Weight: 3
Description: The candidate should be able to use public key techniques to secure data and communication.
Key Knowledge Areas:
Perform basic OpenSSH 2 client configuration and usage
Understand the role of OpenSSH 2 server host keys
Perform basic GnuPG configuration, usage and revocation
Understand SSH port tunnels (including X11 tunnels)
Terms and Utilities:
ssh
ssh-keygen
ssh-agent
ssh-add
~/.ssh/id_rsa and id_rsa.pub
~/.ssh/id_dsa and id_dsa.pub
/etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub
~/.ssh/authorized_keys
ssh_known_hosts
gpg
~/.gnupg/
First lets start about some concepts.
Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those whom it is intended can read and process it. Encryption is a key concept in cryptography
Encryption :In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
Decryption: The conversion of encrypted data into its original form is called Decryption. It is generally a reverse process of encryption.
Encryption algorithms are often divided into two categories, known as symmetric and asymmetric encryption.
Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys--a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.
Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public).
A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.
encryption vs signing
When encrypting, you use their public key to write a message and they use their private key to read it.
When signing, you use your private key to write message's signature, and they use your public key to check if it's really yours.
Key server (cryptographic), a server on which public keys are stored for others to use
With that introduction lets talk about SSH.
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).
Typical uses of the SSH protocol are:
providing secure access for users and automated processes
interactive and automated file transfers
issuing remote commands
managing network infrastructure and other mission-critical system components.
The way SSH works is by making use of a client-server model to allow for authentication of two remote systems and encryption of the data that passes between them.
SSH operates on TCP port 22 by default (though this can be changed if needed). The host (server) listens on port 22 (or any other SSH assigned port) for incoming connections.
SSH provides multiple mechanisms for authenticating the server and the client. Two of the commonly used authentication mechanism are password based, and key based authentication. Although password based authentication is also secure, its advisable to use key based authentication instead.
the connection is established by the SSH client connecting to the SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.
OpenSSH is a free, open source implementation of the SSH (Secure Shell) protocols. Open OpenSSH is so popular among system administrators because of its multi-platform capability and very useful nice features.
All communications and user credentials using OpenSSH are encrypted, they are also protected from man in the middle attacks. If a third party tries to intercept our connection, OpenSSH detects it and informs us about that.
We use Ubuntu16-1 as ssh server and Ubuntu16-2 as client.
OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp) and one for the server daemon (sshd).
[email protected]:~# ls -1 /etc/sshmodulissh_configsshd_configssh_host_dsa_keyssh_host_dsa_key.pubssh_host_ecdsa_keyssh_host_ecdsa_key.pubssh_host_ed25519_keyssh_host_ed25519_key.pubssh_host_rsa_keyssh_host_rsa_key.pubssh_import_id
Thesshd_config
is the ssh daemon(or ssh server process) configuration file, Whereas, the ssh_config
file is the ssh client configuration file. The client configuration file only has bearing on when you use the ssh command to connect to another ssh host . As you can see there are public keys and private keys here with different algorithems and they can be used by SSH to encrypt the session.
Till now we have understood how ssh works. As we mentioned when ssh connection is started, the public key of ssh server is tranfered to the client(stored in ./ssh/known_hosts) and the client will use it to continue negotiation with the server and user will be required to get authenticated by sending username and password.
Lets start by connecting toUbuntu16-1 from Ubuntu16-2 and see the keys:
The authenticity of host '192.168.52.146 (192.168.52.146)' can't be established.ECDSA key fingerprint is SHA256:GV/PpX9YGvMZTAbuz6w3zBDreokesZHhVSM1zrXmHLw.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.52.146' (ECDSA) to the list of known hosts.[email protected]'s password:Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantage445 packages can be updated.365 updates are security updates.New release '18.04.4 LTS' available.Run 'do-release-upgrade' to upgrade to it.Last login: Fri Mar 27 15:51:55 2020 from 192.168.52.133
What is fingerprint ? a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks.
now lets compare the keys in server and client:
### server[email protected]:~$ cat /etc/ssh/ssh_host_ecdsa_key.pubecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIjnKq9Wr0C2faQCf4+gcqPN4bOMFyx1nywTjLS/mh/S30V0r/mvy9cvfWvA2LY/y7zqxg+/gMvELQznikQiaTo= [email protected]
### client[email protected]:~$ tree .ssh/.ssh/└── known_hosts0 directories, 1 file[email protected]:~$ cat .ssh/known_hosts|1|gD2R1tW6jKBSyL1A0XpynmG8Vok=|1X2nzVcwHLQGT5T8FOUxeCejtvQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIjnKq9Wr0C2faQCf4+gcqPN4bOMFyx1nywTjLS/mh/S30V0r/mvy9cvfWvA2LY/y7zqxg+/gMvELQznikQiaTo=
Its possible to omit entring user name and password and get connected to the ssh server using client public and private key.
Now lets generate public and private keys for client and copy client public key to the server.
ssh-keygen - creates a key pair for public key authentication:
[email protected]:~$ ssh-keygenGenerating public/private rsa key pair.Enter file in which to save the key (/home/user1/.ssh/id_rsa):Enter passphrase (empty for no passphrase):Enter same passphrase again:Your identification has been saved in /home/user1/.ssh/id_rsa.Your public key has been saved in /home/user1/.ssh/id_rsa.pub.The key fingerprint is:SHA256:rer76yQU+8Mmrg33xCA51RtnpTUVHT1cVMX7kB2+aUI [email protected]The key's randomart image is:+---[RSA 2048]----+| +.+*@|| . + . ++|| o o + .o+|| o o * Eoo.|| + + S . . .+|| + = . . +.|| . + X o || = O . || .o*+=. |+----[SHA256]-----+[email protected]:~$ tree .ssh.ssh├── id_rsa├── id_rsa.pub└── known_hosts0 directories, 3 files[email protected]:~$ cat .ssh/id_rsa.pubssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC818rxUXbwnwwxtFhUKvgtZV+Ygao1nUEHcaBvYEsXsBa4hQcV0+ITPEMHfk0zUag3sKyQZWckKmREK+lpiF+7Nrw83eKxjgHdwZC0ibxPTenklZNSBEMZMBDeq8H3bKoAfuyczX0IfVDA2Iyebsg2KYIIZQ/Otw7hAm2IH3perUqzeYliLhIYb0Gd3jyOpl4VMaPb2p+f5+fG87MnzjDplyorruhZyUcv8CMUc6XZ3dJjeiSsNNCRKLEb6Cm6msQxuCUq+Xz1n0+ay6fsaJbbhzFwNvbRH2YSzBg5BmtBXVt68U6XM3SzynWAqQaDS44Cuv3M1q88baTlOTjRkFRZ [email protected]
We haven't set passphrase in our demonstration but if we set we would be asked to enter it when we copy it to the server.
we use ssh-copy-id - configures a public key as authorized on a server
[email protected]:~$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys[email protected]'s password:Number of key(s) added: 1Now try logging into the machine, with: "ssh '[email protected]'"and check to make sure that only the key(s) you wanted were added.
Now lets take a look the server side:
[email protected]:~$ cat .ssh/authorized_keysssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC818rxUXbwnwwxtFhUKvgtZV+Ygao1nUEHcaBvYEsXsBa4hQcV0+ITPEMHfk0zUag3sKyQZWckKmREK+lpiF+7Nrw83eKxjgHdwZC0ibxPTenklZNSBEMZMBDeq8H3bKoAfuyczX0IfVDA2Iyebsg2KYIIZQ/Otw7hAm2IH3perUqzeYliLhIYb0Gd3jyOpl4VMaPb2p+f5+fG87MnzjDplyorruhZyUcv8CMUc6XZ3dJjeiSsNNCRKLEb6Cm6msQxuCUq+Xz1n0+ay6fsaJbbhzFwNvbRH2YSzBg5BmtBXVt68U6XM3SzynWAqQaDS44Cuv3M1q88baTlOTjRkFRZ [email protected]
now lets check the result from the client:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantage445 packages can be updated.365 updates are security updates.New release '18.04.4 LTS' available.Run 'do-release-upgrade' to upgrade to it.Last login: Fri Mar 27 15:57:29 2020 from 192.168.52.133
and it seems okey.We can copy and paste the keys for other users if you like, but do not forget that these keys give power to users to login with out the password.
We have configured a password less ssh connection using key based authentication. But what would happened if our system compromised? An evil hacker would be able to get connected to other servers using key based authentication without knowning the passwords.
Passphrase can help us to avoid this kinds of security issues by requiring a passphrase at the beginning of every ssh key-based authentication. So let clear previous authorized_key, and start:
[email protected]:~$ vim .ssh/authorized_keys[email protected]:~$ cat .ssh/authorized_keys[email protected]:~$ exitlogoutConnection to 192.168.52.146 closed.
Now generate a new key pairs with passphrase on the client (Let it over write current private and public key):
[email protected]:~$ ssh-keygenGenerating public/private rsa key pair.Enter file in which to save the key (/home/user1/.ssh/id_rsa):/home/user1/.ssh/id_rsa already exists.Overwrite (y/n)? yEnter passphrase (empty for no passphrase):Enter same passphrase again:Your identification has been saved in /home/user1/.ssh/id_rsa.Your public key has been saved in /home/user1/.ssh/id_rsa.pub.The key fingerprint is:SHA256:NYUt7TiSY2pBH7jtmZqGDdV545CRZxTFvOg3KJ3trxo [email protected]The key's randomart image is:+---[RSA 2048]----+| . ooOo || o + =.= || . = Oo= . || + %.*.o || . [email protected] * || . o = * + || = o .Eo . || . = .. || . ...o. |+----[SHA256]-----+[email protected]:~$ tree .ssh/.ssh/├── id_rsa├── id_rsa.pub└── known_hosts0 directories, 3 files[email protected]:~$ cat .ssh/id_rsa.pubssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjF4K2XDLQIysT9QvwQKFFvJ6LeBN3XsmEO9cTZfnRPhPjKOpcwvyCPaFJwXpiSXLE+RUjy2lwghZ6sOIXezGG9+oqkVegBOJ9RonQfvg5nUCr/Khx+dT/5ZV8JEjJVYqWnrgxKiKgzFHfzInE3qKG4kN2yuanomqIPFGQs0Mk/ShmYCPEEDIxyapRWkSJMa1OeS4/Elk1gGcna0TwgNVF8zmGkg5JO3ruwia2uSbdDWxA2vVtae2qA02lFh0Gb/LJO8vR24MAwlyMMHU2UdszA4eWqQBrZtpKmQ0A4plT8EUkh2cZHgaUeMVloWDmFRyiU2LIFgC5AacnwRIFTtTD [email protected]
Now lets tranfer our new public key to the server:
[email protected]:~$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys[email protected]'s password:Number of key(s) added: 1Now try logging into the machine, with: "ssh '[email protected]'"and check to make sure that only the key(s) you wanted were added.
Lets check the key we have copied on the server:
[email protected]:~$ cat .ssh/authorized_keysssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjF4K2XDLQIysT9QvwQKFFvJ6LeBN3XsmEO9cTZfnRPhPjKOpcwvyCPaFJwXpiSXLE+RUjy2lwghZ6sOIXezGG9+oqkVegBOJ9RonQfvg5nUCr/Khx+dT/5ZV8JEjJVYqWnrgxKiKgzFHfzInE3qKG4kN2yuanomqIPFGQs0Mk/ShmYCPEEDIxyapRWkSJMa1OeS4/Elk1gGcna0TwgNVF8zmGkg5JO3ruwia2uSbdDWxA2vVtae2qA02lFh0Gb/LJO8vR24MAwlyMMHU2UdszA4eWqQBrZtpKmQ0A4plT8EUkh2cZHgaUeMVloWDmFRyiU2LIFgC5AacnwRIFTtTD [email protected]
Now when we ssh to the remote server (ubuntu16-1) from our client(ubuntu16-2), we are asked to enter our local key passphrase intead of remote user account password:
Enter passphrase for key '/home/user1/.ssh/id_rsa':Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantage445 packages can be updated.365 updates are security updates.New release '18.04.4 LTS' available.Run 'do-release-upgrade' to upgrade to it.Last login: Fri Mar 27 16:19:57 2020 from 192.168.52.133
lets exit and ssh again and again:
[email protected]:~$ exitlogoutConnection to 192.168.52.146 closed.Enter passphrase for key '/home/user1/.ssh/id_rsa':Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantage445 packages can be updated.365 updates are security updates.New release '18.04.4 LTS' available.Run 'do-release-upgrade' to upgrade to it.Last login: Fri Mar 27 16:30:00 2020 from 192.168.52.133[email protected]:~$ exitlogoutConnection to 192.168.52.146 closed.
as you can see each time we are asked to enter passphrase and that was what we were seeking for inorder to stop a hacker if our system get compromised. There is way to stick passphrase to the current user session and keept if for next ssh connections inorder to avoid entering passphrase again and again.
The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO). The SSH agent is used for SSH public key authentication.
[email protected]:~$ ssh-agentSSH_AUTH_SOCK=/tmp/ssh-7dlnU2k64PSA/agent.65150; export SSH_AUTH_SOCK;SSH_AGENT_PID=65151; export SSH_AGENT_PID;echo Agent pid 65151;
if you got an error try ssh-agent /bin/bash first.
By default, the agent uses SSH keys stored in the .ssh
directory under the user's home directory. The ssh-add command is used for adding identities to the agent. In the simplest form, just run if without argument to add the default files ~/.ssh/id_rsa
, .ssh/id_dsa
, ~/.ssh/id_ecdsa
, ~/.ssh/id_ed25519
, and ~/.ssh/identity
. Otherwise, give it the name of the private key file to add as an argument.
[email protected]:~$ ssh-addEnter passphrase for /home/user1/.ssh/id_rsa:Identity added: /home/user1/.ssh/id_rsa (/home/user1/.ssh/id_rsa)[email protected]:~$ ssh-add -l2048 SHA256:NYUt7TiSY2pBH7jtmZqGDdV545CRZxTFvOg3KJ3trxo /home/user1/.ssh/id_rsa (RSA)
-l
will list private keys currently accessible to the agent,
-D
Deletes all identities from the agent, if you like!
And then we can login to OpenSSH server (ubuntu16-1) without any password or passphrase again and again:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-39-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantage445 packages can be updated.365 updates are security updates.New release '18.04.4 LTS' available.Run 'do-release-upgrade' to upgrade to it.Last login: Fri Mar 27 16:31:26 2020 from 192.168.52.133[email protected]:~$ exitlogout
Until we exit from the bash that uses associated key with that, then we would need to enter passphrase again.
SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks) and access intranet services across firewalls.
SSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to legacy applications that do not natively support encryption.
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines. It can also be abused by hackers and malware to open access from the Internet to the internal network.
There are three types of SSH port forwarding:
Local port forwarding - connections from an SSH client are forwarded, via the SSH server, to a destination server.
Remote port forwarding - connections from an SSH server are forwarded, via the SSH client, to a destination server
Dynamic port forwarding - connections from various programs are forwarded, via the SSH client to an SSH server, and finally to several destination servers.
