SSH + Public Key Authentication: The Simple Explanation You’ve Been Looking For

Michael Aranda
Aug 14, 2017 · 5 min read

For a while, all I knew about SSH was that it helped me connect to my GitHub repositories and remote servers. I had tried many times in the past to become more informed about how it works; sadly, nothing much ever really stuck.

But after years of unavoidable exposure to it, things happened to click, and I finally obtained something both rare and beautiful: a halfway-decent understanding of how SSH enables remote authentication and operations. It’s my hope with this article that I can help you obtain this beautiful gem of wisdom as well.

Our story begins. No big deal, but…

I’m Batman (don’t tell anyone). During my crime-fighting adventures, I regularly need to send important messages and commands to other members of the Justice League.

For instance, I might be in Gotham, while Wonder Woman is in Metropolis with Green Lantern. Results from an investigation come back, and I discover that the “Green Lantern” currently with Wonder Woman is an imposter.

I ask the Flash to run over to Wonder Woman and deliver a piece of paper with the following message:

“It’s Batman. The Green Lantern with you right now is actually an evil robot. Destroy him ASAP.”

Wonder Woman trusts me, but how does she know this message actually came from the real Batman? What if the message is from a supervillain who was posing as Batman, and tricked the Flash into delivering this message? What if the Flash himself is the imposter?

Wonder Woman would want some proof that the warning actually came from me before taking action.

Spells will save the day

Not to brag or anything, but being the world’s greatest detective, I came up with a brilliant system for allowing heroes to verify each others’ identities, simply by exchanging messages.

I ask Zatanna, a sorceress and member of the Justice League, to create my own personal pair of spells, with very special effects.

Spell 1 is invoked by mentally reciting the following phrase:

Namtab ma I dna, enyaw ecurb si eman ym.

Spell 2 is invoked by mentally reciting the following phrase:

Namtab ot laever ylno.

Here is what the spells do:

  1. If anyone writes on a piece of paper and casts Spell 1, the writing becomes invisible. Only casting Spell 2 will make it reappear.
  2. If anyone writes on a piece of paper and casts Spell 2, the writing becomes invisible. Only casting Spell 1 will make it reappear.

In this example, Zatanna represents SSH. She provides Spell 1, which is a “private key”, and Spell 2, which is a “public key”.

Casting Spell 1 to hide a message is equivalent to encrypting data using a private key.

Casting Spell 2 to hide a message is equivalent to encrypting data using a public key.

Casting Spell 1 to reveal a message hidden by Spell 2 is using a private key to decrypt a message encrypted by its matching public key.

Casting Spell 2 to reveal a message hidden by Spell 1 is using a public key to decrypt a message encrypted by its matching private key.

Once you have a good grasp of the above, you have almost arrived at a very solid understanding of how SSH authentication works. The following section will detail how the spells work to provide a reliable form of authentication, and then you’re there!

Using the spells for good

I share Spell 2 with every Justice League member— the people with whom I want to be able to communicate (this is why it’s a public key). On the other hand, I keep Spell 1 all to myself, and never share it with anyone (private key). You’ll see why very soon.

With all that in place, here’s how we can use the spells to confidently confirm identities:

Secure Super Hero (SSH) Authentication *

  1. I write a message to Wonder Woman: “It’s Batman. The Green Lantern with you right now is actually an evil robot. Destroy him ASAP.”
  2. I give the piece of paper to Flash, who runs it over to Wonder Woman in an instant.
  3. Wonder Woman receives my message. Before anything, she decides to make absolutely sure the message is from me.
  4. Wonder Woman writes something like “What’s 131,492 * 15,687?” on a piece of paper.
  5. Wonder Woman casts Spell 2, which I gave to all members of the Justice League. The multiplication problem is now invisible.
  6. Wonder Woman gives the piece of paper back to the Flash, who runs it back to me.
  7. I cast Spell 1 on the currently blank piece of paper from Wonder Woman (remember, I am the only person who has Spell 1). Since Spell 1 reveals text made invisible by Spell 2, I can now see the multiplication problem.
  8. I read the multiplication problem and write down the answer on a piece of paper: “2,062,715,004” (by the way, since I’m Batman, I did the math in my head).
  9. I give the piece of paper with my answer back to the Flash, who runs it back to Wonder Woman.
  10. Wonder Woman sees the answer to her “challenge” is correct. It is virtually impossible for the correct answer to have come from someone who did not have Spell 1 to decrypt the multiplication problem, so she is now confident she is dealing with the one and only Batman.
  11. Satisfied, Wonder Woman knocks the fake Green Lantern into the sun, and begins to wonder how I got so clever.

Now you know why I keep Spell 1 safe, and don’t share it with anyone else. If members of the League want to verify that a message they received is really from me, I can demonstrate my identity by correctly replying to a secret message they send back, which only I can decode.

You may realize that someone can effectively impersonate me if they get their hands on Spell 1. This is why a good practice is to password-protect your private keys, adding another layer of security to the authentication process. Even if someone manages to obtain my private key, they still need to know the password to use it.

You might also notice that, while this secret conversation was taking place, the Flash was privy to our messages the entire time. However, he never gained any insight into what Spell 1 is. I proved my identity without showing how I did so! This is definitely the kind of stuff that makes superheroes so cool.

From sidekick to superhero

If you understand the above procedure, then congratulations — you’ve got the gist of SSH authentication with public keys!

Please do note that, for the sake of brevity, this article focused mainly on SSH authentication, to give you a solid, high-level understanding of how remote access with SSH works. The initial stage of establishing a secure connection is omitted. I am considering writing a follow-up article on this, for those of you who want to continue your training and become full-fledged superheroes.

Thanks so much for reading, and please leave any questions, comments, or feedback you might have in the responses below. This is my first article, so I am very open to criticism. Thanks again!

*Note: SSH stands for Secure Shell. It does not stand for Secure Super Hero, sadly.

Michael Aranda

Written by

I’m a Web Solver. No, wait…I’m a Problem Developer! Hmm… || Web Developer at HP Inc.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade