In our daily lives, there are many services with which we have to use authentication in order to get access; be it personal services like our cloud email solutions, a social gathering service, business socializing websites, or enterprise services needed to do our jobs. Enterprises most often have to have access to the following services:
- Domain name service: it’s where all the records for their domains are kept and managed. An attacker having accessed the domain name service can change all their domain records to point to his own malicious website in order to disrupt the enterprise service and possibly even attack all of the visitors of the service.
- Dedicated servers: A company usually has many dedicated servers in different data centers around the world. A hacker who has gained access to a dedicated server can disrupt the service running on it, harvest user credentials from login requests coming over the network, or do something entirely different, like installing a backdoor into the system.
- Source code hosting: Software companies often use source code hosting in order to keep repositories for various projects online. This greatly simplifies the development and maintenance of source code repositories, but it may also allow an attacker to gain access and steal the source code of an application or a system.
- A website: A company can easily set up a website by using various platforms that already do most of the work for us. However, if the website allows user authentication, it should be run over TLS in order for a secure session to be established prior to entering the credentials.
All of the above services can be installed and maintained in a company's internal network by company administrators, but there are cloud service providers offering the same kind of services for free or for a small subscription fee. In any case, users have to access those services regularly in order to do their jobs. There are many ways a user can access the services, but the most secure option is to use public/private keys to obtain access.
To access various cloud-based services securely, we can use public-key cryptography, which uses two separate but corresponding keys: the public and the private key. The public key can be publicly disclosed and is used to encrypt a message, while the private key must be kept private and is used to decrypt it. Public-key cryptography is used in various protocols and infrastructure applications: connecting to a TLS-enabled website, connecting to a dedicated server through SSH, accessing a source code repository at a hosting provider, etc. Whenever we use git to push/pull source code changes from a repository or ssh to connect to a remote server, we're using public/private key pairs. Therefore, it's safe to conclude that public/private keys are used extensively and have to be properly protected to achieve the utmost security.
The public/private key pair can be generated with the ssh-keygen tool, which is part of the openssh package on Linux. On Windows, we can generate the keys with the PuTTY client, which also includes the PuTTYgen utility used for generating keys.
Let’s generate a simple public/private key by using the ssh-keygen command below and using the -f option, which specifies the filename of the key file.
```
# ssh-keygen -f mykey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
86:79:43:6a:c2:ab:34:2b:bf:7f:e1:63:5f:83:a4:42 user@server
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|                 |
|        .        |
|       . =       |
|      E = S      |
|     . +.= o     |
|    o o.... o    |
|   .. + .= . .   |
|     o=o.o o.    |
+-----------------+
```
The ssh-keygen command generated two files: the private key mykey and the public key mykey.pub, which has the .pub extension. The public key can be seen below and consists of several fields:
- Key format: specifies the format of the key; the following options are defined: ssh-dss, ssh-rsa, pgp-sign-rsa and pgp-sign-dss.
- Encoded Data: a base64-encoded public key.
- Additional information: usually specifies the user and server identifier about where the key was generated.
```
ssh-rsa [base64-encoded public key omitted] user@server
```
The private key mykey, which has no extension, can be seen below; it is a PEM (base64) encoding of a DER structure defined in ASN.1 syntax.
```
-----BEGIN RSA PRIVATE KEY-----
[base64-encoded key body omitted]
-----END RSA PRIVATE KEY-----
```
Password Protected Keys
We’ve said that public keys can and usually have to be shared with the public in order for the other users to be able to encrypt the messages with your public key. After the messages are sent to you, you can decrypt them with your corresponding private key without providing any additional information. If an attacker is able to compromise your machine and get access to the private key, he will also be able to decrypt all the messages that were encrypted with the corresponding public key.
In most penetration tests or vulnerability assessments, we come across numerous private/public keys. A penetration test is an attack on a computer system or network in order to gain access to internal systems and their data. After the reconnaissance phase, we scanned the network for open ports and found a number of publicly available web applications. Despite certain security precautions used by some of the applications, we were able to upload a shell to the server in order to run arbitrary commands as the application or web server user. That gave us access to the actual file system, where we could search for interesting files; since we only had the permissions of the web application user, some directories were not readable, so we couldn't look inside. Despite that, we obtained certain private keys from /etc/ssh/ which didn't have correct permissions. Normally, those files should be owned by root:root with mode 600, so that only root can read them. Since that wasn't the case here, the private keys were readable, and we later figured out that they were actually used to access other internal systems over SSH. We were able to compromise the second server by using the private keys obtained on the first server.
I hope this emphasizes the importance of encrypting private keys with an additional passphrase. If that had been the case on the server mentioned above, we wouldn't have been able to compromise the second server, because we would only have had an encrypted private key. We could, however, try to brute-force the passphrase, but such an operation is quite slow and normally fails, because a person who encrypts a private key knows enough about security not to choose a weak password that could easily be cracked. Additionally, ssh-keygen itself rejects a very short passphrase, as we can see below, where we used the password "test", which doesn't contain the minimum allowable number of characters.
```
# ssh-keygen -f mykey -b 4096
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
key_save_private: passphrase is too short (minimum four characters)
Saving the key failed: mykey.
```
Nevertheless, this check isn't good enough, since a password such as "test123" is readily accepted by the ssh-keygen tool.
```
# ssh-keygen -f mykey2 -b 4096
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
00:dc:18:e2:31:87:1e:be:d5:6a:16:2a:67:d4:81:55 server@host
The key's randomart image is:
+---[RSA 4096]----+
|     +===E       |
|    .+=+..       |
|    o.o o.       |
|     + + ..      |
|    . + o S      |
|   . = +         |
|    + o          |
|                 |
|                 |
+-----------------+
```
We have to choose a strong passphrase when creating a private key so that the key is stored in encrypted form on the hard drive. Any program that wishes to use the private key must then provide the passphrase that was chosen when the key was generated. An encrypted key can be seen below; the Proc-Type and DEK-Info headers mark it as encrypted and name the cipher used.
```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,32864DAE2AD5C5F838F6DFCEBDEA103E

[base64-encoded ciphertext omitted]
-----END RSA PRIVATE KEY-----
```
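As an added check (not part of the original post), the shell functions below flag the two weaknesses just described on a private key file: permissions looser than 600 and a key stored without a passphrase. They recognise the Proc-Type header of an encrypted PEM key as shown above, the PKCS#8 "ENCRYPTED PRIVATE KEY" armor, and the newer OpenSSH key format, whose cipher name is "none" for unprotected keys; the sample files are constructed inline with placeholder bodies, and GNU or BSD coreutils (stat, base64, od, awk) are assumed.

```sh
#!/bin/sh
# Added audit helper, not from the original post. Run as:
#   audit_private_key ~/.ssh/id_rsa

# key_is_encrypted FILE -> 0 if the key is passphrase-protected, 1 otherwise.
key_is_encrypted() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # OpenSSH format: the decoded body starts with the "openssh-key-v1"
        # magic followed by a length-prefixed cipher name; "none" means the
        # key is stored in clear. Length bytes are non-printable, so mapping
        # them to spaces leaves the cipher name as the second field.
        cipher=$(sed -n '/^-----BEGIN/,/^-----END/{/^-----/d;p;}' "$1" \
            | tr -d '\n' | base64 -d 2>/dev/null | head -c 48 \
            | tr -c '[:print:]' ' ' | awk '{print $2}')
        [ -n "$cipher" ] && [ "$cipher" != "none" ]
    else
        # PKCS#1 PEM keys carry Proc-Type/DEK-Info headers when encrypted;
        # PKCS#8 uses a distinct armor line instead.
        grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
    fi
}

# audit_private_key FILE -> prints one finding per line; returns 0 when clean.
audit_private_key() {
    findings=0
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) ;;
        *) echo "$1: mode $mode, expected 600 (owner only)"; findings=1 ;;
    esac
    if ! key_is_encrypted "$1"; then
        echo "$1: private key is not passphrase-protected"; findings=1
    fi
    return $findings
}

# make_samples DIR: constructed sample files for trying the audit offline.
# Key bodies and the DEK-Info IV are placeholders, not real key material.
make_samples() {
    d=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'PLACEHOLDER-CIPHERTEXT' '-----END RSA PRIVATE KEY-----' > "$d/encrypted_pem"
    chmod 600 "$d/encrypted_pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-PLAINTEXT' \
        '-----END RSA PRIVATE KEY-----' > "$d/plain_pem"
    chmod 644 "$d/plain_pem"
    # OpenSSH format, cipher "none", kdf "none": an unprotected key
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/plain_openssh"
    chmod 600 "$d/plain_openssh"
    # OpenSSH format, cipher "aes256-ctr", kdf "bcrypt": passphrase-protected
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/encrypted_openssh"
    chmod 600 "$d/encrypted_openssh"
}
```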
When passing the -b option to ssh-keygen, we can specify the number of bits in the key to be created. Normally the following sizes are supported: 1024, 2048, 4096, etc. To generate an RSA key, two prime numbers are selected and their product is calculated. The strength of the asymmetric encryption lies in the fact that it's very easy to calculate the product of two randomly chosen prime numbers, but very difficult to determine which two primes were used when only their product is known. If an attacker can somehow determine the two prime numbers, he can calculate the private RSA key and break the cryptography.
An attacker can break RSA by brute-forcing all keys of a given size, but not every number of that size is an RSA key, because not every number is a product of two primes. Therefore, even though the key is much larger than a symmetric key, there are actually fewer possibilities to brute-force. If the product is a 2048-bit number, then both primes are around 1024 bits in size. A 128-bit symmetric key provides the same strength, and therefore security, as a 3248-bit asymmetric key.
Therefore, it’s advisable that we choose a 4096-bit asymmetric key length when generating the keys that will be used for authentication. We can do that by using the command below.
```
# ssh-keygen -f mykey2 -b 4096
```
An example private key consisting of 1024 bits can be seen below:
```
-----BEGIN RSA PRIVATE KEY-----
[base64-encoded key body omitted]
-----END RSA PRIVATE KEY-----
```
An example private key consisting of 2048 bits can be seen below:
```
-----BEGIN RSA PRIVATE KEY-----
[base64-encoded key body omitted]
-----END RSA PRIVATE KEY-----
```
An example private key consisting of 4096 bits can be seen below:
```
-----BEGIN RSA PRIVATE KEY-----
[base64-encoded key body omitted]
-----END RSA PRIVATE KEY-----
```
We can see the size of the private key actually increases when specifying different key sizes. By using a larger key size, we’re actually increasing the number of possibilities, which also increases the bruteforce time.
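As an added example (not from the original post), the functions below read the modulus size of an unencrypted PKCS#1 RSA key straight from the DER structure mentioned above, so the bit length claimed by a key file can be verified without any SSH tooling. The three sample inputs are the first 24 base64 characters of the 1024-, 2048- and 4096-bit example keys from the post, which is enough of each key to reach the modulus length field; base64, od and cut from coreutils are assumed.

```sh
#!/bin/sh
# Added example, not from the original post. A PKCS#1 "RSA PRIVATE KEY" is
# a DER SEQUENCE { INTEGER version, INTEGER modulus n, INTEGER e, ... };
# only the first base64 line is decoded, so the private exponent and the
# primes are never touched. Run as: rsa_pem_bits ~/.ssh/id_rsa

# hex_at HEX OFFSET COUNT -> COUNT bytes of the hex string, starting at byte OFFSET
hex_at() {
    start=$(( $2 * 2 + 1 ))
    printf '%s' "$1" | cut -c"$start"-"$(( start + $3 * 2 - 1 ))"
}

# der_len HEX OFFSET -> "<length> <bytes used by the length field>"
# Short form (< 0x80) is one byte; long form 0x8N is followed by N length bytes.
der_len() {
    first=$(( 0x$(hex_at "$1" "$2" 1) ))
    if [ "$first" -lt 128 ]; then
        printf '%s 1\n' "$first"
    else
        n=$(( first - 128 ))
        printf '%s %s\n' $(( 0x$(hex_at "$1" $(( $2 + 1 )) "$n") )) $(( n + 1 ))
    fi
}

# rsa_bits_from_b64 FIRST_BASE64_LINE -> modulus size in bits; returns 1 if
# the bytes do not look like a PKCS#1 RSA private key.
rsa_bits_from_b64() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
    [ "${#hex}" -ge 24 ] || return 1
    [ "$(hex_at "$hex" 0 1)" = "30" ] || return 1          # outer SEQUENCE
    set -- $(der_len "$hex" 1)
    off=$(( 1 + $2 ))
    [ "$(hex_at "$hex" "$off" 3)" = "020100" ] || return 1  # INTEGER version 0
    off=$(( off + 3 ))
    [ "$(hex_at "$hex" "$off" 1)" = "02" ] || return 1      # INTEGER modulus
    set -- $(der_len "$hex" $(( off + 1 )))
    len=$1
    off=$(( off + 1 + $2 ))
    # DER integers are signed, so a modulus with its top bit set (always the
    # case for RSA) is prefixed with a 0x00 byte that is not part of n.
    [ "$(hex_at "$hex" "$off" 1)" = "00" ] && len=$(( len - 1 ))
    echo $(( len * 8 ))
}

# rsa_pem_bits FILE -> bits of the key stored in FILE (unencrypted PEM only;
# an encrypted key's body is ciphertext and carries no readable structure).
rsa_pem_bits() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "$1: key is passphrase-protected; decrypt it first" >&2
        return 1
    fi
    rsa_bits_from_b64 "$(grep -v -e '-----' -e ':' "$1" | head -n 1)"
}
```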
Reducing the Login Time
Whenever we start to use public/private keys, we may soon be annoyed by having to provide the passphrase for the private key all the time. To solve that, we can use ssh-agent, a daemon whose sole purpose is to cache our decrypted private keys in memory for the duration of the session. The ssh command communicates with ssh-agent to obtain the private keys, so the user doesn't need to repeatedly type the passphrase.
Two environment variables, SSH_AUTH_SOCK and SSH_AGENT_PID, are set in the shell to tell programs how to reach the ssh-agent process. Once ssh-agent is started and the environment variables are exported in the current shell, we can use ssh-add to add a private key to the cache.
```
# ssh-add mykey
Identity added: mykey (rsa w/o comment)
```
Then we can list the keys by using the “ssh-add -l” command as presented below.
```
# ssh-add -l
4096 39:ca:ec:af:b8:9f:79:7d:27:83:5f:fc:e1:2a:72:fd rsa w/o comment (RSA)
```
Afterwards, we can easily ssh to the cloud server using the cached private key without providing the passphrase. This gives us the best possible security, since all the keys stored on the filesystem remain encrypted, while a decrypted copy of a private key is held only in memory by ssh-agent for the duration of the session.
```
# ssh -i mykey user@host
```
Backing Up Keys
When we rely on a number of private/public key pairs, we have to have a secure backup solution. Failing to do so can result in being locked out of a cloud service or losing the ability to decrypt files that were already encrypted. The result of losing the private/public key pairs can be devastating, which is why we have to ensure a proper backup is in place.
We can also use private/public keys as part of our backup solution, as was described in this article. In that article, private/public keys are created and used by the bacula daemon in order to back up an encrypted version of files to a remote location. Among those files can be the private/public keys we created earlier.
The use of public/private keys has mushroomed, and they are now used by a number of protocols and applications. The primary reason is improved security, since keys provide much better security than a password chosen by a user. Therefore, public/private keys are becoming more and more important and are increasingly used for authentication to various cloud-based services.
In order to provide cloud services, we have to ensure we're properly protecting our public/private keys, which can otherwise give an attacker the keys to the kingdom. We've looked at various ways to further protect the keys in order to make the attacker's job much more difficult. We have to keep in mind that an attacker who has obtained a private key can possibly log in to various cloud systems or decrypt leaked encrypted data.
References
- The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, section 6.6: https://tools.ietf.org/html/rfc4253#section-6.6
- Why some cryptographic keys are much smaller than others: https://blog.cloudflare.com/why-are-some-keys-small/