Like other command ssh has also some options.Lets take a look at most usefull switches:
SSH commands | Description |
ssh -V | Shows ssh client version |
Connect to the remote host, add "-v" for verbose mode | |
ssh -l login_name server1.example.com | Specifies the user to log in as on the remote machine. |
ssh [email protected] <command> | Running <command> on the remote host over ssh |
ssh -X [email protected] | Enable Xforwarding on the clients side, X11Forwarding should be enabled on the server side in sshd_config file. |
Encryption is important because it allows you to securely protect data that you don't want anyone else to have access to.
GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.
for demonstration, we use two users on ubuntu16, user1 and user2.
okey, lets login via user1 and start creating keypairs using gpg --gen-key
command:
[email protected]:~$ gpg --gen-keygpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.gpg: keyring `/home/user1/.gnupg/secring.gpg' createdPlease select what kind of key you want:(1) RSA and RSA (default)(2) DSA and Elgamal(3) DSA (sign only)(4) RSA (sign only)Your selection? 1RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (2048)Requested keysize is 2048 bitsPlease specify how long the key should be valid.0 = key does not expire<n> = key expires in n days<n>w = key expires in n weeks<n>m = key expires in n months<n>y = key expires in n yearsKey is valid for? (0)Key does not expire at allIs this correct? (y/N) yYou need a user ID to identify your key; the software constructs the user IDfrom the Real Name, Comment and Email Address in this form:"Heinrich Heine (Der Dichter) <[email protected]>"Real name: RealUser1Email address: [email protected]Comment: created by user1You selected this USER-ID:"RealUser1 (created by user1) <[email protected]>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? oYou need a Passphrase to protect your secret key.We need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy..++++++++++We need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy.Not enough random bytes available. Please do some other work to givethe OS a chance to collect more entropy! (Need 74 more bytes)....+++++gpg: key 6D187851 marked as ultimately trustedpublic and secret key created and signed.gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust modelgpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1upub 2048R/6D187851 2020-03-28Key fingerprint = 8772 5C1E 3F2F 88DB DBB7 7F37 E06C 3317 6D18 7851uid RealUser1 (created by user1) <[email protected]>sub 2048R/F00A0A74 2020-03-28
it create keys inside ~/.gupg directory.
lets see the created key-pair using gpg --list-key
commmand:
[email protected]:~$ gpg --list-key/home/user1/.gnupg/pubring.gpg------------------------------pub 2048R/6D187851 2020-03-28uid RealUser1 (created by user1) <[email protected]>sub 2048R/F00A0A74 2020-03-28
Then we need to share our public key to other people. To export our public key file we need to run:
[email protected]:~$ gpg --export RealUser1 > user1.pub
lets put in /tmp directory for user2:
[email protected]:~$ mv user1.pub /tmp/
now login as user2 and import user1 public key via gpg --import
:
[email protected]:~$ gpg --import /tmp/user1.pubgpg: directory `/home/user2/.gnupg' createdgpg: new configuration file `/home/user2/.gnupg/gpg.conf' createdgpg: WARNING: options in `/home/user2/.gnupg/gpg.conf' are not yet active during this rungpg: keyring `/home/user2/.gnupg/secring.gpg' createdgpg: keyring `/home/user2/.gnupg/pubring.gpg' createdgpg: /home/user2/.gnupg/trustdb.gpg: trustdb createdgpg: key 6D187851: public key "RealUser1 (created by user1) <[email protected]>" importedgpg: Total number processed: 1gpg: imported: 1 (RSA: 1)
next create a sample file for encrypting:
[email protected]:~$ vim user2file[email protected]:~$ cat user2filewater boils at 100 degrees celsius!
every thing is ready for encrypting user2 file:
### list keys[email protected]:~$ gpg --list-key/home/user2/.gnupg/pubring.gpg------------------------------pub 2048R/6D187851 2020-03-28uid RealUser1 (created by user1) <[email protected]>sub 2048R/F00A0A74 2020-03-28
### encrypt[email protected]:~$ gpg --output user2secret --recipient Realuser1 --encrypt user2filegpg: F00A0A74: There is no assurance this key belongs to the named userpub 2048R/F00A0A74 2020-03-28 RealUser1 (created by user1) <[email protected]>Primary key fingerprint: 8772 5C1E 3F2F 88DB DBB7 7F37 E06C 3317 6D18 7851Subkey fingerprint: 28DD 00C2 443C EA3B CD1A 9D5F 901E 5A02 F00A 0A74It is NOT certain that the key belongs to the person namedin the user ID. If you *really* know what you are doing,you may answer the next question with yes.Use this key anyway? (y/N) y
### take a look at inside encrypted file![email protected]:~$ cat user2secret��Z�t�}�D?�Y���Ky��Ƹ�TB$+��!�M�z�(�s}jc�_�#,$u�z��]�K�Kܮ�H�g���m˚�o���^;J��IvI������ �&(���W��Y'Y�Mm,���*���F)��-��$vj�Um����M���(Xr�����I�+H�ko�%k^��Lߍ5h�7�s�[�N.2 o�fe�d ���Ż�[Dӿ�'�^�fⳐKn{AS&#,��̊ښ��}�5�!01e;Ē�h�j1������Jkt��VY6���k�H�߳�rt�-nA?gzȬ��#j1)](�L�1Ey���CJ�Ĭ�cуk��QP�I2y_���8G�[email protected]:~$
time to send user 2 secret to user1:
[email protected]:~$ mv user2secret /tmp/
Log in as user1 and try to decrypt user2 secret:
[email protected]:~$ gpg --out from_user2 --decrypt /tmp/user2secretYou need a passphrase to unlock the secret key foruser: "RealUser1 (created by user1) <[email protected]>"2048-bit RSA key, ID F00A0A74, created 2020-03-28 (main key ID 6D187851)gpg: encrypted with 2048-bit RSA key, ID F00A0A74, created 2020-03-28"RealUser1 (created by user1) <[email protected]>"
lets see what is user2 secret information?
[email protected]:~$ cat from_user2water boils at 100 degrees celsius!
If your private key becomes known to others, you will need to disassociate the old keys from your identity, so that you can generate new ones. To do this, you will require a revocation certificate. We’ll do this now and store it somewhere safe.
[email protected]:~$ gpg --output revoke_User1.crt --gen-revoke [email protected]sec 2048R/6D187851 2020-03-28 RealUser1 (created by user1) <[email protected]>Create a revocation certificate for this key? (y/N) yPlease select the reason for the revocation:0 = No reason specified1 = Key has been compromised2 = Key is superseded3 = Key is no longer usedQ = Cancel(Probably you want to select 1 here)Your decision? 0Enter an optional description; end it with an empty line:>Reason for revocation: No reason specified(No description given)Is this okay? (y/N) yYou need a passphrase to unlock the secret key foruser: "RealUser1 (created by user1) <[email protected]>"2048-bit RSA key, ID 6D187851, created 2020-03-28ASCII armored output forced.Revocation certificate created.Please move it to a medium which you can hide away; if Mallory getsaccess to this certificate he can use it to make your key unusable.It is smart to print this certificate and store it away, just in caseyour media become unreadable. But have some caution: The print system ofyour machine might store the data and make it available to others!
The --output
option must be followed by the filename of the certificate you wish to create. The --gen-revoke
option causes gpg
to generate a revocation certificate. You must provide the email address that you used when the keys were generated.
