LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-16-2019, 05:17 AM   #1
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Rep: Reputation: Disabled
pki


hi,
just to understand.
ssl pki certificate are on server side and private pki certificate are on client side?
why we need to create a private key and a signed certificate on server side?then we will use them with services or application.
this certificate will be downloaded to the client before the traffic between server and client?

tnx

Last edited by lelunicu; 08-16-2019 at 05:36 AM.
 
Old 08-16-2019, 03:50 PM   #2
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,267

Rep: Reputation: 141Reputation: 141
When I first read this question I'm sure SSH was mentioned, and you questioned why certificates weren't needed for that. I'll start with that.

A certificate is a public key, with identity information attached and signed by someone else's private key.

For SSH this isn't required because either you own the machine you are connecting to, or you have some sort of relationship with the person/organisation that does, and you can share public keys/fingerprints using a medium other than the SSH protocol, and authenticity is established during that exchange.

Something like HTTPS doesn't rely on or assume a preexisting relationship, and thus must establishing authenticity is just as important as encryption. This is where certificates come in. You have a small set of 'Root Certificate Authority' certificates that came with your browser or operating system. You trust these.

Most of the time, for HTTPS, determining authenticity of the server is sufficient. You configure the server with a private key and a cert. Whoever has signed the cert has (should have) gone out of their way to validate your identity and make sure you are who you say you are. When, for example, I connect to your server I'll receive your certificate and I'll check that the certificate has been signed by one of the Root Certificate Authorities* I know about and trust, if it has, I can be happy that you are who you say you are. This is the chain of trust.

* Generally your server cert won't be signed by a Root CA, there will be a bunch of intermediary certificate authorities in between, hence chain.

Some times, servers need to verify the client is who they say they are, so the client needs a cert signed by a CA the server trusts. This isn't common for general web traffic (this site, google, bookface, etc). It is more common in organizations with internal websites and company laptops and VPNs.

PKI is asymmetric encryption, every private key needs a corresponding public key. Generally asymmetric encryption is only used to establish authenticity and to exchange a symmetric key (or data that allows a key to be computed) for further communication. Symmetric encryption/decryption is far faster than asymmetric encryption.

Disclaimer: I'm not an expert, just a layman as far as encryption goes.
 
1 members found this post helpful.
Old 08-17-2019, 02:41 PM   #3
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Original Poster
Rep: Reputation: Disabled
certificates are used over ssl or tsl.application or service use certificate to authenticate client machine or user?
ex. puppet server sign a certificate requested by client machine.apache server send over a certificate to web browser at client machine or the certificate is per user or session level?
certificate issued by kerberos not use a CA root certificate as certificate over ssl or tls use.right?
ssh can use an kerberos certificate.
certificate over ssl or tls does not use pam as ssh use.right?

Last edited by lelunicu; 08-17-2019 at 02:48 PM.
 
Old 08-17-2019, 07:22 PM   #4
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,267

Rep: Reputation: 141Reputation: 141
Quote:
Originally Posted by lelunicu View Post
certificates are used over ssl or tsl.
I assume you mean TLS? Then both.

Quote:
Originally Posted by lelunicu View Post
application or service use certificate to authenticate client machine or user?
I'm not 100% sure what you are asking.

Quote:
Originally Posted by lelunicu View Post
ex. puppet server sign a certificate requested by client machine.apache server send over a certificate to web browser at client machine or the certificate is per user or session level?
I'm not sure what you are asking here. If you are doing client authentication, and your client has a certificate that has been signed, a web server wouldn't be sending it to the client, it would be the other way about.

Quote:
Originally Posted by lelunicu View Post
certificate issued by kerberos not use a CA root certificate as certificate over ssl or tls use.right?
I don't know. I last read about Kerberos over a decade ago. I can't remember.

Quote:
Originally Posted by lelunicu View Post
ssh can use an kerberos certificate.
Kerberos ticket for authentication. Yes.

Quote:
Originally Posted by lelunicu View Post
certificate over ssl or tls does not use pam as ssh use.right?
Correct.

All this is easily obtained information using your favourite search engine. I encourage you to use it.
 
