Through the SSH suite, when data is sent from a client to a server, SSH ensures the authentication, encryption and integrity of data transmitted over a network. SSH automatically encrypts login information as well as session traffic before it even leaves the client. On the receiving end, SSH automatically decrypts the data, making the entire encryption process transparent to the user—no user involvement is required (Barrett & Silverman, 2001).
SSH has a known-host mechanism that engages when a client connects to an unfamiliar server for the first time. During SSH authentication, both the server and client must authenticate each other through public-key cryptography (Barrett & Silverman, 2001). Every SSH server has a private, unique host key used to identify itself to clients. Upon first connection, a public version of the host key gets stored on the client, and this key is referenced upon every future connection (Barrett & Silverman). If it does not match, SSH returns a warning message, informing the user to be wary about connecting unless they trust the server is legitimate.
There are several major features SSH aims to provide to users, the first of which is ensuring data is protected from disclosure through end-to-end encryption. This encryption takes place through the exchange of random keys negotiated for the session and then destroyed when the session is terminated (Barrett & Silverman, 2001).
SSH also serves to see that data is transmitted over the network and arrives unaltered at the receiving end. While TCP/IP does have some degree of error checking, it can be fooled through malicious tampering. The SSH-2 protocol uses cryptographic integrity checking that makes sure data has not been altered and that the data came from a legitimate host (Barrett & Silverman, 2001).
Authentication of each party is a significant security advantage to SSH. Both the client and server authenticate each other; more specifically, the client verifies the identity of the server and the server verifies the identity of the user requesting access. Next it is determined what capabilities the user is to be granted based on their permission levels and authentication mechanism being used; this can only happen after authentication since one cannot be granted privileges unless their identity is verified first (Barrett & Silverman, 2001).