[email protected]:~$ cat revoke_User1.crt-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1Comment: A revocation certificate should followiQEfBCABAgAJBQJef1iqAh0AAAoJEOBsMxdtGHhRuU0H/RHrxodSkniRE+iD15PWdfcWcPZVAv9m2SWzmPN0vU/ywgUE5G60pNsOC6bxWbtmxbxm/PutCA+ipC/KPTcZRwZvU8ge0PLulrQ5km9xea2295b2dOBEPCzOkgv6BTeAMADrBmi2shhLqUWeoRRr7H6oTC6RFr76o1jPb9UUMVDh840ttMlpYPAlir6JqCvwSL2ZJE58vWSuC/rou1ds4Z1Q0EFjpMQ5S1TmukVF4h4xxGsiZpgoubKJb++1CtYfqoPgCV/yiQFjaSGdiQbL0uqjfEERjOUUc5FKAY9fmvfAjmRzUBhit1U9wWiQ7O+JBxzMUDda3eas5OzpweeK0Lw==z2hv-----END PGP PUBLIC KEY BLOCK-----
By encrypting a document using your private key, you let everyone to try to open it using your public key and if they succeed, they will be sure that you have signed it using YOUR private key! gpg
has a specific command to sign documents:
[email protected]:~$ vim notice[email protected]:~$ cat noticeLets start learning LPIC-2![email protected]:~$ gpg --clearsign noticeYou need a passphrase to unlock the secret key foruser: "RealUser1 (created by user1) <[email protected]>"2048-bit RSA key, ID 6D187851, created 2020-03-28
here the --clearsign tells the gpg to include the clear text message in the output file too. The output file will be originalfile.asc
:
[email protected]:~$ cat notice.asc-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1Lets start learning LPIC-2!-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQEcBAEBAgAGBQJef2DyAAoJEOBsMxdtGHhReQoH/j33csnEJUlS6IqdlzeIDyw3D6HVli8TaywfdZLTCXhSRHNM7NISCIsPdULHVs1J8vwYKLqshNOlx7F+HNAmkYtvWqHlNL03x2TOEca+qr31iUFdtpRKrMsQ3mpai2aaI8MoILO1gRYGMZ717O31YGGhyQ5Teft6q2QorWXpbACN0JlWcKs5OiFCgcCOOp2RHnjM4NtCJEmI+ZGBuqVJL98PAa/fP5AteexMuj4GwRfC542f9Tsaw03je4SlAcgq7cJ+iwpy5vHGwN0sPwbRoqbSABL1zaTA2TZmnS5Jx5ii8IyndObuVHtDUEGROaqxiVWZ/JrMAAfAjtv/mnL79HQ==W+EU-----END PGP SIGNATURE-----
copy notice.asc file to /tmp and other users can verify that a document is singed correctly:
[email protected]:~$ gpg --verify /tmp/notice.ascgpg: Signature made Sat 28 Mar 2020 07:06:34 PM +0430 using RSA key ID 6D187851gpg: Good signature from "RealUser1 (created by user1) <[email protected]>"gpg: WARNING: This key is not certified with a trusted signature!gpg: There is no indication that the signature belongs to the owner.Primary key fingerprint: 8772 5C1E 3F2F 88DB DBB7 7F37 E06C 3317 6D18 7851
and that's all folks!
.
.
.
https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences
https://hackernoon.com/symmetric-and-asymmetric-encryption-5122f9ec65b1
https://economictimes.indiatimes.com/definition/decryption
https://support.microsoft.com/en-us/help/246071/description-of-symmetric-and-asymmetric-encryption
https://en.wikipedia.org/wiki/Key_server
https://www.ssh.com/ssh/protocol
https://www.hivelocity.net/kb/what-is-openssh/
https://www.ssh.com/ssh/agent
https://www.ssh.com/ssh/tunneling
https://www.ssh.com/ssh/tunneling/example
https://www.ssh.com/ssh/command
https://www.taoeffect.com/espionage/EspionageHelp/pages/faq-encryption.html
https://www.privex.io/articles/what-is-gpg/
https://www.howtogeek.com/427982/how-to-encrypt-and-decrypt-files-with-gpg-on-linux/
https://jadi.gitbooks.io/lpic1/content/1103_securing_data_with_encryption.html
.