Introduction

In our daily lives, there are many services with which we have to use authentication in order to get access; be it personal services like our cloud email solutions, a social gathering service, business socializing websites, or enterprise services needed to do our jobs. Enterprises most often have to have access to the following services:

  • Domain name service: it’s where all the records for their domains are kept and managed. An attacker having accessed the domain name service can change all their domain records to point to his own malicious website in order to disrupt the enterprise service and possibly even attack all of the visitors of the service.
  • Dedicated servers: A company usually has many dedicated services in different data centers around the word. A hacker, having gained access to a dedicated server, can disrupt the service running on that server; obtain all user credentials from login requests coming over the network or something entirely different, like installing a backdoor into the system.
  • Source code hosting: Software companies often use source code hosting in order to save repositories for various projects online. This greatly simplifies the development and maintenance of source code repositories, but allows an attacker possibly to gain access and steal the source code of an application or a system.
  • A website: A company can easily set up a website by using various platforms that already do most of the work for us. However, if the website allows user authentication, it should be run over TLS in order for a secure session to be established prior to entering the credentials.

All of the above services can be installed and maintained in an company’s internal network and by company administrators, but there are cloud service providers offering the same kind of services for free or possibly for small subscription fee. In any case, users of the services have to access those services regularly in order to do their jobs. There are many ways a user can access the services, but in order to be most secure public/private keys are used to obtain access to the service.

Public/Private keys

To access various cloud-based services securely, we can use public-key cryptography, which uses two separate but corresponding keys –the public and private key. The public key can be publicly disclosed and is used for encrypting the message, while the private key must be kept private and is used to decrypt the message. The public-key cryptography is used in various protocols and infrastructure applications, like when connecting to a TLS-enabled website, connect to a dedicated server through SSH, access the source code repository at hosting provider, etc. Whenever we use git to push/pull source code changes from the repository or using ssh to connect to the remote server, we’re using the public/private key-pairs. Therefore, it’s safe to conclude that public/private keys are extensively used and they have to be properly protected to achieve the utmost security.

The public/private key pair can be generated by a tool ssh-keygen, which is part of the openssh package in Linux. In Windows, we can generate the keys by using the Putty client, which also includes the Puttygen utility used for generating the keys.

Let’s generate a simple public/private key by using the ssh-keygen command below and using the -f option, which specifies the filename of the key file.

# ssh-keygen -f mykey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
86:79:43:6a:c2:ab:34:2b:bf:7f:e1:63:5f:83:a4:42 user@server
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|                 |
|        .        |
|   .   =         |
|    E = S        |
|   . +.= o       |
|  o o.... o      |
|.. + .=  . .     |
| o=o.o o.        |
+-----------------+

The ssh-keygen command generated two files, the private key mykey and the public key mykey.pub, which has the .pub extension. The public key can be seen below and is defined of several fields [1]:

  • Key format: specifies how the format of the key, where the following options are available: ssh-dss, ssh-rsa, pgp-sign-rsa and pgp-sign-dss.
  • Encoded Data: a base64-encoded public key.
  • Additional information: usually specifies the user and server identifier about where the key was generated.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Qrhb8G6e4QayTBXShd5PCUvlKmmWVarYd1lV0TZTw47C5yFC+pj/NsH/EZM7vI9LvFZ0vj8WRy1k7KmHzXZcThr6e9VzsU42YOtTAys8SXlZ8Bac/B97K3g3KspQWCv0Yd1HQMTWZ8hELHPL+6J0nhXazxQM2DgivREri8jjzLqLw+T7twwNzBCwS6kjuRYBiuHSjLYdV+EIv+a6DU1s14YlQHYuo6icic4OFouXurol4pphO+7bzlYrw/o5XA2Umt4q5tFEEogy7n+NaYyq8/+QRehR1awlQz74NMqklbmzhgHpVBMxKFpUxBKR0d8KZVxcKD4QlGlylhM1Xl8RkrQl3SQOscVv9TNYIPvxXGvxderXszsnogShARoKAix3vAXCkJO0DOgFgAX5mVyT1Eq2AR5YDoP/E2O61m716EC0J/j3hbNnNzOh63nIucF2n6w3C32dAxF6xKVlrzkvkWCH7m6sd7xtVx0KzsYXYGEdbBSMtsMCDc1n3XQdCKO05oWNd2SplpM8m8bybDR+JU6LGsgCBwGoHG7HQIvpf/OYZo9NIyli2pXYOEKoanQW3H2QRqiqPEKde5HMp4aHjGu0Kl9f6VyQC0w5dCB+7rDahfdh0e6PvVA8rCYYyXqQTbyT7mJs3v5DE5/tnjJ9bFcmqsV6wN4LDPlra7oOlw== user@server

The private key mykey, which doesn’t have an extension, can be seen below and follows the ASN.1 syntax notation.

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAtUK4W/BunuEGskwV0oXeTwlL5SppllWq2HdZVdE2U8OOwuch
QvqY/zbB/xGTO7yPS7xWdL4/FkctZOyph812XE4a+nvVc7FONmDrUwMrPEl5WfAW
nPwfeyt4NyrKUFgr9GHdR0DE1mfIRCxzy/uidJ4V2s8UDNg4Ir0RK4vI48y6i8Pk
+7cMDcwQsEupI7kWAYrh0oy2HVfhCL/mug1NbNeGJUB2LqOonInODhaLl7q6JeKa
YTvu285WK8P6OVwNlJreKubRRBKIMu5/jWmMqvP/kEXoUdWsJUM++DTKpJW5s4YB
6VQTMShaVMQSkdHfCmVcXCg+EJRpcpYTNV5fEZK0Jd0kDrHFb/UzWCD78Vxr8XXq
17M7J6IEoQEaCgIsd7wFwpCTtAzoBYAF+Zlck9RKtgEeWA6D/xNjutZu9ehAtCf4
94WzZzczoet5yLnBdp+sNwt9nQMResSlZa85L5Fgh+5urHe8bVcdCs7GF2BhHWwU
jLbDAg3NZ910HQijtOaFjXdkqZaTPJvG8mw0fiVOixrIAgcBqBxux0CL6X/zmGaP
TSMpYtqV2DhCqGp0Ftx9kEaoqjxCnXuRzKeGh4xrtCpfX+lckAtMOXQgfu6w2oX3
YdHuj71QPKwmGMl6kE28k+5ibN7+QxOf7Z4yfWxXJqrFesDeCwz5a2u6DpcCAwEA
AQKCAgAVaO0Xxv15/MBqvPvy4ucQVNvHFMxl+nZ0nRxLO6v8FuQ890oBfFIoCxK9
Cxll++69FmDr5zDSc9PT0PRxWv55Bqy/G3Np9+5yE96X7o7jzxXrXqV9I3ageND5
Sy+cb925PvoBGZBmdtm727hNxso4lhekwcLvhXaT+9sUVq2C4sLCEYBxjvx4gLsT
58vxsUH9Kqdj1EUKkD+/ZdNd9IZJredlbQjIl4IqA0j4dwdEA8VLBkoP5CFhiyy4
fKyIq+vaurQ1QxBCxyGZSnx8epQn+SwdoXRAfkmYGSpN7QZmjFzj7Jc7NTgTHV4W
FxbObIi41KIlLIewM6eE5l8cdaoq2Sk+x5HFlvzUwB6e5oS3o9N5dvWXFyeW0wfm
SBFoPI+cDF7MGbliybZslrEhV6QSS5OkV7vIx2KICcBrxx9m5cfqNBcMEeoh9BH5
XuitIIY3rZDE93C+atOkeIQCV4bAu5R4qU8X9Pa0aLoZPpvuQfHLBshr9nQa0eGs
VRwsKac0pStdCyin2/YGUvmQrQYpDDCL/v5RlHRy50QZ/uTGPYyDKNu0cMG5U9RF
6KRsix4OSxuPL02ahrRzl6pD0isOnX7f+4joVgXVdZpJhoVZ4aKyLsADFIbMZxv3
duIuij5cXMZWxIIKmn/Sez5fZgLgjBv1h8p5ZHIJ7BiAk/6IoQKCAQEA6VEC0u9A
i7tqh8DmjarZy7ojF8Kp+3r9EKWYZ8OkP+qG641E5JoaBZ5kx7BaFIL6n8UVZQxA
HZ5Ip4Q16YlP9WAo7B7PXl6Zq6sNGHvmeXBa7/HIPNU44vlEKMJPkxVV7Bh1aqHF
Dx4wPDCrQfW5h92Smv1CQSlpTNW4VsJ29TFxvJ0pk2E2sUN11kyiT2SF77AlNKHn
ztZd3XLuH/zt5wjko9dNudqgPa9NZUC75F3035XdayeemAtJh2aLY/M3frXm578Y
faTWciNwtv7BOcmMDYXqE8jZL61gXs3dEHe4Kx+yAKWOow7tVeJz09VCDVP1c9H4
S9Myb5oQqbUkMQKCAQEAxuIY3DhFvXSuyLW1bo4JOkbx+HZ8/yCzQu/OfrFdZJtH
B7yiS/zkTUqLOGSzxAjK2xnaTjfX4KY8ahJ2r+Aw318jjp6oTcCvDBTitZ+ZIBg4
TLujjEtmr56JWLRlMn4f4HAt1qaIfnS5AbTqKKuQN2zKZIFS5YJF2JjECYE5aVoL
ddZ1d404ePnZdNJ1MsbW9jxWXvqHhoM2i5u8dH/ddZKLojb6qr/Ch0kZ/W0ZjFEm
eui/S+sTXqtUeqOVP8a+qBnTIh8LCTpFo1p8L8JAszKlwyS3Ys9mqFhVWIBNCaQC
ucnoJqigCxvIVC7z+VC+7TuOe3C9/K8YkabDzpUVRwKCAQEA5AtCb1laBTmRzk5F
CoLLjczJMBgcfKihYPv6ErGugKqCZQkXJTlZ5dQDPQqpgRLkU/UWDEYFBO4IpXMc
Hr8PYA408VTL6rkcCiaODjhL9LZUq+HujUb66x4n+I6zqFdaPAFMAoVLTpN7IdmQ
ClBanul6ufKAJ6CKQ4dBPcuk6dMCEBCs6lhCVNBTBLqyilb+cmAAfYkiQZBU/nWv
OaTGAuM2Vs3CMr31kVUemLDE9VjAVyjr2ihHYuTlYWphI7g9raOtpSWqkmPjFnx9
Vt95jTnpoe4Z9GyDm44ie4dLYyUg5UV9fhRTbhzQ7PkBrTLr9Irzhdjcj4BF877q
OnXKgQKCAQBKAnFF4hrxua4hOp1dmrWMXkJFN7KkLkMHMb4iH1alzbLNCkFLDbzX
llngjnjnBm6WwjQez2EiVDo/LsfEAyWsufa9aAUxifaaBFupQs70xo6M33apCpYX
3GM4A0l1VMH//z7PlgFNLZp7LBvHLrDoLy/R3t4+UhAz3gV1lAUNU1jYbQohhwfw
3OkzM+4xCxWLZECv74LnZ4Swxy+GGt8KlZIot1TonZuCRI3LZQIQ2VH8gwhM9Bmt
LQyu5pjvtsHURGfxVqQAtxKbC10TWLJC/SH6UHt95bhKBTUdTgFdCQ+Km7wsRqvn
9lrCGQbpTEcAeR04imfo1C/MY8aR5aCZAoIBAEzL+Vaq0dGhhR0zyiPFblmP2k/p
A1tD1XbASlVisz00D2E2xmR7HF43Xq6byO2v8R5scR/ozJp5nko/1DXgcj8MXElZ
yU7YDX8FekCBYHcodvoR1v7eO0oyMS09D1eqXnPeZdZEaOprVKl2n17jsV7FhYw3
LWO6sDG9BadDKavF8cLqdQwNBE28/380OWMRTsnU6uBv+nUxPZpKVc2osZ5hcmTn
2iw2WfXV/f+8aEWNMZaO8jjGiJE3QDjgBprUZY/b4AqJ1PHkGNFWceVOhJiKNuQa
kKqXQHek02udOXVXXIe66XSQV7Cs5RzJqaStrVnFcWpB/Vp2nIYc/iT/aXA=
-----END RSA PRIVATE KEY-----

