LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-08-2006, 11:31 AM   #1
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Rep: Reputation: 30
question about private and public keys


Hello

I'd like to know how public and private keys are working.
It would be the best if someone would explain it in example.

I downloaded kernel from www.kernel.org and there
was *.sign file next to it. Was it private key?.
I tried to verify kernel file in gpg and there was error:
no public key. I downloaded public key and imported it.
It worked. But how it works?. Why do I need public and
private key to verify file?.

I understand md5 verification:
someone generates md5 number (sequence of letters and numbers) on one computer and posts it on the web site with
file to be verified. Person who downloads file and number
can check if the number is correct.

But I can't fathom the idea of public and private keys.
Is this somehow similar?.

Cheers
 
Old 04-08-2006, 12:13 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
Wikipedia explains this very well.
 
Old 04-08-2006, 07:33 PM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,253

Rep: Reputation: 1076Reputation: 1076Reputation: 1076Reputation: 1076Reputation: 1076Reputation: 1076Reputation: 1076Reputation: 1076
As the article explains ... keys come in pairs: a message encrypted by one can only be decrypted by the other, and vice-versa.

When you want to verify a signed file, you download the public key: the file's signature block is encrypted using the private key, so if it can be successfully decrypted by the public key, and it (the MD5 hash that it contains) matches the message, then it is considered "valid."
 
Old 04-09-2006, 06:41 AM   #4
heema
Senior Member
 
Registered: Sep 2003
Location: Egypt
Distribution: Arch
Posts: 1,528

Rep: Reputation: 46
Quote:
Originally Posted by mac1234mac
Why do I need public and
private key to verify file?.
Cheers
when you sign a message , it signs with your private key then the recipient verifies it with your public key
 
Old 04-09-2006, 03:21 PM   #5
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
Quote:
when you sign a message , it signs with your private key then the recipient verifies it with your public key
But when I verified kernel source I needed both public and private key. So I didn't need only public key but both.
So it seems that to verify file I need
both private and public key?.

Please look at www.kernel.org/signature.html

Last edited by mac1234mac; 04-09-2006 at 03:24 PM.
 
Old 04-09-2006, 03:38 PM   #6
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
Quote:
Originally Posted by mac1234mac
But when I verified kernel source I needed both public and private key. So I didn't need only public key but both.
So it seems that to verify file I need
both private and public key?.

Please look at www.kernel.org/signature.html
If you look at that web site, you will see only the public key. If you had access to the private key the packages were signed with, you would be able to sign packages as authentic - that is, coming from the official distribution. You can have your own private key, but you need someone else's public key to authenticate their signature. Read the Wikipedia article.
 
Old 04-10-2006, 11:11 AM   #7
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
So what do I have to import?. And what are the .sign files that can
be found in a directory in which kernel sources are?.
I guess that I have to import public key ID 517D0F0E
and to do

gpg --verify linux-2.3.9.tar.gz.sign linux-2.3.9.tar.gz

I have to have .sign file which is (another guess) private key.

So I need both public and private key, need I?.
 
Old 04-10-2006, 11:29 AM   #8
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
You import public keys, to add them to your keyring. A signed file (the extension doesn't mean anything), contains an encrypted hash of the data. You need a public key to decrypt and validate the data against the hash. Doing so authenticates the data - that it was signed by the person with the matching private key, and that it was not tampered with (no data was changed).

You can never have someone elses private key. Ever. That's why it's called a private key. The private key must be guarded like the key to a safe deposit box. Having the private key lets anyone prove they are the owner associated with a public key.

You can have your own private key. You would use your key to sign files and to encrypt files for others.

Last edited by macemoneta; 04-10-2006 at 11:30 AM.
 
Old 04-10-2006, 12:05 PM   #9
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
But in case of this kernel example I don't decrypt data. I validate it only. So I import public key, yes?. OK I know what is public
key in this case. So this .sign file is not private key?.
So how is it called?. Is this signature?.

Let's return to MD5 authentication, there is one file to be downloaded and one which contains sequence of letters and numbers.
But such file with sequence is only one!!!.
I compare what md5 program prints out (refering to the file downloaded) and I know if the file is corrupted or not.

