While public key encryption is a method of encrypting data, signature authentication or public key authentication is an alternative method of identifying yourself to a login server, instead of typing the password. Under most circumstances, it is considered considerably more secure and and at the same time more flexible then conventional password authentication.
When using the latter, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked or your connection to the server is being spoofed, an attacker can learn your password.
You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures . A signature created with your private key (virtually) cannot be forged using some other key; but anybody who has your public key can verify that a particular signature is genuine.
With the program of your choice, you generate a key pair on your own computer (which should not already be hacked…), and copy the public key to the server, in our case running OpenWrt. Then, when the server asks you to prove who you are, PuTTY can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in.
Now in case the server is hacked or the connection is being spoofed, the attacker does not gain your private key nor your password, but merely one signature. And signatures cannot be re-used, so they have gained nothing.
NOTE: ssh already make use of public key authentication, but only to authenticate the server. If the server has been hacked, the auth would still succeed.
|Security never relies on some algorithm, but on the user comprehending the principles and acting sanely. Usually there is a chain of security and every link must be kept secure on its own, for the whole concept to work. Therefore every encryption method has some immanent weaknesses which once met, define a method as considerably secure. But then there is the user…|
* If success of brute-force attacks is reported as high, do not use this encryption method any longer
The passphrase can make public-key authentication less convenient than password authentication because the passphrase is much longer then a password. Every time you log in to the server, instead of typing a short password, you have to type a long passphrase. One solution to this is to use an authentication agent, a separate program which holds decrypted private keys and generates signatures on request. PuTTY's authentication agent is called Pageant. When you begin a Windows session, you start Pageant and load your private key into it (typing your passphrase once). For the rest of your session, you can start PuTTY any number of times and Pageant will automatically generate signatures without you having to do anything. When you close your Windows session, Pageant shuts down, without ever having stored your decrypted private key on disk. Many people feel this is a good compromise between security and convenience.
There is more than one public-key algorithm available. The most common is RSA, but others exist, notably DSA (otherwise known as DSS), the USA's federal Digital Signature Standard.
Here is a german wiki from fedorawiki.de about security:
Assuming you have a key in ~/.ssh/id_rsa.pub on your host computer, you can copy it to the OpenWrt system in just one command:
ssh root@openwrt "echo $(cat ~/.ssh/id_rsa.pub) >>/etc/dropbear/authorized_keys;chmod 0600 /etc/dropbear/authorized_keys"
Thereafter, you can log into the OpenWrt system from your host computer without the need for a password.