Old 08-18-2019, 05:51 AM   #5
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Original Poster
Rep: Reputation: Disabled
ssh use public and private key to authenticate user.
certificate is used to authenticate what?a user?a client host?
 
Old 08-18-2019, 07:57 AM   #6
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,511

Rep: Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813
A certificate is used to link a public key to a name.

There are other ways to do this, e.g., ssh_known_hosts.
 
Old 08-18-2019, 05:29 PM   #7
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,267

Rep: Reputation: 141Reputation: 141
Quote:
Originally Posted by lelunicu View Post
certificate is used to authenticate what?a user?a client host?
Either or, or both.
 
Old 08-19-2019, 08:49 AM   #8
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Original Poster
Rep: Reputation: Disabled
client has user with public key and private key generated.the same server has public and private key for a user.
if the public key of user is copied in authorized_keys in server then how the traffic is encrypted?


clent encript data with private key and send it to the server.this decript the data with public key?
or the client and server will generate a session key and this key is used by client and server to encript or decript the data?
 
Old 08-19-2019, 09:41 AM   #9
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 3,410
Blog Entries: 9

Rep: Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897
It's actually a 2-stage process. In the first stage, your computer generates a private one-time key out of random noise. It contacts the server and the server sends back an unencrypted packet containing its public key, a list of the encryption algorithms that it supports and a certificate confirming that the public key is genuine. Your computer then uses this public key to encrypt a packet containing the private key it has made and the name of the encryption algorithm it wants to use. The server uses its private key to decrypt the package; no one else can decrypt it. Even if someone intercepts the package, it will be gobbledygook to them.

Now the server knows the one-time key you have created and what encryption algorithm you want to use. In the second stage, both parties switch to symmetric encryption, using that algorithm and using the same key to encrypt and decrypt, which is a lot faster. Nobody else can eavesdrop because nobody else knows either the algorithm or the key to use.

Last edited by hazel; 08-19-2019 at 09:42 AM.
 
Old 08-19-2019, 09:52 AM   #10
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Original Poster
Rep: Reputation: Disabled
in passwordless case how the date is encrypted or decrypted?when public key from client $HOME/.ssh is copied in authoried_keys in server.
 
Old 08-19-2019, 10:03 AM   #11
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 3,410
Blog Entries: 9

Rep: Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897
The server uses that public key to encrypt. The other machine decrypts it with the corresponding private key.
 
Old 08-20-2019, 03:34 AM   #12
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Original Poster
Rep: Reputation: Disabled
if the password is used to authenticate -this is not part of pki.right?
in this case the traffic will be encrypted?
 
Old 08-20-2019, 06:30 AM   #13
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 3,410
Blog Entries: 9

Rep: Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897
Yes, the encryption stuff has to be done first so that the password will already be encrypted when it is transferred across. Otherwise someone could sniff your password. That's how you log into Linux Questions too.
 
Old 08-20-2019, 06:53 AM   #14
lelunicu
Member
 
Registered: Jun 2019
Posts: 37

Original Poster
Rep: Reputation: Disabled
if there are no public and private key on client or server,then what component will encrypt the password at logon time using ssh?after the user is logged in,the traffic will be encrypted?what component will be used to encrypt the traffic?


is correct to say that https traffic goes over tls?or https traffic use tls?

Last edited by lelunicu; 08-20-2019 at 06:56 AM.
 
Old 08-20-2019, 08:01 AM   #15
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 3,410
Blog Entries: 9

Rep: Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897Reputation: 1897
Here's what Linux From Scratch says about using openssh:
Quote:
If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote computer and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen &&
ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME

Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user:
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to run PKI Gins Linux - General 2 01-17-2007 12:45 PM
PKI implementation amsri Linux - Networking 0 01-24-2006 07:49 AM
PKI Enabled FTP Client elvinyup Linux - Software 0 09-20-2005 02:31 AM
PKI implementation on Red Hat Linux Fedora 3.0 fauzie Linux - Networking 4 01-14-2005 10:01 PM
Pki subban Linux - Enterprise 1 12-19-2004 04:02 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration