"Eric J. Schwertfeger" <[EMAIL PROTECTED]> writes:

> On 12 Jan 2000, Niels Möller wrote:
> 
> fixed.  Wasn't sure about that, not having gone over the actual protocol.
> That makes more sense than what I was envisioning, because what I was
> envisioning wouldn't work if the user didn't have a key pair.

Actually, ssh-1 uses RSA in encryption mode, rather than DH and a
signature. Likewise for the (most common) operation with SSL. To do
this, the client chooses a random session key, encrypts it with the
server's public key, and sends it over. The server (and *only* the
right server) can decrypt this to get the session key.

And with ssh-1, there are actually *two* RSA keys, one long term that
users can store in their known_hosts file, and one temporary that is
replaced once every hour, or something like that. Both are used when
encrypting the session key.

This achieves "forward secrecy": If someone records a month's
encrypted ssh connections to a server, and then breaks into the server
to get its private key, that does not give the attacker enough
information to decrypt all the previous traffic.

/Niels
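Added illustration of the exchange Niels describes above; this is not code from the thread, from lsh, or from any SSH implementation. It models the two-layer wrapping of a client-chosen session key under a long-term host key and a short-lived server key, then shows why deleting the old server key at rotation keeps an earlier recorded session safe from an attacker who later steals everything the server still holds. Textbook RSA over tiny primes with no padding is used only so the block runs stand-alone (never use it for real); the smaller-modulus-first ordering is forced by that unpadded arithmetic, not a statement about the real ssh-1 wire format, and every name here (`Server`, `wrap_session_key`, `forward_secrecy_demo`) is this example's own.

```python
"""Toy model of an ssh-1 style session key exchange (added example).

Textbook RSA over tiny primes, NOT for real use: no padding, no
sanity checks. It only shows the mechanics discussed above.
"""
import random
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=128):
    """Return ((n, e), (n, d)). Toy sizes only; needs Python 3.8+ for pow(e, -1, phi)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # gcd(e, phi) == 1 since e is prime
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def wrap_session_key(key, host_pub, server_pub):
    """Client side: encrypt under the smaller modulus first so the inner
    ciphertext (< n_small) still fits as a message under the larger one."""
    inner, outer = sorted((host_pub, server_pub), key=lambda k: k[0])
    assert 0 <= key < inner[0]
    return pow(pow(key, inner[1], inner[0]), outer[1], outer[0])


def unwrap_session_key(ct, host_n, server_n, keyring):
    """Peel the layers in reverse order. `keyring` maps modulus -> d.
    Returns None when a layer's private key is not held (e.g. rotated away)."""
    inner_n, outer_n = sorted((host_n, server_n))
    for n in (outer_n, inner_n):
        d = keyring.get(n)
        if d is None:
            return None
        ct = pow(ct, d, n)
    return ct


class Server:
    """Long-term host key (what ends up in known_hosts) plus a temporary
    server key that is thrown away and regenerated on rotation."""

    def __init__(self):
        self.host_pub, self.host_priv = rsa_keygen()
        self.rotate_server_key()

    def rotate_server_key(self):
        # The old temporary private key is simply forgotten here.
        self.server_pub, self.server_priv = rsa_keygen()

    def keyring(self):
        return {self.host_priv[0]: self.host_priv[1],
                self.server_priv[0]: self.server_priv[1]}


def forward_secrecy_demo():
    """Passive attacker records a session, server rotates, attacker then
    steals all keys the server still has. Returns what each party can do."""
    server = Server()
    key1 = secrets.randbits(64)                                # client's choice
    old = (wrap_session_key(key1, server.host_pub, server.server_pub),
           server.host_pub[0], server.server_pub[0])            # recorded wire data
    server_ok = unwrap_session_key(*old, server.keyring()) == key1
    server.rotate_server_key()                                 # "once every hour"
    key2 = secrets.randbits(64)
    new = (wrap_session_key(key2, server.host_pub, server.server_pub),
           server.host_pub[0], server.server_pub[0])
    stolen = server.keyring()                                  # break-in after rotation
    return {"server_decrypts": server_ok,
            "old_session_recovered": unwrap_session_key(*old, stolen) == key1,
            "current_session_recovered": unwrap_session_key(*new, stolen) == key2}
```

The result makes the scope of the guarantee concrete: the stolen host key plus the current temporary key recovers the session set up under those keys, but the earlier recording stays opaque because the only private key that could strip its inner layer no longer exists anywhere on the server.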
