Server Authentication using Public Keys

Reflection for Secure IT supports two types of server authentication: public key and certificate (a special form of public key authentication).

When public key authentication is used for host authentication, the following sequence of events takes place.

The Secure Shell client initiates a connection.
The server sends its public key to the client.

The client looks for this key in its trusted host key store.

If the client	This occurs
Finds the host key, and the client copy matches the key sent by the server	Authentication proceeds to the next step.
Does not find the host key	The client displays a message that the host is unknown and provides a fingerprint of the host key. If the client is configured to allow the user to accept unknown keys (the default), the user can accept the key, and authentication proceeds to the next step. If strict host key checking is enforced, the client ends the connection.
Finds a host key, and the client copy doesn't match the key sent by the server	The client displays a warning that the key doesn't match the existing key and displays the fingerprint of the key sent by the server. If the client is configured to allow the user to accept unknown keys (the default), the user can accept the new key. If strict host key checking is enforced, the client ends the connection.

If the client

This occurs

Finds the host key, and the client copy matches the key sent by the server

Authentication proceeds to the next step.

Does not find the host key

The client displays a message that the host is unknown and provides a fingerprint of the host key. If the client is configured to allow the user to accept unknown keys (the default), the user can accept the key, and authentication proceeds to the next step.

If strict host key checking is enforced, the client ends the connection.

Finds a host key, and the client copy doesn't match the key sent by the server

The client displays a warning that the key doesn't match the existing key and displays the fingerprint of the key sent by the server. If the client is configured to allow the user to accept unknown keys (the default), the user can accept the new key.

If strict host key checking is enforced, the client ends the connection.

To confirm that the server actually holds the private key that corresponds to the received public key, the client sends a challenge (an arbitrary message) to the server and computes a hash Also called a message digest, a hash or hash value is a fixed-length number generated from variable-length digital data. The hash is substantially smaller than the original data, and is generated by a formula in such a way that it is statistically unlikely that some other data will produce the same hash value. based on this message text.
The server creates a digital signature based on the challenge message. To do this, the server independently computes the message hash, and then encrypts the computed hash using its private key. The server attaches this digital signature to the original challenge and returns this signed message to the client.
The client decrypts the signature using the public key and compares the hash with its own computed hash. If the values match, host authentication is successful.