ground up.
Correct me if I am wrong, please. The step that I always misunderstood was section 4:36.... 1. A public key is created by the client. 2. And somehow this newly created client public key is provided to the server to keep. 3. Then when the client ssh(s) into the server, it sends the public key it has while connecting. 4. The server receives the connection request "and" compares the public key being received with the ones the server has on a list. 5. If the keys match, then the server sends "its own" public key back to the client. 6. The client accepts the server's public key and the connection is made. If the process described above is correct, then this means that servers have to have a way of accepting (someone approves) public keys from clients (step number 2 above) so that it compares when being used?
This video is not completely correct! There is a missing part with the Diffie-Hellman for the symmetric key which is used to encrypt the communication. The asymmetric keys are only used for authentication.
In the video it is mentioned that at last the secret is sent back to the server so the server can identify the client. This secret can be hacked. How is it avoided? Adding that to the video would make it complete.
Thanks for the details. One query: how does it know the first time which public key to pick for a new request? What is that id against which the public key is picked for the authentication purpose?
The "SSH Working" part gives a wrong explanation. The SSH public key authentication is a signature-based challenge-response protocol, which can be found in the SSH protocol in section 7. The public key encryption and public signature are totally two different things.
I agree. In general the RU-vid video gives a very nice illustration of how SSH keys work. However, I don't agree with the top secret explanation. The "top secret" is a "challenge" generated by the server to prove the client has a proof of possession of the private key. Once decrypted, the client signs the clear text version of the top secret with its private key and sends it back to the server. The server uses the client's public key to authenticate the top secret by verifying the signature. Once the verification is successful, the security channel is established.
The private key can't be shared and only the private key can decrypt the data. So once the secure tunnel is established, is the data sent from the client encrypted using the public key? If yes, then how can the server decrypt the data, as it does not have the private key of the client?
Data is encrypted using the public key. The secret key shared is encrypted using the client's public key, which can only be decrypted using the client's private key.
Thank you for the explanation. However, the client sends the topsecret key without hashing? What happens if somebody gets this open topsecret key while it is being sent from client to server?
Wow, great. Can you tell me the difference between the Bash language, PuTTY and the command line / command prompt? Also, what connection is there between Bash and Linux? Thanks in advance.
Great explanation...... I have a question. When I am already on a Linux machine and from there I want to ssh to any other Linux machine, then I do "ssh -i key.pem ". Here key.pem is the private key. In this case, how does the handshake happen, as I am not sending the public key?
When sending the Top Secret Key back to the server, can't someone intercept it and send it over to the server before you get yours to the server, thus not verifying the correct user?
Old comment but, I think that would be correct. But at that point I don't think any protocol can help you. It is very well the case in practice that services can be denied, e.g. DDOS (not that that is the scenario you describe). The point of having such protocols is not to guarantee that the sender and receiver can communicate, but instead that when communication occurs, an interceptor would not be able to extract any useful information. Even without some malicious actor, we can't guarantee that communication works out. Sometimes packets of data just drop ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-7rLROSYcQU8.html. You can't even guarantee that two computers are absolutely sure that they both agree on something (The Two Generals Problem) ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-IP-rGJKSZ3s.html A single computer can't even have guarantees about its current state, like stray cosmic rays can hit the silicon to flip bits. Anyways, though we have a lot of things we can't guarantee, one can attempt to produce the most robust solution possible given the circumstances (and, with some assumptions, prove that it is secure), or we can produce a solution which we believe to have a low probability of failing. Like, it is incredibly unlikely that cosmic rays do flip bits in memory, but even if this was an issue there are ways of using redundancy to lower the probability that we read corrupted data (coding theory and information theory). Quicksort is an example of an algorithm where we choose to take our chances: it hinges on selecting a random pivot, and on average it is a very fast algorithm, but if you give it a really inconvenient input list it will have the same time complexity as the naive sorting algorithms (Bubblesort, SelectionSort, etc).
To put out one last caveat, we don't even know if cryptography is actually bulletproof :) It's still an open question as to whether P = NP, but if it is and we find a good algorithm for solving NP problems, then we also have a good algorithm for breaking cryptography. No one's cracked P vs NP yet though, and modern cryptography isn't cracked yet either (or maybe it is and some people have kept that secret really well), soooooooooooooooooooooooooooooooooo it's probably safe. Rant aside, SSH and all other protocols can't guarantee service, but if it is observed that the service is consistently being denied and it's an issue, then either the user or the people who provide the service should investigate and figure out what the root cause is.
Server gets your public key. Server encrypts a [challenge] with your public key. You decrypt the challenge with your private key (as only your private key will unlock what the private key you shared locked) and send back the challenge. Server verifies the challenge and establishes a tunnel.
@@yordanibonilla5859 I see, but the question Nabil asks still applies. Basically the situation would become: what if an interceptor responds to the challenge before you do (with an invalid response), resulting in the challenge being failed and you not being verified? Ah, but upon rereading the original comment, it says "not verifying the correct user". I interpreted it as the interceptor preventing you from being verified, rather than the interceptor being verified pretending to be you. But ya, given this procedure they can't beat the challenge the server provides.
@@Vaaaaadim Right, and if they, the interceptor, did send the correct challenge by intercepting yours and it so happens to get there before you, wouldn't they just be doing you a favor verifying ya lol?
Sir, it's a nice presentation with a little diversion! You said, "Symmetrical encryption can’t be done on remote servers". But you didn't continue with the need for SSH with proper justification.
it is the same key everywhere - hence, sharing it becomes increasingly risky with asymmetrical encryption, identity and uniqueness is assigned to a caller
You say that the service is only available when the system starts. Is it possible for an admin to use Wake-On-LAN on a client system while the system is off and establish the tunnel?
I am lost here, Okay remote computer uses public key to encrypt a secret key which is a key to SSH. Well public key is known and so what's the point ...I am lost, please help
Server gets your public key. Server encrypts a challenge with your public key. You decrypt the challenge with your private key and send back the challenge. Server verifies the challenge and establishes a tunnel.
After the connection is established we go to the folder .ssh (of the server) and copy all private keys (which will be encrypted by the client public key) and get them into our system 😂 finally we hacked it.
@@Bitfumes I searched more about this and found out that the pair of the public and private key are somehow mathematically connected, but there is no way to derive one key from another. Whatever is encrypted by the public key can only be decrypted by the paired private key.
If I have just a LapTop and want to use a SSH just for security can I just Enable the Open ssh on my LapTop. Or do I have to have a server to configure the ssh? I just can't get it right.
@Bitfumes Webnologies Great explanation! But I have a question: if I am a MITM, I can catch the encrypted "top secret" message from the server (in this state I cannot read the message or get the private key), but when I am able to catch the decrypted "top secret" that the client sends back to the server, I now have the encrypted "top secret" message and the decrypted "top secret" message, and now I can figure out the private key... am I wrong? Is there something I miss here?
The encryption algorithm which is used in SSH is RSA and it is really hard to guess it. The key itself could be AES-256 encrypted, so it will take a few million years to guess.
If I use password authentication for an ssh session, then how does the data get encrypted? In password authentication the client's public key is not present on the server.
@@NetworkInfo I believe the ssh channel is first established, then the authentication process starts. The ssh server and client first set up a secret key using the Diffie Hellman algorithm and then that key is used to encrypt the channel. Next it asks for the authentication method, either password based or ssh key based. That's why an ssh key is not necessary for an ssh connection. And we will always share the client key into the server; generating a public/private key is not necessary on the server. For SSL it's different, where the server's public key is shared with the client.
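
The order of operations raised in the comments above (key exchange first, then a signature-based proof that the client holds the private key), as an added Go example that is not part of the video or of any comment. It is a simplified model rather than the SSH wire format: the function names, the session-ID construction and the user name `alice` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Simplified model, not the SSH wire format. newSession runs an ephemeral X25519
// exchange; each side hashes both public values and the shared secret into a session ID.
func newSession() (clientSID, serverSID []byte) {
	c, s := must(ecdh.X25519().GenerateKey(rand.Reader)), must(ecdh.X25519().GenerateKey(rand.Reader))
	cp, sp := c.PublicKey().Bytes(), s.PublicKey().Bytes()
	cs := sha256.Sum256(bytes.Join([][]byte{cp, sp, must(c.ECDH(s.PublicKey()))}, nil))
	ss := sha256.Sum256(bytes.Join([][]byte{cp, sp, must(s.ECDH(c.PublicKey()))}, nil))
	return cs[:], ss[:]
}

// signAuth is the client step: sign session ID + user name with the private key.
func signAuth(priv ed25519.PrivateKey, sid []byte, user string) []byte {
	return ed25519.Sign(priv, bytes.Join([][]byte{sid, []byte(user)}, nil))
}

// verifyAuth is the server step: check the signature with the stored public key.
func verifyAuth(pub ed25519.PublicKey, sid []byte, user string, sig []byte) bool {
	return ed25519.Verify(pub, bytes.Join([][]byte{sid, []byte(user)}, nil), sig)
}

func demo() (sameSID, accepted, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub plays the authorized_keys entry
	if err != nil {
		panic(err)
	}
	clientSID, serverSID := newSession()
	sig := signAuth(priv, clientSID, "alice") // constructed user name
	_, otherSID := newSession()               // a second, unrelated connection
	return bytes.Equal(clientSID, serverSID), verifyAuth(pub, serverSID, "alice", sig), verifyAuth(pub, otherSID, "alice", sig)
}

func main() { fmt.Println(demo()) }
```

The program prints `true true false`: the private key never leaves the client, and because the signature covers the session ID, a signature captured from one connection does not verify on another.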