Password Protected Keys

We’ve said that public keys can and usually have to be shared with the public in order for the other users to be able to encrypt the messages with your public key. After the messages are sent to you, you can decrypt them with your corresponding private key without providing any additional information. If an attacker is able to compromise your machine and get access to the private key, he will also be able to decrypt all the messages that were encrypted with the corresponding public key.

In most penetration tests or vulnerability assessments, we’ve come across numerous private/public keys. A penetration test is an attack on computer system or network in order to gain access to internal system and its data. After the reconnaissance phase, we’ve scanned the network for open ports in which we found a number of publicly available web applications. Despite certain security precautions used by some of the applications, we’ve been able to upload a shell on the server in order to be able to run arbitrary commands under the application or web server user. That gave us access to the actual file system, where we could search for interesting files; since we had the permissions of the web application, some directories were not browsable, so we couldn’t look inside. Despite that, we obtained certain private keys from /etc/ssh/, which didn’t have correct permissions. Normally, the files should be owned by root:root and have 600 permissions only to allow user root to access them. Since that wasn’t so in our case, the private keys were obtainable, and later we’ve figured out, they were actually used to access some other internal systems over SSH protocol. We were able to compromise the second server by using the private keys obtained on the first server.

I hope this emphasizes the importance of actually encrypting the private keys with an additional password. If that were the case on the server previously mentioned, we wouldn’t be able to compromise the second server because we would only have access to an encrypted private key. We could, however, bruteforce the password of the private key, but such operation is quite slow and normally fails, because a person encrypting the private key knows enough about security not to use a weak password that could easily get cracked. Additionally, the ssh-keygen itself will reject a weak password as we can see below, where we used a password “test” that doesn’t contain the minimum allowable number of characters.

# ssh-keygen -f mykey -b 4096
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
key_save_private: passphrase is too short (minimum four characters)
Saving the key failed: mykey.

Nevertheless, the password verification isn’t good enough, since we can choose a password “test123” that will easily be accepted by the ssh-keygen tool.

# ssh-keygen -f mykey2 -b 4096
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
00:dc:18:e2:31:87:1e:be:d5:6a:16:2a:67:d4:81:55 server@host
The key's randomart image is:
+---[RSA 4096]----+
|  +===E          |
| .+=+..          |
| o.o o.          |
|  + + ..         |
| . + o  S        |
|. = +            |
| + o             |
|                 |
|                 |
+-----------------+

We have to choose a strong password when creating a private key in order to store the key in encrypted form on the hard drive. Any program that wishes to use the private key must provide the password that was chosen when generating the key. An encrypted version of a key can be seen below.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,32864DAE2AD5C5F838F6DFCEBDEA103E

Q5NJXbEmvu/BFhE65KPdxQXyxTFK0uMKloSR5/XcBMggDnMpowy27amjAH77sz5U
4BDx73SENtca7EmB5f2gaHBOdA48kzYNFs0JMamwnTY1jQyLFIxrwWjtT5sR660L
MXO4vwgxUlSfOg7gQgKp7finJUR7zq4CPVDvWmHAtDk6SwtfNW1DsVS1F1+hwK+2
6JpfAYD8Tmvj3D86kKnlB5U+kc0VCV+mzdvliG+y9Q5lj9Fbbx718mtXUg09WBdW
YJLglWVWj4SYFWjg9Wa2XTm3oZDJ7nStvjFUO7Nz0kX+LTJ7uUHrMoXWrUtsKEtJ
B5XV6dO/opa7Le1W9EZ72ixmLY/4p6dVJNDMJx3GzEqtFQ179OpDjIGaFKy28KHy
Btb4sJu5TiB48es+cSM+Pgpp3D2mmV4EESN5mBUkTK0F287U+Tu/zuptmnKlgIhA
u68Mb5xmU1ZMAx6c9vLMnlLnWLfLhEjDsH6ml6rbxK7o/b20Z3L7kn3vAUdnNbuc
NVCotr+PMW4Dpl97j4SLCTL3Qs1XmEatvKE630cq72EBhG1tlqYULJYnSy5+mKdE
n7pSXjtCSKEalfRjRneJgX3fi82qQVZ8QALviSGK+LFIbJpHhwsIt3JpfRp3qEXe
HAU4WpfQQDRnunnPHY/NUdpR4H7lXNbURqkyelj2ASh+pbQK90x5QlPeSWqyI79Z
oL611E7KXJCpyRkwbd/FPCi554sTdMT6AkrMQWj6+/xyBwhHhJr6DiSEVoWZjL1p
F+fNwxyvMwlqsisOwwhUQiUNGQ49tKBoy1H8IovrhOhx6HxrFf5LmIU5fq/nPdda
zsiR+gdS6/UA9EQalBiwm109LfYzQC8ElXhoHK2NpVRCB9CAFOCoVJ6K1Xi0WDVQ
9hHq7Jor4Ngzq6EyhSMOAeXyuD/ltZDAU1KPLgBJzzu2jdhwqNqMX25QphA4PD/u
7lTVMmCUPNZt/44PniLdwg2jcndiA+VCiuAAT//svvw9D2d/Km02NOhNnGDc0Zvo
q+I3ZS18P5LsPI4QCJ7P53gMByMYrkgG4a7BxRfJtbDghqnzDeCpJie6aiXvJb6V
0xz3kE6r9tZ00QOn9RpKEkYR/fjbakvX70NUeRL22uVgkkwDpgYlWQHSzmXNyOtW
VDu1aWt2PA/7i4H4Hel71bKryCqLLHLlu/setLPHmvUeDJNyQYjj2c6Tr68B0lnu
Xl02sOHQq1IlQ/tdM6pqxzGIZ9Ax1qztarIxOIcEfI5UVFza60wk+vPWGTxQ26QH
rYrRL5ESjebQERxdsDwk2XZPagTtKo5XhHwgybzPpQw216TZ7T1WW/13YCbirYEQ
ws2gkikvaijA1dItJaZVwJhMdJecTX+xDqLI+lTv+IQnVyxOOuQayc1+WKChbsBX
AEZpnPB5ran1jwyaqEVopkRKitohBiJPEAG+7nrd6VCE7CEwzZZPVqs64+YQcbac
Fq1Fds7htim20OaNC7Tax9wggCFYyw6s9sA9oyqcDdbA6uOtfCmOrH+bnmt7Khwl
EIl8CQ794zVR5fTDa0/dIvefLylLQ3piCjk3J+M3rqLp6oPQA4dOWRzkDKbS7h5G
wOV9pQkaNdaeuPFfsJU5E7K2pC1UyJ4e25bjK/Y3Jg0Xw22LsFWDVUpOEPGpp2O4
mrRryWV/LWIFYHUAcuwKQH+cGqf62YiB5gUIiGLJAqOwjuLtM3bqpYZ+hwmuoAsl
Kn3nb5eKIs83/tPPJ4mVEsJ+R0fFkp0blfv8OaGWpsMBwjKi4TndhPuCB3bA9LJ2
QNxE96wDUJ6KoqpP1CYJjIyZ6eAGVRxph1b097xfe2uVcQNrwtlMSMWpy+j/eRXW
v/V1kekxOEBGixaWXnXFQNAEM8S2Sp+Jl1ZyoY52g1VKlsnJZCm1RCZl14ud+uZH
BfvPxBqBXlc5mg6hA3i2cJUGF++4Jdu5FUo1RZKGW7viD81uEry92aqQBrnVZPSE
FF6mlAO6eRgyTZPzGUP852Ji3I1UjTrGdYA4Vo9F9TOjo725NT3unrMUXKglSnB/
VEdE+pAVCu1W0RNiWksWR0S4KZ7nvgILiPnhJsBHNEBRr81xFLLOvX4XpcnLrud/
ysvPOMZHq13Rr+skdqRaoZj9d2m0SH4m8JhxS78NTzPd3rAmSoIkLdJ2tnLn8KYT
qCxWFISRxEUYHnIjDbJoP9eVTUBdJq/82OtcJYPVjt7fcFhE/w6BiK8i4Aim7pKA
GyuxkO9Flbw1m7BiPNYLNAWznvF6rBLqr3bp9aEhzdhU2Ah4c8ETt5mE4GjBqB7G
ND3PaowjqZMMAN9iu72CSxVTCGElffSZwO7RhYoXs07nJ0S4n9+ULkq1Z8SMqEZT
QNV7neczYg+vAer4OaLhche3Miw76PMAR9tjzmWyq3qkEqB+wTAWv+B+3lWZ93hm
Bq7k+3oHPgK3SvfskPDEoLQ49dew6ep7uUam0e3ySM/D/rNUnSRVO4JqXTK1YrOc
MBjOA1i9b5L5U9xKwBkmEGxSGDkSsEFkJO2VZ4Bjz06KWK0YAtSWP+OvCJ1HHjOh
aQHr60BMm24NWDVrZPUazsfj0eS/gsSvg1AvDmD/c/mwesJMQ5ha9V8NM6DYAVAY
V8H5q7ODtdjIZ7YNMxv6QALLMAA5cE76JBhFMc2GHvTlG9xPUlmTFYa4onMc6wvv
0vUTDImnsrQ4zibhsyYmMG+exi2z8WeTJMboHWVcbH2axgHalk4j4ijem0wqzF8M
cRGMv+gurCU+Nmmv+llgdQjHvB07/eRKVZfvo9Htt3j+FYBJ4/54o6UhOs1x2o9b
naemd9BeZ51JfI0V6h0zg0O3pphmynVnqRhPSZcIRvJsci6WOZWMANp9E9T/RsUf
m2jvGrn+9jdGxz3rtQYBvK0hnmIxEIkn2PTh0/fmFEsqFaLA9Ew1wt7l5jYcHbq3
8JwtY21bic4ILBVKYI4x0SlEzGX/5M+YxQnBBV1zunn8QEui7Sx5v0JBY/Rnx766
b2unDFukFHgyUUSYvchO+zmMIBuUgCDkoed5+PY6XcZUqhrXfTf/wf2PndSi741q
2w3oMjFPEeWeuWUpTvaDDA2kkn8UhQtafJomu9BCGzeOL7KKkZc45SAhtcFrpwYr
-----END RSA PRIVATE KEY-----

Key Strength

When passing the -b option to ssh-keygen, we can specify the number of bits in the key that will be created. Normally the following sizes are supported: 1024, 2048, 4096, etc. To generate an asymmetric RSA key, two prime numbers are selected and their product is calculated. The strength of the asymmetric encryption lies in the fact that it’s very easy to calculate the product of two randomly chosen prime numbers, but it’s fairly difficult to determine which of the two prime numbers were used if we know only their product. If an attacker can determine the two prime numbers somehow, he can calculate the private RSA key and break the cryptography.

An attacker can break the RSA by bruteforcing all the keys of certain size, but every number of certain size isn’t a RSA key, because it isn’t a product of two prime numbers. Therefore, even if the size of the key is quite larger than when using a symmetric key, there are actually less possibilities, which we have to bruteforce. If a product is a number of 2048 bits in size, then both prime numbers are around 1024 bits in size. A 128-bit symmetric key provides the same strength and therefore security as a 3248-bit asymmetric key [2].

Therefore, it’s advisable that we choose a 4096-bit asymmetric key length when generating the keys that will be used for authentication. We can do that by using the command below.

# ssh-keygen -f mykey2 -b 4096

An example private key consisting of 1024 bits can be seen below:

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDN7tW5GRy5wNHrAEOpko80fd6zrABqVQFsAQaqi0h8TgNScfX0
ynSzrBlqTEenHp6QUAS45OJ1gNDAxGlbX+pLVX+je2sr7aTrGrCeYxVhms0vln8x
8Nrfk2Axh1B0UHrPRx+TXg3rZcfq/3U1A8k9DUb4jsoBHdNHhiyBZRUZwQIDAQAB
AoGAYrkOqG/Lf5laiShVR6PFF0sISmY4xMD/r4FGatfe5giYOxv652FvVPs6K+Vp
rEpXhaN2wBSqI96fNOpz/6QZsyroe95UkXOPYp7iwEiTjQYp5/ixdfmiMBOnBwDX
/UDA9KJCEK6uGXzeB+t+iwLhECbV9oTYPHGI8fff/2slCwkCQQD5BiQ0BVy1Cfi3
SgICwcV7/MJW+cK6Ur/5T2OXgSa74WIEAx2l07ChebwrHoBpTXLFxTgpqmkySf0x
2ipUvEY7AkEA07OrQZe19e4OlC5YnxGtiyUeNKwmMj6Uh5vwC9Cv/QIzh8t1iMhE
fOYGuleZAIfsLThGwI5qKWLVvQKK3FuUMwJBANaEu9s0Y1Bxbpg2YNUPJ5hPfPp/
3Ye0kTurcBerYjqnRVA/fuLDIX146OgcNnKADUbhRihebJCtvDedwKmOJtECQQC+
tVYLSr3Sg9eCSZXwBh7OAGwLiyEFljZ7S1CddCt1wqvlIrYIuFBqK1XYO91LCycJ
PW8PO7wK+EwPbuDkzWLdAkEA4bx5fINl3NWLBvievrBDTXyZo6whxrB5tZK9Po8G
Lxm/OrMACYuyUcTMkgYhE12DFCQ61VXJbU7F3u5GY5LTdw==
-----END RSA PRIVATE KEY-----

An example private key consisting of 1024 bits can be seen below:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqkzWjlcyEC31pMRU6BnnzbyFGXm1uFx8vGrh/1bUImmJvuO8
s0Pg2vgt7iiLsOFyabaHR0kxanwDAjxG9Q0E+GkB02HL393TX8eVey0P75YbQMtL
kHOCNCq8XL4BJSd6ML0PcSu1VYhCXLojnnCznjwX8IqHAmtd+qLSTsFmDsi2+QUq
+REuy/nxs+0PxSJNszPcBYSlB3Kp9/uCC/EOKJXkkMsaNewqEd3epvGhevs/5/3Z
Eu+f7d6F5QzCNVtcYHPY7mON+o9pEWCVfiH/0ILfcw4oF052E9VQ0Ks+zLVmv+b5
6ZzpuDy4m1b+rQ78+EH+zIW7HChuRuvxRMoFbQIDAQABAoIBAQCOz2zFZN24r7Hl
ADdrg/3di4/aMzRubDC2GLN4Wqn+SZ6Xk4b0laGEPsbVhu7N3+EAQW7kGr7z2xby
0vV2HfrjDbvYNZSwIOdW1JnH95v7gFdOWKz/b73qXUQkSbnQHHDdWk4Oy2Z/WYq9
E+M2xK/7q80vjBt3re3bdpsCLDCXh98D2xrcg8JZ7OvBjedcomUC2ne871O4fFYF
mDX9YuJCqXMtJ9WN6qFyNEuM3TW5KBW6Uc7ldHfSSkKYwzTBeRhVi6e4r33fMaY0
GIr2yICLWBoTxDdzHyVtC0xbXzqtTCn2bvUHlW+Sxe0TKGrWrWrgQlNOHxIEmkZB
QlNiDDKBAoGBAN3IUnnc80ZqXvlIJ9/dKKZ9SnGHypiGI2aR5kLV6IT9bc0UTgNM
KRM8swbc4+1k5PmdAi2nwJXvLV18ClEhNxfiXNXLaZD3O3F2HTqnI/CCwrRBuId6
Hm9VUjZjV4cdr5YDCxkf7dzK4EgtpyfYWroRgpeVtLocg7idaoI/sAtdAoGBAMST
IeonnDG16TzAzQSOKwo+z6nJx3+WzUWbZgeYXwKulOfgrgFuXjnBV/soUhdK93iZ
OQU9WdmyNwStgzQGw6jOc5c+e0tvAcXsov11EoCuwd3xf5wgbnhmqCzZ9LXro6wv
/lwfX0B2paMmcFvLxMpVITmxbN0FXLgkdUqqllFRAoGAKPUgvh6e0sc8KN85de86
3ZxPzi2crZRAH2YcVwV3/m9rAq+YRKWhBEt2aHMMqL+0RaDIUTQkrcvQ3e3VXew7
Z27HZDg/k6UE1kxQ048gZP9RA8cLVAGqczcXirHH7Uz/Kz3+o7Iw1FCnIM1FjGc5
QhmPu3zLNn+jl8mCbPFkCoUCgYAiD8ykolByXK8Zk97ylx/mGpQpO4mSFjNjiFXZ
oxFziYTL2SbNoK47G8F/B7GRz6+p+gLjYYocKsFV0isV7MYijgOBhZYfsBCCl0p2
2L5oBeAZ8SrHhucdfcxOWUYJ79bgk0Bj/hunM+fnqVV20ow68x1avd+7PJ6gWdDp
Kz34wQKBgQC8X1yjXlagP+Js8mIiY6IeKQMKNwOGDCf0atCBZsfyz6SJ/1Ueiqpg
oFJCACx+mYkLEcks43BJ1bvXdzUMtFu7yBRZGJvmUYgiu4yFlFIgqzSoef8rMAjY
FM0oX88NeiKMjnEM4klMR+L8zjcvcg2ek5qwrbtfqyR4ld2EphOVRw==
-----END RSA PRIVATE KEY-----

An example private key consisting of 4096 bits can be seen below:

-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEAs97b02xeA+uwL+JKi1cSs+7HjlZAw6fi5SwQZhipILjHlCuU
LDxOa//YgxK+XId9YkIos8wrMh1VwewsHT3XlpxFLL3sVZuTYM2Tngb0/6kCW7zp
DQb8FZCIy9dn7BhL4Klym5ltyCaf7OgktyfE/vGV7+cqcrVF84lb3ZZ2wq7v3mq7
dKd+RCQ/RlfeVIzmluCZDIAZbPtHBwtW2dI53PPD8gmZm88Sg9hmxLwogxx6atrW
FOYYiOjnM4ceRVhfp55xF1O71fN42L/pdW41LtnTzFWmCAqJOpQjpV3ZqYd30Xnn
6XLDQ3zTerblCmzaK/N6QEiswD1QVrbLJ1qr67QREBlEHoAtbdQ5hiWNUPWb3FGZ
FrdL34e6aKoWJ++QUbCY+t9YjsQNN+b876VhYmEjpXccPN17BoaMkhE+xspmnCIE
VallHH17bo//QptJMYZsI4H1fWSmYY2eUs8doUYcQJSRqcpG8KlQHXLwCmP2NsSH
uEf3Vur2neOAT9e98CpMX9tEj3eMQaVxI+CfUadx91Xp+4BBadki0zS25mkHwMYu
bav8qUyuR/KQqIyiM802CuJPR8ZTGT6RUrPNklF7HqDjU4p1Ga0gzIqYOuZwSHYj
cTINs5ywkNOWCUKZrdpcquB0AIWVDXZu0z0gx40S+zOcw85DRnrKhEODdMUCAwEA
AQKCAgBrnfwyTBUYDWzVyXPGWKt1AnldHRgUuB8V9L4/B6QxUrz+VvCJYu+cyG+X
RKCmpd4L6v+FS7PQgSKtKwvd1wFlOExfD6cWNUYBVh5rH0h4qnshvi5FwBcVI+vk
4hVoecT0Pw22MR8w8IMg8Gf/OYkw7AREjC+mf/TBWD6hnoOhyZ70mTFdA1WVmYZO
JQZ92eug+/I2O3J69QCzI0Ksgo5iN2rWJo5EXal7Pv+F1/n5MBHCWvpZeK3XRFoI
R2CCJvTcSfzp8wxgXxK/xFr/CphBVszU5a24A+3FIZsONs+jEc1LhL+Puj0/5LB3
LHRvP19tinhre8/4GPc3WpjEDAjttR3o89WIAJdlT5Ry2NAbskwdcC/I8sq/lnve
Da1vYOTO+5KbT+IR+WvIQPf3O4sBRJxJChM+qfGOHHjsge+I8h2/s6F98zukYtxg
UIcBQM9G1hHwZm5alqZJz60CSgj+zkVa8ir6CU4+WsbJ3RIByI1aRoJ1bdABflc7
dR4yhhm6UNEa6ivZJpwqHWKelTLDem7CwqqWjnk5eFG6/eOKW7W10uqTR/YZnSj0
9GcQS7/MOGjcw8FfxdNh7vNnQJnTV0lRX3rwn0L1NtDKmyX74Qww7eT8EV9UUZWi
l7MHObyUAWkVAqfTi+Cm2RKaUPkguJ3625chAUIdvUL3bs6zwQKCAQEA4qquCP5H
JRFRLJpA35y6XEXfeW58uyjwR6Mx5BR/6j0i0goI8ttutMN51qa1F/BzqlWOvJvq
t13OwkCAMnfM0pAaMWl8PjNeU/HLJ6S/TB60TEK4utuQAhfWCbiJlsi66UF/rYQX
TA0//AO+HsP58YrcZ4uNyzvk0L60tlBsAqMybLCfThm1dvOOo9Rd6lylrmSNXsMA
231MGtB9se2CBkTTxJPppHkc4jG6YeDUEkQGlENRoN7xUd3uXEPV6QJzTIqS81AJ
rhpKWEd32UsnUAmF0lkQjb7UzQwGCFZ+HJOCjzv/qwzoDoCZ0G9pHHtZuo/PHfgE
0MNdqWJ9Br/IdQKCAQEAyyXaJirM0v0Z0koPiiVxJAV+/mC+aWdznq7mbup3OqTu
RWiv5sy5nQk2zwcrn9ge/zZNr3jn6U27m9njWoRWhA77kzjz9cOIcK7t94i+oYXo
T1sNZpTWhWvaxLC9amzUMP48bHTCHmGLRf/AwjqGxVqChcxUeoQgF5bO1/nGdstp
7VnC0KuEx3e0X65In6W6gTBf0SIFs/XBPyVtUuaxEjp9ivds7v1BF3uASIYr/AW2
PZiZZ3l+gEsY/jKt0RYwgKzghVYgURro3EaAmVmDf0NQ0rGgjLrlxyLTw5D6PmkO
QpMH2oydell5zo7ecMViAcNcLagPDNW/9wbw1q3xEQKCAQEAu8SMWyLZqNlJl1tJ
NnRM5Td0wtFGPnzRX2bPY5Ofy1lNyRVLCHPCp7fu7GQ5TFWCW654icHXlIL/TmfE
Swp3AE8jg59Qru46y+tXUcXmOpaM4Ue8Y/6Ss0kvo+ndAK3UOHpr3D+6VOP9BzXK
fw31taREpPo0QhGhoVL5vLWuZBjxIpzFuxsM+jcVCJ5aFlUdYvQlMET2Jt0K+IOS
PJz1w1+s1gF54Sf7R13OelqXE3KKyLNjoZJN8nWYiZIgV+ARx2xcA3dgLXvV7n91
xum87U6WLwRc9C8LdbjqHmoYGnAQDbu0NeyBJ9JcmRBR0KhWUnfjKX5V7uKIalMO
I1MoKQKCAQEAiF0oSmaAh0COjLJaLAlmIR/vVyHprydaXTJaTCnnTt5XcxAKw4q5
Lch5mg7eIbYZWIdDLn6ibeFYBg4Ep0YeLRdBmFmqqVZPyBQkePy5ugMBJgOgwzM1
rOnxOAbLnxzecuS1+reFdo9TxfEfm0FeJivTYaz/KB54zFzXC/MGXce9my2dsCTy
RFL+KRv8c+3ze7TVHLURzvMwfQrKj9N7GRlaHGZqISKvBuxH+GbYL5xF8KL2lpbf
a479f+TU+H1EoZtqOxbNKqQ9m19YA5gqxMqS/lttwgnTJBEkxSoUUMCEafv4UaQC
MZbORPFyL5DPcQ+KWLtvHtZ8vX1TPUgVgQKCAQEAnRCS8+3Y1TzyYcbXu7OvXlqg
tNVnlMG+Ke0P+nNz9GosYGBCLdrF3+hLcn7kbMuKQLCy3a1siJQ3xKrufZDXNWTB
Z7KL81ZCbkBBfaYJbdAmfGCt1zKlZ4xZwVO5QS+9A3lC9ntLt3+iDpsF6BRyZFg8
EJ/pRaCoGRgKrvwIyE0ajR5mAEqPjpd7n9d5DlzlS0NpZnc32+5KBePSk/6T0d7H
hKk8ckEJtDhYAjFTnjn3ttfcid2CL2G2inN7Yh9wN1wuG4qR+dHfvxqOPI59aidz
cuX8EZFXIphNYEDF+DL2dGgMlwoH6j+Ja3o3dwibm5QNef5m3pXIqEYa9Oau5A==
-----END RSA PRIVATE KEY-----

