
Securely Managing Public/Private Keys for Cloud Services

June 25, 2015, by Dejan Lukan

Introduction

In our daily lives there are many services we have to authenticate to in order to get access, be it personal services like cloud email, social networks and business networking sites, or the enterprise services needed to do our jobs. Enterprises most often need access to the following services:

  • Domain name service: this is where all the records for their domains are kept and managed. An attacker who has gained access to the domain name service can change all the domain records to point to his own malicious website, disrupting the enterprise service and possibly attacking all of its visitors.
  • Dedicated servers: a company usually has many dedicated servers in different data centers around the world. An attacker who has gained access to a dedicated server can disrupt the service running on it, obtain all user credentials from login requests coming over the network, or do something entirely different, like installing a backdoor into the system.
  • Source code hosting: software companies often use source code hosting to keep the repositories for their various projects online. This greatly simplifies the development and maintenance of source code repositories, but it may also allow an attacker to gain access and steal the source code of an application or system.
  • A website: a company can easily set up a website using one of the many platforms that already do most of the work. However, if the website allows user authentication, it should be served over TLS so that a secure session is established before the credentials are entered.

All of the above services can be installed and maintained in a company's internal network by its own administrators, but there are also cloud service providers offering the same kinds of services for free or for a small subscription fee. In any case, users have to access those services regularly in order to do their jobs. There are many ways a user can access the services, but the most secure way is to authenticate with public/private keys.


Public/Private Keys

To access various cloud-based services securely, we can use public-key cryptography, which uses two separate but corresponding keys: the public key and the private key. The public key can be disclosed publicly and is used to encrypt a message (or to verify a signature), while the private key must be kept secret and is used to decrypt the message (or to produce the signature). Public-key cryptography is used in many protocols and infrastructure applications: connecting to a TLS-enabled website, connecting to a dedicated server through SSH, accessing a source code repository at a hosting provider, and so on. Whenever we use git to push/pull source code changes to or from a repository over SSH, or use ssh to connect to a remote server, we're using public/private key pairs. It's therefore safe to conclude that public/private keys are used extensively and have to be properly protected.

The public/private key pair can be generated with the ssh-keygen tool, which is part of the OpenSSH package on Linux. On Windows, we can generate keys with the PuTTY client, which ships with the PuTTYgen utility for generating keys.

Let's generate a simple public/private key pair with the ssh-keygen command below, using the -f option to specify the filename of the key file.

[plain]
# ssh-keygen -f mykey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
86:79:43:6a:c2:ab:34:2b:bf:7f:e1:63:5f:83:a4:42 user@server
The key's randomart image is:
+---[RSA 4096]----+
| |
| |
| . |
| . = |
| E = S |
| . +.= o |
| o o.... o |
|.. + .= . . |
| o=o.o o. |
+-----------------+
[/plain]

The ssh-keygen command generated two files: the private key mykey and the public key mykey.pub, which has the .pub extension. The public key can be seen below and consists of several fields [1]:

  • Key format: specifies the format of the key; the options defined in the protocol are ssh-dss, ssh-rsa, pgp-sign-rsa and pgp-sign-dss.
  • Encoded data: the base64-encoded public key.
  • Additional information: a comment, usually the user and host identifier of where the key was generated.

[plain]
ssh-rsa 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 user@server
[/plain]
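To make the three fields concrete, here is an added Python example (my own code, not code from the article) that builds an OpenSSH public key line in the RFC 4253 wire format and parses one back: it splits the line into key type, base64 blob and comment, decodes the blob's length-prefixed fields (string "ssh-rsa", mpint e, mpint n), and checks that the type embedded in the blob matches the prefix. The modulus used for the sample line is a constructed number, not a real key, and all function names are mine.

```python
import base64
import struct

# Constructed sample values: e is the usual public exponent, n is just an odd
# number with bit 2047 set so it has 2048 bits. It is NOT a real RSA modulus.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x10001


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a leading 0x00 is added
    when the top bit is set so the value is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build 'ssh-rsa <base64(string "ssh-rsa", mpint e, mpint n)> <comment>'."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def read_string(buf: bytes, offset: int):
    """Read one length-prefixed field; return (bytes, offset after the field)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated field")
    return buf[start:start + length], start + length


def parse_pubkey_line(line: str) -> dict:
    """Split a public key line into its fields and decode the key blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-data> [comment]'")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(encoded, validate=True)
    embedded_type, offset = read_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError(f"prefix {key_type!r} does not match blob type "
                         f"{embedded_type!r}")
    info = {"type": key_type, "comment": comment}
    if key_type == "ssh-rsa":
        e_bytes, offset = read_string(blob, offset)
        n_bytes, offset = read_string(blob, offset)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def is_valid_pubkey_line(line: str) -> bool:
    """True when the line parses and the key type prefix matches the blob."""
    try:
        parse_pubkey_line(line)
        return True
    except (ValueError, UnicodeDecodeError, struct.error):
        return False


SAMPLE_LINE = build_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "user@server")

if __name__ == "__main__":
    print(parse_pubkey_line(SAMPLE_LINE))
```

The embedded-type check matters when reviewing authorized_keys files: the textual prefix is only a label, and the server trusts the type inside the blob, so a mismatch is a sign of a hand-edited or corrupted entry.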

The private key mykey, which has no extension, can be seen below; it is a PEM-encoded (base64) ASN.1 structure.

[plain]

-----BEGIN RSA PRIVATE KEY-----

MIIJKAIBAAKCAgEAtUK4W/BunuEGskwV0oXeTwlL5SppllWq2HdZVdE2U8OOwuch

QvqY/zbB/xGTO7yPS7xWdL4/FkctZOyph812XE4a+nvVc7FONmDrUwMrPEl5WfAW

nPwfeyt4NyrKUFgr9GHdR0DE1mfIRCxzy/uidJ4V2s8UDNg4Ir0RK4vI48y6i8Pk

+7cMDcwQsEupI7kWAYrh0oy2HVfhCL/mug1NbNeGJUB2LqOonInODhaLl7q6JeKa

YTvu285WK8P6OVwNlJreKubRRBKIMu5/jWmMqvP/kEXoUdWsJUM++DTKpJW5s4YB

6VQTMShaVMQSkdHfCmVcXCg+EJRpcpYTNV5fEZK0Jd0kDrHFb/UzWCD78Vxr8XXq

17M7J6IEoQEaCgIsd7wFwpCTtAzoBYAF+Zlck9RKtgEeWA6D/xNjutZu9ehAtCf4

94WzZzczoet5yLnBdp+sNwt9nQMResSlZa85L5Fgh+5urHe8bVcdCs7GF2BhHWwU

jLbDAg3NZ910HQijtOaFjXdkqZaTPJvG8mw0fiVOixrIAgcBqBxux0CL6X/zmGaP

TSMpYtqV2DhCqGp0Ftx9kEaoqjxCnXuRzKeGh4xrtCpfX+lckAtMOXQgfu6w2oX3

YdHuj71QPKwmGMl6kE28k+5ibN7+QxOf7Z4yfWxXJqrFesDeCwz5a2u6DpcCAwEA

AQKCAgAVaO0Xxv15/MBqvPvy4ucQVNvHFMxl+nZ0nRxLO6v8FuQ890oBfFIoCxK9

Cxll++69FmDr5zDSc9PT0PRxWv55Bqy/G3Np9+5yE96X7o7jzxXrXqV9I3ageND5

Sy+cb925PvoBGZBmdtm727hNxso4lhekwcLvhXaT+9sUVq2C4sLCEYBxjvx4gLsT

58vxsUH9Kqdj1EUKkD+/ZdNd9IZJredlbQjIl4IqA0j4dwdEA8VLBkoP5CFhiyy4

fKyIq+vaurQ1QxBCxyGZSnx8epQn+SwdoXRAfkmYGSpN7QZmjFzj7Jc7NTgTHV4W

FxbObIi41KIlLIewM6eE5l8cdaoq2Sk+x5HFlvzUwB6e5oS3o9N5dvWXFyeW0wfm

SBFoPI+cDF7MGbliybZslrEhV6QSS5OkV7vIx2KICcBrxx9m5cfqNBcMEeoh9BH5

XuitIIY3rZDE93C+atOkeIQCV4bAu5R4qU8X9Pa0aLoZPpvuQfHLBshr9nQa0eGs

VRwsKac0pStdCyin2/YGUvmQrQYpDDCL/v5RlHRy50QZ/uTGPYyDKNu0cMG5U9RF

6KRsix4OSxuPL02ahrRzl6pD0isOnX7f+4joVgXVdZpJhoVZ4aKyLsADFIbMZxv3

duIuij5cXMZWxIIKmn/Sez5fZgLgjBv1h8p5ZHIJ7BiAk/6IoQKCAQEA6VEC0u9A

i7tqh8DmjarZy7ojF8Kp+3r9EKWYZ8OkP+qG641E5JoaBZ5kx7BaFIL6n8UVZQxA

HZ5Ip4Q16YlP9WAo7B7PXl6Zq6sNGHvmeXBa7/HIPNU44vlEKMJPkxVV7Bh1aqHF

Dx4wPDCrQfW5h92Smv1CQSlpTNW4VsJ29TFxvJ0pk2E2sUN11kyiT2SF77AlNKHn

ztZd3XLuH/zt5wjko9dNudqgPa9NZUC75F3035XdayeemAtJh2aLY/M3frXm578Y

faTWciNwtv7BOcmMDYXqE8jZL61gXs3dEHe4Kx+yAKWOow7tVeJz09VCDVP1c9H4

S9Myb5oQqbUkMQKCAQEAxuIY3DhFvXSuyLW1bo4JOkbx+HZ8/yCzQu/OfrFdZJtH

B7yiS/zkTUqLOGSzxAjK2xnaTjfX4KY8ahJ2r+Aw318jjp6oTcCvDBTitZ+ZIBg4

TLujjEtmr56JWLRlMn4f4HAt1qaIfnS5AbTqKKuQN2zKZIFS5YJF2JjECYE5aVoL

ddZ1d404ePnZdNJ1MsbW9jxWXvqHhoM2i5u8dH/ddZKLojb6qr/Ch0kZ/W0ZjFEm

eui/S+sTXqtUeqOVP8a+qBnTIh8LCTpFo1p8L8JAszKlwyS3Ys9mqFhVWIBNCaQC

ucnoJqigCxvIVC7z+VC+7TuOe3C9/K8YkabDzpUVRwKCAQEA5AtCb1laBTmRzk5F

CoLLjczJMBgcfKihYPv6ErGugKqCZQkXJTlZ5dQDPQqpgRLkU/UWDEYFBO4IpXMc

Hr8PYA408VTL6rkcCiaODjhL9LZUq+HujUb66x4n+I6zqFdaPAFMAoVLTpN7IdmQ

ClBanul6ufKAJ6CKQ4dBPcuk6dMCEBCs6lhCVNBTBLqyilb+cmAAfYkiQZBU/nWv

OaTGAuM2Vs3CMr31kVUemLDE9VjAVyjr2ihHYuTlYWphI7g9raOtpSWqkmPjFnx9

Vt95jTnpoe4Z9GyDm44ie4dLYyUg5UV9fhRTbhzQ7PkBrTLr9Irzhdjcj4BF877q

OnXKgQKCAQBKAnFF4hrxua4hOp1dmrWMXkJFN7KkLkMHMb4iH1alzbLNCkFLDbzX

llngjnjnBm6WwjQez2EiVDo/LsfEAyWsufa9aAUxifaaBFupQs70xo6M33apCpYX

3GM4A0l1VMH//z7PlgFNLZp7LBvHLrDoLy/R3t4+UhAz3gV1lAUNU1jYbQohhwfw

3OkzM+4xCxWLZECv74LnZ4Swxy+GGt8KlZIot1TonZuCRI3LZQIQ2VH8gwhM9Bmt

LQyu5pjvtsHURGfxVqQAtxKbC10TWLJC/SH6UHt95bhKBTUdTgFdCQ+Km7wsRqvn

9lrCGQbpTEcAeR04imfo1C/MY8aR5aCZAoIBAEzL+Vaq0dGhhR0zyiPFblmP2k/p

A1tD1XbASlVisz00D2E2xmR7HF43Xq6byO2v8R5scR/ozJp5nko/1DXgcj8MXElZ

yU7YDX8FekCBYHcodvoR1v7eO0oyMS09D1eqXnPeZdZEaOprVKl2n17jsV7FhYw3

LWO6sDG9BadDKavF8cLqdQwNBE28/380OWMRTsnU6uBv+nUxPZpKVc2osZ5hcmTn

2iw2WfXV/f+8aEWNMZaO8jjGiJE3QDjgBprUZY/b4AqJ1PHkGNFWceVOhJiKNuQa

kKqXQHek02udOXVXXIe66XSQV7Cs5RzJqaStrVnFcWpB/Vp2nIYc/iT/aXA=

-----END RSA PRIVATE KEY-----

[/plain]

Password Protected Keys

We've said that public keys can, and usually have to, be shared with the public so that other users are able to encrypt messages with your public key. After the messages are sent to you, you can decrypt them with the corresponding private key without providing any additional information. If an attacker is able to compromise your machine and get access to the private key, he will also be able to decrypt all the messages that were encrypted with the corresponding public key.

In most penetration tests or vulnerability assessments, we've come across numerous private/public keys. A penetration test is an attack on a computer system or network in order to gain access to the internal system and its data. After the reconnaissance phase, we scanned the network for open ports, where we found a number of publicly available web applications. Despite certain security precautions used by some of the applications, we were able to upload a shell to the server in order to run arbitrary commands as the application or web server user. That gave us access to the actual file system, where we could search for interesting files; since we had only the permissions of the web application, some directories were not browsable, so we couldn't look inside them. Despite that, we obtained certain private keys from /etc/ssh/ which didn't have correct permissions. Normally, these files should be owned by root:root and have 600 permissions, so that only the root user can access them. Since that wasn't so in our case, the private keys were obtainable, and we later figured out that they were actually used to access some other internal systems over the SSH protocol. We were able to compromise the second server by using the private keys obtained on the first server.

I hope this emphasizes the importance of actually encrypting private keys with an additional password. If that had been the case on the server mentioned above, we wouldn't have been able to compromise the second server, because we would only have had access to an encrypted private key. We could, however, brute-force the password of the private key, but such an operation is quite slow and normally fails, because a person who encrypts a private key usually knows enough about security not to use a weak password that could easily be cracked. Additionally, ssh-keygen itself will reject a very short password, as we can see below, where we used the password "test", which doesn't contain the minimum allowable number of characters.

[plain]
# ssh-keygen -f mykey -b 4096
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
key_save_private: passphrase is too short (minimum four characters)
Saving the key failed: mykey.
[/plain]

Nevertheless, this password verification isn't good enough, since a password like "test123" will easily be accepted by ssh-keygen.

[plain]
# ssh-keygen -f mykey2 -b 4096
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
00:dc:18:e2:31:87:1e:be:d5:6a:16:2a:67:d4:81:55 server@host
The key's randomart image is:
+---[RSA 4096]----+
| +===E |
| .+=+.. |
| o.o o. |
| + + .. |
| . + o S |
|. = + |
| + o |
| |
| |
+-----------------+
[/plain]

We have to choose a strong password when creating a private key, so that the key is stored on disk in encrypted form. Any program that wishes to use the private key must then provide the password chosen when the key was generated. An encrypted version of a key can be seen below; the Proc-Type and DEK-Info headers mark it as encrypted and name the cipher used.

[plain]

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,32864DAE2AD5C5F838F6DFCEBDEA103E

Q5NJXbEmvu/BFhE65KPdxQXyxTFK0uMKloSR5/XcBMggDnMpowy27amjAH77sz5U

4BDx73SENtca7EmB5f2gaHBOdA48kzYNFs0JMamwnTY1jQyLFIxrwWjtT5sR660L

MXO4vwgxUlSfOg7gQgKp7finJUR7zq4CPVDvWmHAtDk6SwtfNW1DsVS1F1+hwK+2

6JpfAYD8Tmvj3D86kKnlB5U+kc0VCV+mzdvliG+y9Q5lj9Fbbx718mtXUg09WBdW

YJLglWVWj4SYFWjg9Wa2XTm3oZDJ7nStvjFUO7Nz0kX+LTJ7uUHrMoXWrUtsKEtJ

B5XV6dO/opa7Le1W9EZ72ixmLY/4p6dVJNDMJx3GzEqtFQ179OpDjIGaFKy28KHy

Btb4sJu5TiB48es+cSM+Pgpp3D2mmV4EESN5mBUkTK0F287U+Tu/zuptmnKlgIhA

u68Mb5xmU1ZMAx6c9vLMnlLnWLfLhEjDsH6ml6rbxK7o/b20Z3L7kn3vAUdnNbuc

NVCotr+PMW4Dpl97j4SLCTL3Qs1XmEatvKE630cq72EBhG1tlqYULJYnSy5+mKdE

n7pSXjtCSKEalfRjRneJgX3fi82qQVZ8QALviSGK+LFIbJpHhwsIt3JpfRp3qEXe

HAU4WpfQQDRnunnPHY/NUdpR4H7lXNbURqkyelj2ASh+pbQK90x5QlPeSWqyI79Z

oL611E7KXJCpyRkwbd/FPCi554sTdMT6AkrMQWj6+/xyBwhHhJr6DiSEVoWZjL1p

F+fNwxyvMwlqsisOwwhUQiUNGQ49tKBoy1H8IovrhOhx6HxrFf5LmIU5fq/nPdda

zsiR+gdS6/UA9EQalBiwm109LfYzQC8ElXhoHK2NpVRCB9CAFOCoVJ6K1Xi0WDVQ

9hHq7Jor4Ngzq6EyhSMOAeXyuD/ltZDAU1KPLgBJzzu2jdhwqNqMX25QphA4PD/u

7lTVMmCUPNZt/44PniLdwg2jcndiA+VCiuAAT//svvw9D2d/Km02NOhNnGDc0Zvo

q+I3ZS18P5LsPI4QCJ7P53gMByMYrkgG4a7BxRfJtbDghqnzDeCpJie6aiXvJb6V

0xz3kE6r9tZ00QOn9RpKEkYR/fjbakvX70NUeRL22uVgkkwDpgYlWQHSzmXNyOtW

VDu1aWt2PA/7i4H4Hel71bKryCqLLHLlu/setLPHmvUeDJNyQYjj2c6Tr68B0lnu

Xl02sOHQq1IlQ/tdM6pqxzGIZ9Ax1qztarIxOIcEfI5UVFza60wk+vPWGTxQ26QH

rYrRL5ESjebQERxdsDwk2XZPagTtKo5XhHwgybzPpQw216TZ7T1WW/13YCbirYEQ

ws2gkikvaijA1dItJaZVwJhMdJecTX+xDqLI+lTv+IQnVyxOOuQayc1+WKChbsBX

AEZpnPB5ran1jwyaqEVopkRKitohBiJPEAG+7nrd6VCE7CEwzZZPVqs64+YQcbac

Fq1Fds7htim20OaNC7Tax9wggCFYyw6s9sA9oyqcDdbA6uOtfCmOrH+bnmt7Khwl

EIl8CQ794zVR5fTDa0/dIvefLylLQ3piCjk3J+M3rqLp6oPQA4dOWRzkDKbS7h5G

wOV9pQkaNdaeuPFfsJU5E7K2pC1UyJ4e25bjK/Y3Jg0Xw22LsFWDVUpOEPGpp2O4

mrRryWV/LWIFYHUAcuwKQH+cGqf62YiB5gUIiGLJAqOwjuLtM3bqpYZ+hwmuoAsl

Kn3nb5eKIs83/tPPJ4mVEsJ+R0fFkp0blfv8OaGWpsMBwjKi4TndhPuCB3bA9LJ2

QNxE96wDUJ6KoqpP1CYJjIyZ6eAGVRxph1b097xfe2uVcQNrwtlMSMWpy+j/eRXW

v/V1kekxOEBGixaWXnXFQNAEM8S2Sp+Jl1ZyoY52g1VKlsnJZCm1RCZl14ud+uZH

BfvPxBqBXlc5mg6hA3i2cJUGF++4Jdu5FUo1RZKGW7viD81uEry92aqQBrnVZPSE

FF6mlAO6eRgyTZPzGUP852Ji3I1UjTrGdYA4Vo9F9TOjo725NT3unrMUXKglSnB/

VEdE+pAVCu1W0RNiWksWR0S4KZ7nvgILiPnhJsBHNEBRr81xFLLOvX4XpcnLrud/

ysvPOMZHq13Rr+skdqRaoZj9d2m0SH4m8JhxS78NTzPd3rAmSoIkLdJ2tnLn8KYT

qCxWFISRxEUYHnIjDbJoP9eVTUBdJq/82OtcJYPVjt7fcFhE/w6BiK8i4Aim7pKA

GyuxkO9Flbw1m7BiPNYLNAWznvF6rBLqr3bp9aEhzdhU2Ah4c8ETt5mE4GjBqB7G

ND3PaowjqZMMAN9iu72CSxVTCGElffSZwO7RhYoXs07nJ0S4n9+ULkq1Z8SMqEZT

QNV7neczYg+vAer4OaLhche3Miw76PMAR9tjzmWyq3qkEqB+wTAWv+B+3lWZ93hm

Bq7k+3oHPgK3SvfskPDEoLQ49dew6ep7uUam0e3ySM/D/rNUnSRVO4JqXTK1YrOc

MBjOA1i9b5L5U9xKwBkmEGxSGDkSsEFkJO2VZ4Bjz06KWK0YAtSWP+OvCJ1HHjOh

aQHr60BMm24NWDVrZPUazsfj0eS/gsSvg1AvDmD/c/mwesJMQ5ha9V8NM6DYAVAY

V8H5q7ODtdjIZ7YNMxv6QALLMAA5cE76JBhFMc2GHvTlG9xPUlmTFYa4onMc6wvv

0vUTDImnsrQ4zibhsyYmMG+exi2z8WeTJMboHWVcbH2axgHalk4j4ijem0wqzF8M

cRGMv+gurCU+Nmmv+llgdQjHvB07/eRKVZfvo9Htt3j+FYBJ4/54o6UhOs1x2o9b

naemd9BeZ51JfI0V6h0zg0O3pphmynVnqRhPSZcIRvJsci6WOZWMANp9E9T/RsUf

m2jvGrn+9jdGxz3rtQYBvK0hnmIxEIkn2PTh0/fmFEsqFaLA9Ew1wt7l5jYcHbq3

8JwtY21bic4ILBVKYI4x0SlEzGX/5M+YxQnBBV1zunn8QEui7Sx5v0JBY/Rnx766

b2unDFukFHgyUUSYvchO+zmMIBuUgCDkoed5+PY6XcZUqhrXfTf/wf2PndSi741q

2w3oMjFPEeWeuWUpTvaDDA2kkn8UhQtafJomu9BCGzeOL7KKkZc45SAhtcFrpwYr

-----END RSA PRIVATE KEY-----

[/plain]

Key Strength

When passing the -b option to ssh-keygen, we can specify the number of bits in the key that will be created. Normally the following sizes are supported: 1024, 2048, 4096, etc. To generate an RSA key pair, two large prime numbers are selected and their product is calculated. The strength of the asymmetric encryption lies in the fact that it's very easy to calculate the product of two randomly chosen prime numbers, but it's very hard to determine which two primes were used if we know only their product. If an attacker can somehow determine the two prime numbers, he can calculate the private RSA key and break the cryptography.

An attacker could break RSA by brute-forcing all keys of a certain size, but not every number of that size is an RSA modulus, because not every number is a product of two primes. Therefore, even though the key size is much larger than a symmetric key's, there are actually fewer possibilities to brute-force. If the product is a 2048-bit number, then both prime numbers are around 1024 bits in size. A 128-bit symmetric key provides the same strength, and therefore the same security, as a 3248-bit asymmetric key [2].

It's therefore advisable to choose a 4096-bit key length when generating keys that will be used for authentication. We can do that with the command below.

[plain]
# ssh-keygen -f mykey2 -b 4096
[/plain]

An example private key consisting of 1024 bits can be seen below:

[plain]

-----BEGIN RSA PRIVATE KEY-----

MIICXgIBAAKBgQDN7tW5GRy5wNHrAEOpko80fd6zrABqVQFsAQaqi0h8TgNScfX0

ynSzrBlqTEenHp6QUAS45OJ1gNDAxGlbX+pLVX+je2sr7aTrGrCeYxVhms0vln8x

8Nrfk2Axh1B0UHrPRx+TXg3rZcfq/3U1A8k9DUb4jsoBHdNHhiyBZRUZwQIDAQAB

AoGAYrkOqG/Lf5laiShVR6PFF0sISmY4xMD/r4FGatfe5giYOxv652FvVPs6K+Vp

rEpXhaN2wBSqI96fNOpz/6QZsyroe95UkXOPYp7iwEiTjQYp5/ixdfmiMBOnBwDX

/UDA9KJCEK6uGXzeB+t+iwLhECbV9oTYPHGI8fff/2slCwkCQQD5BiQ0BVy1Cfi3

SgICwcV7/MJW+cK6Ur/5T2OXgSa74WIEAx2l07ChebwrHoBpTXLFxTgpqmkySf0x

2ipUvEY7AkEA07OrQZe19e4OlC5YnxGtiyUeNKwmMj6Uh5vwC9Cv/QIzh8t1iMhE

fOYGuleZAIfsLThGwI5qKWLVvQKK3FuUMwJBANaEu9s0Y1Bxbpg2YNUPJ5hPfPp/

3Ye0kTurcBerYjqnRVA/fuLDIX146OgcNnKADUbhRihebJCtvDedwKmOJtECQQC+

tVYLSr3Sg9eCSZXwBh7OAGwLiyEFljZ7S1CddCt1wqvlIrYIuFBqK1XYO91LCycJ

PW8PO7wK+EwPbuDkzWLdAkEA4bx5fINl3NWLBvievrBDTXyZo6whxrB5tZK9Po8G

Lxm/OrMACYuyUcTMkgYhE12DFCQ61VXJbU7F3u5GY5LTdw==

-----END RSA PRIVATE KEY-----

[/plain]

An example private key consisting of 2048 bits can be seen below:

[plain]

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAqkzWjlcyEC31pMRU6BnnzbyFGXm1uFx8vGrh/1bUImmJvuO8

s0Pg2vgt7iiLsOFyabaHR0kxanwDAjxG9Q0E+GkB02HL393TX8eVey0P75YbQMtL

kHOCNCq8XL4BJSd6ML0PcSu1VYhCXLojnnCznjwX8IqHAmtd+qLSTsFmDsi2+QUq

+REuy/nxs+0PxSJNszPcBYSlB3Kp9/uCC/EOKJXkkMsaNewqEd3epvGhevs/5/3Z

Eu+f7d6F5QzCNVtcYHPY7mON+o9pEWCVfiH/0ILfcw4oF052E9VQ0Ks+zLVmv+b5

6ZzpuDy4m1b+rQ78+EH+zIW7HChuRuvxRMoFbQIDAQABAoIBAQCOz2zFZN24r7Hl

ADdrg/3di4/aMzRubDC2GLN4Wqn+SZ6Xk4b0laGEPsbVhu7N3+EAQW7kGr7z2xby

0vV2HfrjDbvYNZSwIOdW1JnH95v7gFdOWKz/b73qXUQkSbnQHHDdWk4Oy2Z/WYq9

E+M2xK/7q80vjBt3re3bdpsCLDCXh98D2xrcg8JZ7OvBjedcomUC2ne871O4fFYF

mDX9YuJCqXMtJ9WN6qFyNEuM3TW5KBW6Uc7ldHfSSkKYwzTBeRhVi6e4r33fMaY0

GIr2yICLWBoTxDdzHyVtC0xbXzqtTCn2bvUHlW+Sxe0TKGrWrWrgQlNOHxIEmkZB

QlNiDDKBAoGBAN3IUnnc80ZqXvlIJ9/dKKZ9SnGHypiGI2aR5kLV6IT9bc0UTgNM

KRM8swbc4+1k5PmdAi2nwJXvLV18ClEhNxfiXNXLaZD3O3F2HTqnI/CCwrRBuId6

Hm9VUjZjV4cdr5YDCxkf7dzK4EgtpyfYWroRgpeVtLocg7idaoI/sAtdAoGBAMST

IeonnDG16TzAzQSOKwo+z6nJx3+WzUWbZgeYXwKulOfgrgFuXjnBV/soUhdK93iZ

OQU9WdmyNwStgzQGw6jOc5c+e0tvAcXsov11EoCuwd3xf5wgbnhmqCzZ9LXro6wv

/lwfX0B2paMmcFvLxMpVITmxbN0FXLgkdUqqllFRAoGAKPUgvh6e0sc8KN85de86

3ZxPzi2crZRAH2YcVwV3/m9rAq+YRKWhBEt2aHMMqL+0RaDIUTQkrcvQ3e3VXew7

Z27HZDg/k6UE1kxQ048gZP9RA8cLVAGqczcXirHH7Uz/Kz3+o7Iw1FCnIM1FjGc5

QhmPu3zLNn+jl8mCbPFkCoUCgYAiD8ykolByXK8Zk97ylx/mGpQpO4mSFjNjiFXZ

oxFziYTL2SbNoK47G8F/B7GRz6+p+gLjYYocKsFV0isV7MYijgOBhZYfsBCCl0p2

2L5oBeAZ8SrHhucdfcxOWUYJ79bgk0Bj/hunM+fnqVV20ow68x1avd+7PJ6gWdDp

Kz34wQKBgQC8X1yjXlagP+Js8mIiY6IeKQMKNwOGDCf0atCBZsfyz6SJ/1Ueiqpg

oFJCACx+mYkLEcks43BJ1bvXdzUMtFu7yBRZGJvmUYgiu4yFlFIgqzSoef8rMAjY

FM0oX88NeiKMjnEM4klMR+L8zjcvcg2ek5qwrbtfqyR4ld2EphOVRw==

-----END RSA PRIVATE KEY-----

[/plain]

An example private key consisting of 4096 bits can be seen below:

[plain]

-----BEGIN RSA PRIVATE KEY-----

MIIJKgIBAAKCAgEAs97b02xeA+uwL+JKi1cSs+7HjlZAw6fi5SwQZhipILjHlCuU

LDxOa//YgxK+XId9YkIos8wrMh1VwewsHT3XlpxFLL3sVZuTYM2Tngb0/6kCW7zp

DQb8FZCIy9dn7BhL4Klym5ltyCaf7OgktyfE/vGV7+cqcrVF84lb3ZZ2wq7v3mq7

dKd+RCQ/RlfeVIzmluCZDIAZbPtHBwtW2dI53PPD8gmZm88Sg9hmxLwogxx6atrW

FOYYiOjnM4ceRVhfp55xF1O71fN42L/pdW41LtnTzFWmCAqJOpQjpV3ZqYd30Xnn

6XLDQ3zTerblCmzaK/N6QEiswD1QVrbLJ1qr67QREBlEHoAtbdQ5hiWNUPWb3FGZ

FrdL34e6aKoWJ++QUbCY+t9YjsQNN+b876VhYmEjpXccPN17BoaMkhE+xspmnCIE

VallHH17bo//QptJMYZsI4H1fWSmYY2eUs8doUYcQJSRqcpG8KlQHXLwCmP2NsSH

uEf3Vur2neOAT9e98CpMX9tEj3eMQaVxI+CfUadx91Xp+4BBadki0zS25mkHwMYu

bav8qUyuR/KQqIyiM802CuJPR8ZTGT6RUrPNklF7HqDjU4p1Ga0gzIqYOuZwSHYj

cTINs5ywkNOWCUKZrdpcquB0AIWVDXZu0z0gx40S+zOcw85DRnrKhEODdMUCAwEA

AQKCAgBrnfwyTBUYDWzVyXPGWKt1AnldHRgUuB8V9L4/B6QxUrz+VvCJYu+cyG+X

RKCmpd4L6v+FS7PQgSKtKwvd1wFlOExfD6cWNUYBVh5rH0h4qnshvi5FwBcVI+vk

4hVoecT0Pw22MR8w8IMg8Gf/OYkw7AREjC+mf/TBWD6hnoOhyZ70mTFdA1WVmYZO

JQZ92eug+/I2O3J69QCzI0Ksgo5iN2rWJo5EXal7Pv+F1/n5MBHCWvpZeK3XRFoI

R2CCJvTcSfzp8wxgXxK/xFr/CphBVszU5a24A+3FIZsONs+jEc1LhL+Puj0/5LB3

LHRvP19tinhre8/4GPc3WpjEDAjttR3o89WIAJdlT5Ry2NAbskwdcC/I8sq/lnve

Da1vYOTO+5KbT+IR+WvIQPf3O4sBRJxJChM+qfGOHHjsge+I8h2/s6F98zukYtxg

UIcBQM9G1hHwZm5alqZJz60CSgj+zkVa8ir6CU4+WsbJ3RIByI1aRoJ1bdABflc7

dR4yhhm6UNEa6ivZJpwqHWKelTLDem7CwqqWjnk5eFG6/eOKW7W10uqTR/YZnSj0

9GcQS7/MOGjcw8FfxdNh7vNnQJnTV0lRX3rwn0L1NtDKmyX74Qww7eT8EV9UUZWi

l7MHObyUAWkVAqfTi+Cm2RKaUPkguJ3625chAUIdvUL3bs6zwQKCAQEA4qquCP5H

JRFRLJpA35y6XEXfeW58uyjwR6Mx5BR/6j0i0goI8ttutMN51qa1F/BzqlWOvJvq

t13OwkCAMnfM0pAaMWl8PjNeU/HLJ6S/TB60TEK4utuQAhfWCbiJlsi66UF/rYQX

TA0//AO+HsP58YrcZ4uNyzvk0L60tlBsAqMybLCfThm1dvOOo9Rd6lylrmSNXsMA

231MGtB9se2CBkTTxJPppHkc4jG6YeDUEkQGlENRoN7xUd3uXEPV6QJzTIqS81AJ

rhpKWEd32UsnUAmF0lkQjb7UzQwGCFZ+HJOCjzv/qwzoDoCZ0G9pHHtZuo/PHfgE

0MNdqWJ9Br/IdQKCAQEAyyXaJirM0v0Z0koPiiVxJAV+/mC+aWdznq7mbup3OqTu

RWiv5sy5nQk2zwcrn9ge/zZNr3jn6U27m9njWoRWhA77kzjz9cOIcK7t94i+oYXo

T1sNZpTWhWvaxLC9amzUMP48bHTCHmGLRf/AwjqGxVqChcxUeoQgF5bO1/nGdstp

7VnC0KuEx3e0X65In6W6gTBf0SIFs/XBPyVtUuaxEjp9ivds7v1BF3uASIYr/AW2

PZiZZ3l+gEsY/jKt0RYwgKzghVYgURro3EaAmVmDf0NQ0rGgjLrlxyLTw5D6PmkO

QpMH2oydell5zo7ecMViAcNcLagPDNW/9wbw1q3xEQKCAQEAu8SMWyLZqNlJl1tJ

NnRM5Td0wtFGPnzRX2bPY5Ofy1lNyRVLCHPCp7fu7GQ5TFWCW654icHXlIL/TmfE

Swp3AE8jg59Qru46y+tXUcXmOpaM4Ue8Y/6Ss0kvo+ndAK3UOHpr3D+6VOP9BzXK

fw31taREpPo0QhGhoVL5vLWuZBjxIpzFuxsM+jcVCJ5aFlUdYvQlMET2Jt0K+IOS

PJz1w1+s1gF54Sf7R13OelqXE3KKyLNjoZJN8nWYiZIgV+ARx2xcA3dgLXvV7n91

xum87U6WLwRc9C8LdbjqHmoYGnAQDbu0NeyBJ9JcmRBR0KhWUnfjKX5V7uKIalMO

I1MoKQKCAQEAiF0oSmaAh0COjLJaLAlmIR/vVyHprydaXTJaTCnnTt5XcxAKw4q5

Lch5mg7eIbYZWIdDLn6ibeFYBg4Ep0YeLRdBmFmqqVZPyBQkePy5ugMBJgOgwzM1

rOnxOAbLnxzecuS1+reFdo9TxfEfm0FeJivTYaz/KB54zFzXC/MGXce9my2dsCTy

RFL+KRv8c+3ze7TVHLURzvMwfQrKj9N7GRlaHGZqISKvBuxH+GbYL5xF8KL2lpbf

a479f+TU+H1EoZtqOxbNKqQ9m19YA5gqxMqS/lttwgnTJBEkxSoUUMCEafv4UaQC

MZbORPFyL5DPcQ+KWLtvHtZ8vX1TPUgVgQKCAQEAnRCS8+3Y1TzyYcbXu7OvXlqg

tNVnlMG+Ke0P+nNz9GosYGBCLdrF3+hLcn7kbMuKQLCy3a1siJQ3xKrufZDXNWTB

Z7KL81ZCbkBBfaYJbdAmfGCt1zKlZ4xZwVO5QS+9A3lC9ntLt3+iDpsF6BRyZFg8

EJ/pRaCoGRgKrvwIyE0ajR5mAEqPjpd7n9d5DlzlS0NpZnc32+5KBePSk/6T0d7H

hKk8ckEJtDhYAjFTnjn3ttfcid2CL2G2inN7Yh9wN1wuG4qR+dHfvxqOPI59aidz

cuX8EZFXIphNYEDF+DL2dGgMlwoH6j+Ja3o3dwibm5QNef5m3pXIqEYa9Oau5A==

-----END RSA PRIVATE KEY-----

[/plain]

We can see that the size of the private key file increases as we specify larger key sizes. By using a larger key, we increase the number of possibilities, which also increases the brute-force time.
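The three things checked so far (file permissions, from the /etc/ssh story; passphrase protection, from the Proc-Type/DEK-Info headers; and modulus size, from the -b option) can be folded into one audit script. The following is an added Python example, my own code rather than anything from the article: it reads a PEM private key, looks at its file mode, classifies it as encrypted or plaintext from the headers, and for plaintext keys decodes the base64 body and reads the modulus INTEGER out of the PKCS#1 RSAPrivateKey SEQUENCE to get the bit size. The sample key files it writes are constructed (a dummy modulus in the right DER layout, and placeholder ciphertext for the encrypted one); they are not usable keys, and the function names are mine.

```python
import base64
import os
import stat
import tempfile
from typing import Dict, List, Tuple

def der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value with the top bit set positive."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + der_len(len(raw)) + raw

def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value triple; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: count of length bytes follows
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, buf[off:off + length], off + length

def rsa_modulus_bits(der: bytes) -> int:
    """RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _version, off = read_tlv(body, 0)
    tag, modulus, _ = read_tlv(body, off)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def parse_pem(text: str) -> Tuple[Dict[str, str], bytes]:
    """Split a PEM block into its headers (Proc-Type, DEK-Info, ...) and decoded body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    headers, body = {}, []
    for ln in lines[1:-1]:
        if ":" in ln and not body:          # header lines precede the base64 body
            key, value = ln.split(":", 1)
            headers[key.strip()] = value.strip()
        elif ln:
            body.append(ln)
    return headers, base64.b64decode("".join(body))

def audit_private_key(path: str) -> Dict[str, object]:
    """File mode, passphrase protection and (for plaintext keys) modulus size."""
    problems: List[str] = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.filemode(mode)} lets group/other read the key; expected 0600")
    with open(path) as f:
        headers, der = parse_pem(f.read())
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    report: Dict[str, object] = {"path": path, "encrypted": encrypted}
    if encrypted:
        report["cipher"] = headers.get("DEK-Info", "").split(",")[0]
    else:
        problems.append("key is stored without a passphrase")
        bits = rsa_modulus_bits(der)
        report["bits"] = bits
        if bits < 4096:
            problems.append(f"{bits}-bit RSA key is below the recommended 4096 bits")
    report["problems"] = problems
    return report

def make_plain_key(bits: int) -> str:
    """Constructed PKCS#1 layout around a dummy modulus of the requested size; NOT a usable key."""
    n = (1 << (bits - 1)) | 1
    body = der_int(0) + der_int(n) + der_int(65537) + der_int(1) * 6
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{wrapped}\n-----END RSA PRIVATE KEY-----\n"

# Constructed encrypted-key file: the headers ssh-keygen writes, with placeholder ciphertext.
ENCRYPTED_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    + base64.b64encode(b"\x00" * 48).decode()
                    + "\n-----END RSA PRIVATE KEY-----\n")

def demo() -> Dict[str, Dict[str, object]]:
    """Write three constructed key files into a temp dir and audit them."""
    workdir = tempfile.mkdtemp()
    samples = {"weak_plain_1024": (make_plain_key(1024), 0o644),
               "strong_plain_4096": (make_plain_key(4096), 0o600),
               "encrypted": (ENCRYPTED_SAMPLE, 0o600)}
    results = {}
    for name, (text, mode) in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)
        results[name] = audit_private_key(path)
    return results

if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Point it at ~/.ssh or /etc/ssh by swapping the temp dir in demo() for the real directory. The DER reader handles the traditional "BEGIN RSA PRIVATE KEY" container shown in the article; newer OpenSSH releases write a different "BEGIN OPENSSH PRIVATE KEY" container by default, which this script does not parse (ssh-keygen -m PEM still produces the traditional one).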

Reducing the Login Time

Once we start using public/private keys, we may soon be annoyed by having to provide the password for the private key all the time. To solve that, we can use ssh-agent, a daemon whose sole purpose is to cache our decrypted private keys in memory for the duration of the session. The ssh command can communicate with ssh-agent to obtain the private keys, so the user doesn't need to provide the password repeatedly.
Two environment variables, SSH_AUTH_SOCK and SSH_AGENT_PID, are set in the shell to tell programs where the ssh-agent process is listening and what its process id is. Once ssh-agent is started and the environment variables are applied to the current shell, we can use ssh-add to add a private key to the cache.

[plain]
# ssh-add mykey
Identity added: mykey (rsa w/o comment)
[/plain]

Then we can list the cached keys with the "ssh-add -l" command, as shown below.

[plain]
# ssh-add -l
4096 39:ca:ec:af:b8:9f:79:7d:27:83:5f:fc:e1:2a:72:fd rsa w/o comment (RSA)
[/plain]

Afterwards, we can ssh to the cloud server using the cached copy of the private key without providing the password. This gives us a good level of security, since all the keys stored on the filesystem remain encrypted; only the cached copy of a private key is held by ssh-agent, and only for the duration of the session.

[plain]
# ssh -i mykey user@host
[/plain]
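As an added illustration (my own code, not the article's) of how ssh and ssh-add talk to ssh-agent over the socket named by SSH_AUTH_SOCK, here is the exchange behind "ssh-add -l" in Python: the client sends SSH_AGENTC_REQUEST_IDENTITIES (message type 11) and the agent answers with SSH_AGENT_IDENTITIES_ANSWER (type 12) listing each cached key blob and its comment. list_agent_identities() talks to a real agent; demo_offline() plays both sides over a socketpair with a constructed 4096-bit identity so it runs without an agent. The MD5 colon fingerprint is the format ssh-add -l printed at the time of the article; the function names and the sample identity are mine. One caveat to keep in mind: any process running as your user (or as root) can ask the agent to use a cached key for as long as it stays loaded, so adding keys with a lifetime (ssh-add -t <seconds>) limits that window.

```python
import hashlib
import os
import socket
import struct
from typing import Dict, List, Optional

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent: "which keys do you hold?"
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client: list of (key blob, comment)


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def frame(msg: bytes) -> bytes:
    """Every agent message goes on the wire as uint32 length + body."""
    return struct.pack(">I", len(msg)) + msg


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def describe_identity(blob: bytes, comment: str) -> Dict[str, object]:
    """Same facts ssh-add -l prints: bits, MD5 colon fingerprint, comment, type."""
    key_type, off = read_string(blob, 0)
    bits: Optional[int] = None
    if key_type == b"ssh-rsa":                 # blob = string type, mpint e, mpint n
        _e, off = read_string(blob, off)
        n, _ = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    fingerprint = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"type": key_type.decode(), "bits": bits,
            "fingerprint": fingerprint, "comment": comment}


def parse_identities_answer(msg: bytes) -> List[Dict[str, object]]:
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply")
    (count,) = struct.unpack(">I", msg[1:5])
    off, identities = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        identities.append(describe_identity(blob, comment.decode()))
    return identities


def request_identities(sock: socket.socket) -> List[Dict[str, object]]:
    """The request/response pair ssh-add -l performs on a connected agent socket."""
    sock.sendall(frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return parse_identities_answer(recv_exact(sock, length))


def list_agent_identities(sock_path: Optional[str] = None) -> List[Dict[str, object]]:
    """Connect to the real agent named by SSH_AUTH_SOCK, as ssh and ssh-add do."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        return request_identities(sock)


def constructed_answer() -> bytes:
    """One cached ssh-rsa identity. The modulus bytes are a constructed placeholder
    (top bit set, 4096 bits long), not a real key."""
    e = b"\x01\x00\x01"
    n = b"\x00\x80" + b"\x00" * 511
    blob = ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)
    return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
            + ssh_string(blob) + ssh_string(b"rsa w/o comment"))


def demo_offline() -> List[Dict[str, object]]:
    """Play both sides over a socketpair: the 'agent' end has its reply queued,
    the client end runs the real request/response sequence."""
    client, agent = socket.socketpair()
    with client, agent:
        agent.sendall(frame(constructed_answer()))
        identities = request_identities(client)
        request = agent.recv(64)                # what the client actually sent
    if request != frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES])):
        raise RuntimeError("client did not send REQUEST_IDENTITIES")
    return identities


def format_identity(ident: Dict[str, object]) -> str:
    label = "RSA" if ident["type"] == "ssh-rsa" else ident["type"]
    return f"{ident['bits']} {ident['fingerprint']} {ident['comment']} ({label})"


if __name__ == "__main__":
    for ident in demo_offline():
        print(format_identity(ident))
```

Note that the agent never hands the private key back: the only operations it offers are listing keys and signing challenges with them, which is why ssh can authenticate without the key ever leaving the agent's memory.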

Backing Up Keys

When we have a number of private/public key pairs that we rely on, we need a secure backup solution. Failing to have one can result in being locked out of a cloud service or losing the ability to decrypt already encrypted files. Losing the key pairs can be devastating, which is why we have to ensure a proper backup is in place.

We can also use private/public keys as part of our backup solution, as described in this article. There, private/public keys are created and used by the Bacula daemon to back up an encrypted version of files to a remote location. The files backed up can include the private/public keys we created earlier.

Conclusion

The use of public/private keys has mushroomed; they are now used by a great number of protocols and applications. The primary reason is improved security, since keys provide much better security than a password chosen by a user. Public/private keys are therefore becoming more and more important and are increasingly used for authentication to various cloud-based services.

In order to use cloud services securely, we have to ensure we're properly protecting our public/private keys, which can give an attacker the keys to the kingdom. We've looked at various ways to further protect the keys in order to make the attacker's job much more difficult. We have to keep in mind that an attacker who has gained a private key can possibly log in to various cloud systems or decrypt leaked encrypted data.


References

[1] The Secure Shell (SSH) Transport Layer Protocol, https://tools.ietf.org/html/rfc4253#section-6.6.
[2] Why some cryptographic keys are much smaller than others, https://blog.cloudflare.com/why-are-some-keys-small/.

Dejan Lukan

Dejan Lukan is a security researcher for InfoSec Institute and a penetration tester from Slovenia. He is very interested in finding new bugs in real-world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security-related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in a couple of dozen of them. His passions also include antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog, available here: http://www.proteansec.com/.