IBM Support

QRadar: What is public key authentication?

Question & Answer


What is public key authentication and how does QRadar use it?


Public key authentication is an authentication method commonly used by server administrators because of its high level of security and ease of connection. It works with a pair of keys: a private key and a public key. The public key is compared against the authorized_keys file on the remote host, which lists the allowed hosts together with their public keys.

QRadar uses this authentication method to communicate with all the hosts without using passwords.
The following overview explains how SSH connections are established:
  1. The client sends its public key to the server.
  2. The server validates whether the key is allowed by comparing it to the keys in the /root/.ssh/authorized_keys file.
  3. If the key is allowed, the server encrypts a random message with the client's public key and sends the encrypted message to the client.
  4. The client decrypts the encrypted message with its private key, hashes the decrypted message with SHA256, and sends the hash to the server.
  5. The server compares the hash of the original message against the hash received from the client. If the hashes match, the key pair is valid and the connection can be established.

The following image illustrates the process for establishing an SSH session when key-based authentication is enabled.
[Image: Key-based authentication]
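The five-step exchange above, written out as an added example that is not from this page or from QRadar: the server side checks the offered key against an authorized_keys stand-in, issues an encrypted random challenge, and compares the SHA256 hash the client sends back. Assumptions of mine: RSA with OAEP padding, a SHA-256 fingerprint of the key modulus as the lookup key in place of the real "ssh-rsa AAAA..." line format, and the names AuthorizedKeys, challenge, respond and Authenticate.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// AuthorizedKeys stands in for /root/.ssh/authorized_keys. Real entries are
// "ssh-rsa AAAA..." lines; here a key is identified by a SHA-256 of its modulus.
type AuthorizedKeys map[[32]byte]bool

func fingerprint(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) }
func (a AuthorizedKeys) Add(pub *rsa.PublicKey) { a[fingerprint(pub)] = true }

// Step 3 (server): encrypt a fresh random message with the offered public key and
// keep SHA-256 of the plaintext as the answer the client has to reproduce.
func challenge(pub *rsa.PublicKey) ([]byte, [32]byte, error) {
	msg := make([]byte, 32)
	if _, err := rand.Read(msg); err != nil {
		return nil, [32]byte{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	return ct, sha256.Sum256(msg), err
}

// Step 4 (client): decrypt with the private key and send back SHA-256 of the
// plaintext. Without the matching private key the decryption fails (err != nil).
func respond(priv *rsa.PrivateKey, ct []byte) ([32]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return sha256.Sum256(msg), err
}

// Authenticate runs steps 1-5 for a client offering `offered` and holding `priv`.
// It succeeds only if the key is listed (step 2) and the hashes match (step 5).
func Authenticate(a AuthorizedKeys, offered *rsa.PublicKey, priv *rsa.PrivateKey) (bool, error) {
	if !a[fingerprint(offered)] {
		return false, nil // unknown key: the server never issues a challenge
	}
	ct, expected, err := challenge(offered)
	if err != nil {
		return false, err
	}
	got, err := respond(priv, ct)
	if err != nil {
		return false, err // e.g. the private key does not match the offered public key
	}
	return hmac.Equal(got[:], expected[:]), nil // constant-time comparison of the hashes
}
```

Offering a listed public key is not enough on its own: the third case in the test shows that a client without the matching private key cannot open the challenge and is rejected.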


Document Information

Modified date:
31 May 2023