Linux - Security forum, LinuxQuestions.org
04-08-2006, 11:31 AM, #1
Member (Registered: Sep 2005, Posts: 183)

question about private and public keys

Hello,
I'd like to know how public and private keys work. It would be best if someone could explain it with an example.
I downloaded the kernel from www.kernel.org and there was a *.sign file next to it. Was it a private key?
I tried to verify the kernel file in gpg and there was an error: no public key. I downloaded the public key and imported it. It worked. But how does it work? Why do I need a public and a private key to verify a file?
I understand md5 verification: someone generates an md5 number (a sequence of letters and numbers) on one computer and posts it on the web site with the file to be verified. The person who downloads the file and the number can check if the number is correct.
But I can't fathom the idea of public and private keys. Is this somehow similar?
Cheers
04-08-2006, 12:13 PM, #2
Senior Member (Registered: Jan 2005, Location: Manalapan, NJ, Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android, Posts: 4,593)
04-08-2006, 07:33 PM, #3
LQ Guru (Registered: Feb 2004, Location: SE Tennessee, USA, Distribution: Gentoo, LFS, Posts: 11,201)

As the article explains ... keys come in pairs: a message encrypted by one can only be decrypted by the other, and vice versa.
When you want to verify a signed file, you download the public key: the file's signature block is encrypted using the private key, so if it can be successfully decrypted by the public key, and it (the MD5 hash that it contains) matches the message, then it is considered "valid."
04-09-2006, 06:41 AM, #4
Senior Member (Registered: Sep 2003, Location: Egypt, Distribution: Arch, Posts: 1,528)

Quote (Originally Posted by mac1234mac):
    Why do I need a public and a private key to verify a file?
    Cheers

When you sign a message, it is signed with your private key; then the recipient verifies it with your public key.
04-09-2006, 03:21 PM, #5
Member (Registered: Sep 2005, Posts: 183), Original Poster

Quote:
    When you sign a message, it is signed with your private key; then the recipient verifies it with your public key.

But when I verified the kernel source I needed both the public and the private key. So I didn't need only the public key but both. So it seems that to verify a file I need both the private and the public key?
Please look at www.kernel.org/signature.html
Last edited by mac1234mac; 04-09-2006 at 03:24 PM.
04-09-2006, 03:38 PM, #6
Senior Member (Registered: Jan 2005, Location: Manalapan, NJ, Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android, Posts: 4,593)

Quote (Originally Posted by mac1234mac):
    But when I verified the kernel source I needed both the public and the private key. So I didn't need only the public key but both. So it seems that to verify a file I need both the private and the public key?
    Please look at www.kernel.org/signature.html

If you look at that web site, you will see only the public key. If you had access to the private key the packages were signed with, you would be able to sign packages as authentic - that is, coming from the official distribution. You can have your own private key, but you need someone else's public key to authenticate their signature. Read the Wikipedia article.
04-10-2006, 11:11 AM, #7
Member (Registered: Sep 2005, Posts: 183), Original Poster

So what do I have to import? And what are the .sign files that can be found in the directory in which the kernel sources are?
I guess that I have to import public key ID 517D0F0E and run
gpg --verify linux-2.3.9.tar.gz.sign linux-2.3.9.tar.gz
I have to have the .sign file, which is (another guess) the private key. So I need both the public and the private key, don't I?
04-10-2006, 11:29 AM, #8
Senior Member (Registered: Jan 2005, Location: Manalapan, NJ, Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android, Posts: 4,593)

You import public keys, to add them to your keyring. A signed file (the extension doesn't mean anything) contains an encrypted hash of the data. You need a public key to decrypt and validate the data against the hash. Doing so authenticates the data - that it was signed by the person with the matching private key, and that it was not tampered with (no data was changed).
You can never have someone else's private key. Ever. That's why it's called a private key. The private key must be guarded like the key to a safe deposit box. Having the private key lets anyone prove they are the owner associated with a public key.
You can have your own private key. You would use your key to sign files and to encrypt files for others.
Last edited by macemoneta; 04-10-2006 at 11:30 AM.
04-10-2006, 12:05 PM, #9
Member (Registered: Sep 2005, Posts: 183), Original Poster

But in the case of this kernel example I don't decrypt data. I validate it only. So I import the public key, yes? OK, I know what the public key is in this case. So this .sign file is not the private key? So what is it called? Is this the signature?
Let's return to MD5 authentication: there is one file to be downloaded and one which contains a sequence of letters and numbers. But there is only one such file with the sequence!!! I compare what the md5 program prints out (referring to the file downloaded) and I know if the file is corrupted or not.
In the case of "kernel" authentication there are two files. Why?
Do the private and the public key have the same format?
Last edited by mac1234mac; 04-10-2006 at 12:12 PM.
04-10-2006, 12:43 PM, #10
Senior Member (Registered: Jan 2005, Location: Manalapan, NJ, Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android, Posts: 4,593)

Quote:
    But in the case of this kernel example I don't decrypt data.

Yes, you are decrypting the hash to validate the signed file.

Quote:
    So I import the public key, yes?

Yes, you import public keys for decrypting and validation of signed data.

Quote:
    So this .sign file is not the private key?

No, it is not a private key. It is a signed file (the file + the signature) or the signature of a file (just the signature associated with a separate file).

Quote:
    In the case of "kernel" authentication there are two files. Why?

The kernel developers have chosen to use a separate data file and signature:
linux-2.6.16.2.tar.bz2 - the linux kernel (the data file)
linux-2.6.16.2.tar.bz2.sign - signature (for the data file, linux-2.6.16.2.tar.bz2)
Validating the file with the signature means that the signature file will be decrypted using the kernel.org public key. This will yield a hash. The hash will be compared to the calculated value for the data file (the kernel); if they match, the file has been validated. If they do not match, then either:
1. The data or signature file have been changed after the signature was made, or
2. The private key used to sign the file is not the one associated with the public key used to validate it.
Last edited by macemoneta; 04-10-2006 at 12:44 PM.
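Posts #3, #8 and #10 describe the same mechanism in words; the following is an added example in Python, not code from the thread and not GnuPG's implementation, that runs that mechanism end to end on toy textbook RSA: a detached signature is the hash of the data raised to the signer's private exponent, "gpg --import" is a dictionary keyed by key ID, and verification undoes the private exponent with the public one and compares hashes. It uses SHA-256 rather than the MD5 the thread mentions, and it has no padding, so it illustrates the idea only and is not safe as a real signature scheme. The function names, the key-ID scheme, the seeds and the sample data are my own constructions; the key generator uses Miller-Rabin so nothing beyond the standard library is needed (Python 3.8+ for `pow(e, -1, phi)`).

```python
import hashlib
import random

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; adequate for a toy key generator."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: composite
    return True

def random_prime(bits, rng):
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, seed=None):
    """Return (public, private). They are related mathematically: what one
    exponent does mod n, the other undoes. That relation is the whole trick."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "e": e, "d": d}

def key_id(key):
    """Short ID derived from the public part; constructed stand-in for a GPG key ID."""
    return hashlib.sha256(f"{key['n']}:{key['e']}".encode()).hexdigest()[-8:].upper()

def sign(private_key, data):
    """Build a detached '.sign'-style blob: key ID + hash raised to the private exponent."""
    n, d = private_key["n"], private_key["d"]
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")  # < n (n has 510+ bits)
    sig = pow(digest, d, n)
    return key_id(private_key).encode() + b":" + sig.to_bytes((n.bit_length() + 7) // 8, "big")

def parse_sig_file(sig_file):
    kid, _, sig_bytes = sig_file.partition(b":")  # key ID is hex, so the first ':' ends it
    return kid.decode(), int.from_bytes(sig_bytes, "big")

def verify_with_key(public_key, data, sig):
    """Undo the private exponent with the public one; compare to the freshly computed hash."""
    recovered = pow(sig, public_key["e"], public_key["n"])
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return recovered == expected

def verify(keyring, data, sig_file):
    """Roughly what 'gpg --verify' does: look the signer's public key up by ID, then check."""
    kid, sig = parse_sig_file(sig_file)
    if kid not in keyring:
        return "NO PUBLIC KEY " + kid  # the error the original poster saw before importing
    return "GOOD" if verify_with_key(keyring[kid], data, sig) else "BAD"

if __name__ == "__main__":
    kernel_pub, kernel_priv = generate_keypair(seed=1)  # constructed stand-in for kernel.org's pair
    other_pub, _ = generate_keypair(seed=2)             # constructed unrelated key
    data = b"constructed stand-in for linux-2.6.16.2.tar.bz2\n"
    sig_file = sign(kernel_priv, data)                  # stand-in for the .sign file
    keyring = {}
    print(verify(keyring, data, sig_file))              # NO PUBLIC KEY ...
    keyring[key_id(kernel_pub)] = kernel_pub            # the 'gpg --import' step
    print(verify(keyring, data, sig_file))              # GOOD
    print(verify(keyring, data + b"\x00", sig_file))    # BAD: data changed (reason 1 in post #10)
    print(verify_with_key(other_pub, data, parse_sig_file(sig_file)[1]))  # False: wrong key (reason 2)
```

Only the public half ever leaves the signer's machine, and the verifier never needs the private exponent: `verify` uses `e` alone. The two failure cases post #10 lists both end in the same "BAD", which is also why a real verifier cannot tell tampering from a mismatched key.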
04-10-2006, 12:51 PM, #11
Senior Member (Registered: Jan 2005, Location: Manalapan, NJ, Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android, Posts: 4,593)

Regarding the format of the public/private keys, they can both be in the same format, but usually are not.
The private key, since it is never sent to anyone, is usually stored in binary.
The public key is also stored in a binary format, but is also exported into an ASCII format suitable for transfer via email and web browser. It is this exported ASCII format that you import, returning it to its binary stored format.
04-10-2006, 02:42 PM, #12
Member (Registered: Sep 2005, Posts: 183), Original Poster

So there is a connection between the private and the public key? So you generate your public and private key on your box, you send the public key to the recipient and then what? He can decrypt data with your public key? Either I got it wrong or it doesn't make sense. Everyone who can get the public key can decrypt such a file? (I think I've got it wrong...)
04-10-2006, 05:22 PM, #13
Senior Member (Registered: Jan 2005, Location: Manalapan, NJ, Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android, Posts: 4,593)

Quote (Originally Posted by mac1234mac):
    Everyone who can get the public key can decrypt such a file? (I think I've got it wrong...)

Yes, you have it wrong. Again, I'd like to stress that this is explained more clearly in the Wikipedia article mentioned above.
Public and private keys are related mathematically; they constitute a key pair.
When encrypting a file for someone, you use your private key and their public key. The recipient will then use their private key and your public key. As a result, only the intended recipient (the person with the private key matching the public key you used) can decode the file. In addition, since the sender's public key is used, it validates that the file actually originated with that individual.
04-11-2006, 01:15 PM, #14
Member (Registered: Sep 2005, Posts: 183), Original Poster

So, for example, I create a public and a private key, send the public key to another person, this person encrypts some file with his private key, using my public key, and then sends the encrypted file to me and I can decrypt the file with my private key? So the public key must contain information about the private key?
Last edited by mac1234mac; 04-11-2006 at 01:18 PM.
04-11-2006, 01:28 PM, #15
Senior Member (Registered: Sep 2003, Location: Egypt, Distribution: Arch, Posts: 1,528)

I can encrypt a message using your public key, and nobody other than the person who has the matching private key can decrypt it. So when you receive the decrypted message and apply your private key to decrypt it, the only way it will properly decrypt is if it was encrypted with your public key.
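The confidentiality direction from post #15, and the worry in post #12 that "everyone who can get the public key can decrypt", as an added Python example that is not from the thread: encryption uses only the recipient's public key, the matching private key is the only thing that undoes it, and applying the public key again yields garbage. To keep the block self-contained the keys are fixed toy RSA keys built from known Mersenne primes (2^127-1, 2^89-1, 2^107-1 and 2^61-1) with no padding, so it shows the asymmetry and nothing more; the names BOB_*, ALICE_*, `encrypt`, `decrypt` and `public_key_alone` are my own.

```python
def make_toy_keypair(p, q, e=65537):
    """Textbook RSA pair from two primes: public (n, e), private (n, d). No padding."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse; Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}

# Fixed toy keys from known Mersenne primes, so no prime generator is needed.
# Bob's modulus is about 216 bits, Alice's about 168 bits; both far too small for real use.
BOB_PUB, BOB_PRIV = make_toy_keypair(2**127 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_toy_keypair(2**107 - 1, 2**61 - 1)

def _to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def encrypt(public_key, message):
    """Anyone holding the recipient's public key can do this step."""
    m = int.from_bytes(message, "big")
    if m >= public_key["n"]:
        raise ValueError("message too long for this toy modulus (no hybrid encryption here)")
    return pow(m, public_key["e"], public_key["n"])

def decrypt(private_key, ciphertext):
    """Only the holder of the matching private exponent gets the plaintext back."""
    return _to_bytes(pow(ciphertext, private_key["d"], private_key["n"]))

def public_key_alone(public_key, ciphertext):
    """What post #12 feared: 'decrypting' with the public key. It does not recover the message."""
    return _to_bytes(pow(ciphertext, public_key["e"], public_key["n"]))

if __name__ == "__main__":
    msg = b"meet at nine"                         # constructed sample message
    ct = encrypt(BOB_PUB, msg)                    # Alice encrypts to Bob with Bob's public key only
    print(decrypt(BOB_PRIV, ct))                  # b'meet at nine'
    print(decrypt(ALICE_PRIV, ct) == msg)         # False: a different private key does not work
    print(public_key_alone(BOB_PUB, ct) == msg)   # False: the public key cannot undo itself
```

This is the answer to post #14's last question as well: the public key does not "contain" the private key, the two are just the inverse exponents of one modulus, and recovering `d` from `(n, e)` requires factoring `n`, which is what the size of a real key is chosen to make impractical.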