We can see the size of the private key actually increases when specifying different key sizes. By using a larger key size, we’re actually increasing the number of possibilities, which also increases the bruteforce time.

Reducing the Login Time

Whenever we start to use public/private keys, we may soon be annoyed by having to provide the password for the private keys all the time. In order to solve that issue, we can use ssh-agent, which is a daemon, whose sole purpose is to cache our decrypted private keys in memory for the duration of the session. The ssh command can communicate with the ssh-agent to provide the private keys, so the user doesn’t need to repeatedly provide the password.
Two environmental variables SSH_AUTH_SOCK and SSH_AGENT_PID are used in the shell in order to tell programs the settings of the ssh-agent process. Once the ssh-agent is started and the environmental variables are applied to the current shell, we can use ssh-add to add a private key to the cache.

# ssh-add mykey
Identity added: mykey (rsa w/o comment)

Then we can list the keys by using the “ssh-add -l” command as presented below.

# ssh-add -l
4096 39:ca:ec:af:b8:9f:79:7d:27:83:5f:fc:e1:2a:72:fd rsa w/o comment (RSA)

Afterwards, we can easily ssh to the cloud server by using the cached version of private key without providing the password. This gives us the best possible security, since all the keys stored on the filesystem are encrypted, but a cached copy of a private key is stored by ssh-agent for the duration of the session.

# ssh -i mykey user@host

Backing Up Keys

When having a number of private/public key pairs that we rely on, we have to have a secure backup solution. Failing to do so can result in being locked out of a cloud service or disable a way to decrypt the already encrypted files. The result of losing the private/public key pairs can be devastating, which is why we have to ensure we have a proper backup in place.

We can also use private/public keys as part of our backup solution as was described by this article. In the article, private/public keys are created and used by the bacula daemon in order to backup an encrypted version of files to the remote location. A part of the files can also be the private/public keys we created eariler.

Conclusion

The use of public/private keys has mushroomed, and is now being used by a number of protocols and applications. The primary reason for that is improving security, since keys provide a much better security than a password that was chosen by a user. Therefore, the importance of public/private keys is becoming more and more important and is being used to authentication to various cloud-based services.

In order to provide cloud services, we have to ensure we’re properly protecting our public/private keys, which can give an attacker keys to the kingdom. We’ve looked at various ways of how further to protect the keys in order to make the attacker’s job much more difficult. We have to keep in mind that an attacker having gained a private key can possibly log in to various cloud systems or decrypt possibly leaked encrypted data.

References

[1] The Secure Shell (SSH) Transport Layer Protocol, https://tools.ietf.org/html/rfc4253#section-6.6.
[2] Why some cryptographic keys are much smaller than others, https://blog.cloudflare.com/why-are-some-keys-small/.