PKI, Digital Signatures & SSH: A Practical Guide to Information Security

This article explains the fundamentals of Public Key Infrastructure, the differences between symmetric and asymmetric encryption, how digital signatures and certificates ensure data integrity and authenticity, and illustrates the SSH protocol’s secure authentication mechanisms, providing a comprehensive overview of modern information security techniques.


PKI (Public Key Infrastructure) is a framework that leverages public‑key cryptography to provide comprehensive security services for network applications. It is a core technology for information security and e‑commerce.

Symmetric Encryption

Symmetric encryption uses the same key for both encryption and decryption. Common algorithms include AES, DES, 3DES, SM1, and SM4. While computationally simple, it requires secure key distribution, which led to the invention of asymmetric encryption.

Asymmetric Encryption

Asymmetric encryption uses a pair of keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice‑versa. Typical algorithms are RSA, ECC, and SM2. This solves the key‑distribution problem but is computationally heavier.

Digital Signature

A digital signature is created by encrypting a hash of the message with the sender’s private key. The receiver uses the sender’s public key to decrypt the signature and compares the resulting hash with a freshly computed hash of the received message. Matching hashes confirm integrity and authenticity.

1. Sender hashes the message to obtain a digest (h1).
2. Sender encrypts h1 with their private key to produce the digital signature.
3. The signature is attached to the message and sent.
4. Receiver decrypts the signature with the sender’s public key to recover h1.
5. Receiver hashes the received message to obtain h2 and compares h1 with h2.
6. If both hashes match, the message has not been altered and the sender is verified.

Digital Certificate

A Certificate Authority (CA) signs a user’s public key together with identity information, producing a digital certificate. The certificate is attached to the signed message. The receiver validates the certificate using the CA’s public key (root certificate) before verifying the digital signature.

Certificates solve the problem of public‑key substitution attacks by providing a trusted third‑party verification of the public key.
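The signing steps and the certificate check described above, as an added example that is not part of the original article. It uses toy textbook RSA built from known Mersenne primes so it runs on the standard library alone; the key names (CA, ALICE, MALLORY), the sample message and all function names are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA on known Mersenne primes: small, unpadded, for illustration only.
# Production code uses a vetted library with RSA-PSS or ECDSA and X.509 certificates.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    # Sender: hash the message (h1), then apply the private key to h1.
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data, sig, n, e):
    # Receiver: recover h1 with the public key, recompute h2, compare.
    return pow(sig, e, n) == digest(data, n)

def cert_body(cert):
    return f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()

def issue_cert(ca_key, subject, key):
    # The CA signs identity information together with the subject's public key.
    cert = {"subject": subject, "n": key["n"], "e": key["e"]}
    cert["ca_sig"] = sign(cert_body(cert), ca_key)
    return cert

def check(msg, sig, cert, ca_n, ca_e):
    # Validate the certificate against the CA public key first, then the signature.
    if not verify(cert_body(cert), cert["ca_sig"], ca_n, ca_e):
        return "bad-certificate"
    if not verify(msg, sig, cert["n"], cert["e"]):
        return "bad-signature"
    return "ok"

CA = make_key(2**521 - 1, 2**607 - 1)        # constructed demo keys
ALICE = make_key(2**127 - 1, 2**89 - 1)
MALLORY = make_key(2**107 - 1, 2**61 - 1)
MSG = b"transfer 100 to bob"                 # constructed sample message

def demo():
    cert = issue_cert(CA, "alice", ALICE)
    genuine = check(MSG, sign(MSG, ALICE), cert, CA["n"], CA["e"])
    tampered = check(b"transfer 900 to eve", sign(MSG, ALICE), cert, CA["n"], CA["e"])
    # Key substitution: Mallory's key placed in Alice's certificate breaks the CA signature.
    forged = dict(cert, n=MALLORY["n"], e=MALLORY["e"])
    swapped = check(MSG, sign(MSG, MALLORY), forged, CA["n"], CA["e"])
    return genuine, tampered, swapped
```

Calling `demo()` returns the verdict for a genuine message, a message altered in transit, and a certificate whose public key was swapped.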

SSH Protocol Overview

SSH is a secure protocol for remote login and other network services. It uses asymmetric encryption for key exchange and symmetric encryption for the session.

SSH Handshake

1. Server sends its public key to the client.
2. Client encrypts the password (or a random secret) with the server’s public key and sends it.
3. Server decrypts with its private key and validates the client.

To prevent man‑in‑the‑middle attacks, the client must verify the server’s public key fingerprint on first connection, typically by confirming a prompt.

The authenticity of host 'www.mapway.cn (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

After confirming, the host key is stored in known_hosts and future connections are trusted.
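One way to check a host key against a fingerprint obtained out of band instead of accepting the prompt blindly, as an added example that is not part of the original article. It computes both the colon-separated MD5 format shown in the prompt above and the SHA256 format that current OpenSSH prints; the host name, key bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    # SSH wire format: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def make_line(host, key_bytes):
    # Constructed ssh-ed25519 public key blob (key bytes are made up).
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def fingerprints(known_hosts_line):
    # Fingerprints are hashes of the decoded key blob (third field).
    blob = base64.b64decode(known_hosts_line.split()[2])
    md5 = hashlib.md5(blob).hexdigest()
    legacy = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return legacy, "SHA256:" + sha

def host_key_matches(known_hosts_line, expected):
    # `expected` is a fingerprint obtained out of band, e.g. from the server console.
    legacy, modern = fingerprints(known_hosts_line)
    shown = modern if expected.startswith("SHA256:") else legacy
    return hmac.compare_digest(shown, expected)

GENUINE = make_line("host.example", bytes(range(32)))         # constructed
SUBSTITUTED = make_line("host.example", bytes(range(1, 33)))  # constructed
```

A key presented by an interposed host produces a different fingerprint, so `host_key_matches(SUBSTITUTED, ...)` is false for either format of the genuine fingerprint.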

Public‑Key Authentication

1. Client places its public key in the server’s authorized_keys file.
2. Server encrypts a random challenge with the client’s public key and sends it.
3. Client decrypts the challenge with its private key, combines it with the session key, hashes the result, and returns the digest.
4. Server performs the same hash and compares the digests to authenticate the client without a password.

Digital Certificates in IoT and Smart Home

In IoT, devices use certificates issued by a private CA to authenticate each other, encrypt communications, and verify firmware updates. Trusted Computing Platform Alliance (TCPA) and Trusted Computing Group (TCG) define standards such as TPM for secure key storage.

Device certificates (one‑per‑device) enable secure identification, encrypted data exchange, and protected OTA updates.
