LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SSH / Asymmetric Key Cryptography Basics (https://www.linuxquestions.org/questions/linux-security-4/ssh-asymmetric-key-cryptography-basics-4175541321/)

wingman358 05-01-2015 10:19 AM
SSH / Asymmetric Key Cryptography Basics
 
Hi all, I'm a little bit confused about asymmetric key cryptography, particularly the use of RSA keys with SSH.

I have used ssh keys successfully in the past, but only after much headache and not much understanding. My comprehension is this: there is a public and private key, which when combined, allow a user to login.

My question is essentially which key goes where?

I have tried reading several posts and articles online, but they are mostly way above my head and the jargon does not make sense to me. I believe the private key is carried with the user, as in a "license" or fingerprint that is individually owned by a user. I think the public key stays on the remote server (the machine that is connected to during ssh 168.x.x.x ??), and the private key is on the local machine from which you are initiating the ssh session.

If that is true, then how does the private key stay private? Doesn't that schema mean the private key is transmitted over the network to the remote server, to be checked against the public key and accepted/rejected? or is the public key transmitted by the remote server to the local machine? In that case, how can the remote machine verify the local machine is authorized to connect?

I am sure I am missing something simple here.

Turbocapitalist 05-01-2015 10:41 AM
The public key goes onto the remote server you are going to connect to.

The private key stays on the local client you are going to connect from.

During authentication, the actual private key never leaves the client. Instead, the client takes some identifying session data and signs it with the private key. The server then checks using the public key to see if the signature is valid.

smallpond 05-01-2015 10:46 AM
The keys never need to be combined. The private key stays only readable and usable by you. The public key may be given to anyone to whom you need to prove your identity. The way it works is that nobody without the private key can sign a message that the public key will verify.

wingman358 05-01-2015 12:47 PM
Quote:
Originally Posted by Turbocapitalist (Post 5356207)
The public key goes onto the remote server you are going to connect to.

The private key stays on the local client you are going to connect from.

During authentication, the actual private key never leaves the client. Instead, the client takes some identifying session data and signs it with the private key. The server then checks using the public key to see if the signature is valid.
Thanks Turbocapitalist, that makes sense. One question regarding the signature- how does the server know what a valid signature looks like? The link you provided (great resource btw thank you for that) makes it sound like there must be some information that is shared plain text over the network in order to do the signature verification.

jpollard 05-01-2015 08:25 PM
Quote:
Originally Posted by wingman358 (Post 5356269)
Thanks Turbocapitalist, that makes sense. One question regarding the signature- how does the server know what a valid signature looks like? The link you provided (great resource btw thank you for that) makes it sound like there must be some information that is shared plain text over the network in order to do the signature verification.
I think this has what you are looking for (under the section "Asymmetrical Encryption")

https://www.digitalocean.com/communi...ection-process

and (harder to read, but the section '7 Public Key Authentication Method: "publickey"'
https://www.ietf.org/rfc/rfc4252.txt

metaschima 05-01-2015 09:49 PM
Just FYI, the asymmetric encryption and signing keys are two different keys, they have to be because using a key for both gives away info about it.

A signature scheme is basically a MAC with non-repudiation. It basically hashes the message using a hash function and then applies a keyed asymmetric signing transform (decryption). Whoever receives the message and the signature can check it by encrypting the signature and checking the hash.

As said above, think of the public key as a lock (only for encryption) and the private key as a key (only for decryption).

Turbocapitalist 05-02-2015 03:31 AM
Quote:
Originally Posted by wingman358 (Post 5356269)
Thanks Turbocapitalist, that makes sense. One question regarding the signature- how does the server know what a valid signature looks like? The link you provided (great resource btw thank you for that) makes it sound like there must be some information that is shared plain text over the network in order to do the signature verification.
The signature verification comes after the encrypted connection between the machines is already established. So no clear text is transmitted. Here's a description of the SSH connection process (if the link works)
http://www.linuxjournal.com/article/9566

For key-based authentication, the server has a priori the public part of the public/private key pair. In other words, that type of authentication cannot take place if the keys are not already in place first. Then if a private key was used to sign something then the matching public key, and only the matching public key, works to verify the signature (public key cryptography).

ntubski 05-02-2015 11:01 AM
Quote:
Originally Posted by Turbocapitalist (Post 5356559)
The signature verification comes after the encrypted connection between the machines is already established. So no clear text is transmitted. Here's a description of the SSH connection process (if the link works)
http://www.linuxjournal.com/article/9566
This is incorrect according to the article: the signature verification is used to establish the encryption keys in the first place, so the signature itself can't be encrypted.

Quote:
We know how to compute the individual encryption and MAC keys provided that we derive the basic parameters using the simple equation above. But, how do we get the parameters to begin with, in a secure, authenticated manner?

...we use a known and trusted server public key to authenticate key exchanges. Authentication of key exchange data is nothing more than signing with a private key. And, OpenSSH typically uses ssh-dsa or ssh-rsa keys for this purpose.
However, reading a signature will not reveal the private key (provided the thing signed was correctly padded), so encryption is not needed.

Turbocapitalist 05-02-2015 12:18 PM
Quote:
We know how to compute the individual encryption and MAC keys provided that we derive the basic parameters using the simple equation above. But, how do we get the parameters to begin with, in a secure, authenticated manner?

...we use a known and trusted server public key to authenticate key exchanges. Authentication of key exchange data is nothing more than signing with a private key. And, OpenSSH typically uses ssh-dsa or ssh-rsa keys for this purpose.
My reading of that is rather than the user's key it would be the server's key, the one(s) in /etc/ssh/, where the initial connection is established before authentication. However, I've not studied the transport layer protocol at all.

jpollard 05-02-2015 12:54 PM
According to RFC 4251 (https://www.ietf.org/rfc/rfc4251.txt) section 9.4,

Quote:
The purpose of this protocol is to perform client user
authentication. It assumes that this runs over a secure transport
layer protocol, which has already authenticated the server machine,
established an encrypted communications channel, and computed a
unique session identifier for this session.
So user authentication is done AFTER the encrypted session is set up.


All times are GMT -5. The time now is 10:19 AM.