Public-Key-Cryptography Notes
1. Public and Private Keys
1.1. Differences
| Public Keys | Private Keys |
|---|---|
Are used to encrypt |
Are used for decryption |
Are shared publicly |
Only the owner has the key |
Can be used for encrypting or signing |
Used to decrypt or validate a signature |
Cannot be used to derive the related private key |
Cannot be used to derive the related public key |
2. Types of Cryptography
4. Generating an SSH Public/Private Key Pair
4.1. Generate the Public/Private Key Pair
-
Generate the
key pairon the local server. This is the server where the communication will be initiated from.-
Initiate key generation with the ssh-keygen command for one of the following algorithms in order of preference:
EdDSA (Edwards-curve Digital Signature Algorithm)ssh-keygen -t ed25519ECDSA (Elliptic Curve Digital Signature Algorithm)ssh-keygen -t ecdsa -b 521RSA (Rivest–Shamir–Adleman)ssh-keygen -t rsa -b 4096 -
Select a
file namefor the key. Can use the default name and path. -
Choose a strong
passphrasewhich is used for encrypting the key, so that it cannot be used even if someone obtains the private key file. This is not required but is highly recommended.Exampleuser@localserver:~$ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter file in which to save the key (/home/user/.ssh/id_ed25519): (1) Enter passphrase (empty for no passphrase): (2) Enter same passphrase again: (3) Your identification has been saved in /home/user/.ssh/id_ed25519 (4) Your public key has been saved in /home/user/.ssh/id_ed25519.pub (5) The key fingerprint is: SHA256:xXh8X2yiTzmzebt7eu6+Jxb9uwCSMgixo18cjhfceQ4 user@localserver The key's randomart image is: +--[ED25519 256]--+ | . | | + . .+ . | | + + E..= . . +| | . * + +o.. o = | | . . * oS+ .. *. | | . o o . .o.=.| | . .+.o| | +.*| | ..#%| +----[SHA256]-----+1 default location 2 a strong passphrase was provided 3 passphrase again 4 private key file name 5 public key file name -
This will result in the generation of both a
publicandprivatekey:user@localserver:~$ ls -l .ssh total 28 -rw------- 1 user group 403 Nov 18 07:59 authorized_keys -rw------- 1 user group 464 Nov 28 10:23 id_ed25519 (1) -rw-r--r-- 1 user group 104 Nov 28 10:23 id_ed25519.pub (2) -rw------- 1 user group 2610 Nov 18 08:39 id_rsa (3) -rw-r--r-- 1 user group 576 Nov 18 08:39 id_rsa.pub (4) -rw------- 1 user group 3360 Nov 18 08:26 known_hosts1 the EdDSA private key created in this example 2 the EdDSA public key created in this example 3 a previously created RSA private key 4 a previously created RSA public key
-
4.2. Transfering the Public key to Remote Servers
-
The contents of the
public keyneed to be added to the/home/user/.ssh/authorized_keysfile at the remote server. This can be done in a few different ways.
4.2.1. Via the ssh-copy-id command
-
Use the
ssh-copy-idcommandcommandssh-copy-id -i ~/.ssh/id_ed25519.pub user@remotehostexample via thessh-copy-idcommanduser@localhost:~$ ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remotehost /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_ed25519.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys user@remotehost's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'user@remotehost'" and check to make sure that only the key(s) you wanted were added.
4.2.2. Via Direct Edit of the Remote authorized_keys file
-
First cat the contents of
public keyfile:Commanduser@localhost:~$ cat .ssh/id_ed25519.pubExampleuser@localhost:~$ cat .ssh/id_ed25519.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZSjvyr8Xkl/ZthPMkmbkskx6JRt69WtuioviJUQlmM user@remotehost -
Now add the contents to the end of the
/home/user/.ssh/authorized_keysfile on the remote server