In case of "kernel" authentication there are two files. Why?.

Has private and public key the same format?.

Last edited by mac1234mac; 04-10-2006 at 12:12 PM.
 
Old 04-10-2006, 12:43 PM   #10
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
Quote:
But in case of this kernel example I don't decrypt data.
Yes, you are decrypting the hash to validate the signed file.

Quote:
So I import public key, yes?
Yes, you import public keys for decrypting and validation of signed data.

Quote:
So this .sign file is not private key?
No, it is not a private key. It is a signed file (the file+the signature) or the signature of a file (just the signature associated with a separate file).

Quote:
In case of "kernel" authentication there are two files. Why?
The kernel developers have chosen to use a separate data file and signature:

linux-2.6.16.2.tar.bz2 - the linux kernel (the data file)

linux-2.6.16.2.tar.bz2.sign - signature (for the data file,linux-2.6.16.2.tar.bz2)

Validating the file with the signature means that the signature file will be decrypted using the kernel.org public key. This will yield a hash. The hash will be compared to the calculated value for the the data file (the kernel); if they match, the file has been validated. If they do not match, then either:

1. The data or signature file have been changed after the signature was made,

2. The private key used to sign the file is not the one associated with the public key used to validate it.

Last edited by macemoneta; 04-10-2006 at 12:44 PM.
 
Old 04-10-2006, 12:51 PM   #11
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
Regarding the format of the public/private keys, they can both be in the same format, but usually are not.

The private key, since it is never sent to anyone, is usually stored in binary.

The public key is also stored in a binary format, but is also exported into an ASCII format suitable for transfer via email and web browser. It is this exported ASCII format that you import, returning it to its binary stored format.
 
Old 04-10-2006, 02:42 PM   #12
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
So there is connection between private and public key?.
So you have generate your public and private key on your box,
you send public key to recipient and then what?. He can decrypt
data with your public key?. Either I got it wrong or it doesn't make
sense. Everyone who can get public key can decrypt such file?.
(I thing I've got it wrong...)
 
Old 04-10-2006, 05:22 PM   #13
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326Reputation: 326Reputation: 326Reputation: 326
Quote:
Originally Posted by mac1234mac
Everyone who can get public key can decrypt such file?.
(I thing I've got it wrong...)
Yes, you have it wrong. Again, I'd like to stress that this is explained more clearly in the Wikipedia article mentioned above.

Public and private keys are related mathematically; they constitute a key-pair.

When encrypting a file for someone, you use your private key and their public key. The receipient will then use their private key and your public key. As a result, only the intended recipient (the person with the private key matching the public key you used) can decode the file. In addition, since the senders public key is used, it validates that the file actually originated with that individual.
 
Old 04-11-2006, 01:15 PM   #14
mac1234mac
Member
 
Registered: Sep 2005
Posts: 183

Original Poster
Rep: Reputation: 30
So, for example, I create public and private key, send public key
to another person, this person encrypts some file with his
private key, using my public key, and then sends encrypted file to me and I can
decrypt the file with my private key?. So public key must
contain information about private key?.

Last edited by mac1234mac; 04-11-2006 at 01:18 PM.
 
Old 04-11-2006, 01:28 PM   #15
heema
Senior Member
 
Registered: Sep 2003
Location: Egypt
Distribution: Arch
Posts: 1,528

Rep: Reputation: 46
I can encrypt a message using your public key, and nobody other than the person who has the matching private key can decrypt it. so when you receive the decrypted message and apply your private key to decrypt it, the only way it will properly decrypt is if it was encrypted with your public key
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh public/private keys lord_darkhelmet Linux - Newbie 8 10-29-2005 03:14 PM
SSH public / private keys problem guideweb Linux - Software 7 08-27-2005 09:49 PM
Using GPG without public or private keys darin3200 Linux - Security 3 01-10-2005 03:40 AM
How to delete public & private keys for SSH? TrulyTessa Linux - Security 2 11-18-2004 12:27 PM
Help with SSH and public/private keys stodge Linux - Security 5 05-14-2003 01:22 PM


All times are GMT -5. The time now is 04:35 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration