Public Key Cryptography

Let’s break down Public Key Cryptography in five layers of complexity.

  1. Child: Imagine you have a special box with two keys: one key can only lock the box, and the other key can only unlock it. You can give the lock key to your friends so they can put secret messages in the box and lock it. However, only you have the unlock key to open the box and read the messages. That’s what public key cryptography is like. It’s a way of sending secret messages safely!

  2. Teenager: Public key cryptography is like having a special mailbox. You give everyone an open lock (this is the public key), which they can use to lock the mailbox. Once it’s locked, only you, with your special key (this is the private key), can unlock it. This system is how secrets are sent over the internet: websites give out their public key to anyone who wants to send them a message. The sender uses this key to encrypt their message, and only the receiver with the private key can decrypt it.

  3. Undergraduate: In more technical terms, public key cryptography involves a pair of keys known as the public key and the private key. The public key, which is openly distributed, is used to encrypt the data. This encrypted data can only be decrypted using the private key. This method allows for secure communication where the sender and the receiver don’t need to have shared any secrets beforehand. RSA and Elliptic Curve Cryptography are common examples of public key cryptographic systems.

  4. Grad student: Beyond the basic understanding, public key cryptography also enables something called ‘digital signatures’. It’s not only about keeping the information secret, but also about ensuring the authenticity of the information. For example, if I sign a document with my private key, anyone with my public key can verify that the document was truly sent by me. This concept forms the basis of many secure protocols on the internet like HTTPS, SSH, and is an integral part of blockchain technologies and secure email communication.

  5. Colleague: As we both understand, public key cryptography underpins the security of modern digital communications, enabling confidentiality, message integrity, authentication, and non-repudiation. It’s essential for protocols like TLS, and technologies like blockchain. Additionally, emerging quantum computing technology poses significant challenges to existing public key algorithms like RSA and ECC, as Shor’s algorithm can factor large numbers efficiently. Thus, the future of public key cryptography lies in the development and standardization of quantum-resistant algorithms, a field known as post-quantum cryptography.

Public Key Cryptography and SSH

Imagine you want to send a secret message to your friend who is far away. But you’re afraid that someone else might intercept the letter and read it. Here’s how you’d use public key cryptography, like in SSH (Secure Shell), to solve this problem:

  1. Creation of keys: Your friend creates a pair of keys, one public and one private. They keep the private key to themselves and send you the public key.

  2. Encrypting the message: You use the public key to “lock” (encrypt) your message. Once locked with this public key, the message can only be opened with the corresponding private key.

  3. Sending the message: You then send your locked message to your friend. Even if someone intercepts the message, they won’t be able to read it because they don’t have the private key to unlock (decrypt) it.

  4. Decrypting the message: Your friend, who has the private key, uses it to unlock (decrypt) your message. Because only they have the private key, only they can read your secret message.

This is how SSH works. It uses this concept of public and private keys to ensure that communication between your computer and the server is secure. Even if someone intercepts the communication, they cannot understand it because they do not have the necessary private key to decrypt the message.

Public Key Cryptography and Remote Login

Public Key Cryptography plays a significant role in SSH (Secure Shell), a protocol used for secure remote login and other secure network services over an unsecured network. Let’s break it down into simple steps:

  1. Key Generation: Initially, both the client (the user trying to login) and the server generate their own pair of keys - a public key and a private key. They keep their private keys to themselves.

  2. Sharing Public Keys: The client shares their public key with the server, and the server adds it to a list of authorized keys. In a similar fashion, the server can share its public key with the client. This sharing typically happens once during a setup phase and not each time when logging in.

  3. Authentication: When the client wants to SSH into the server, the server will generate a random message and encrypt it with the client’s public key. This encrypted message is sent back to the client. Only the client’s private key, which only the client has, can decrypt this message.

  4. Validation: The client decrypts the received message using its private key and sends it back to the server. The server, having the original message, compares it to the one sent back by the client. If they match, it verifies that the client is indeed the legitimate owner of the public key, hence, authenticating the client.

  5. Session Encryption: For the actual SSH session, a symmetric session key is generated by the client. This session key is encrypted with the server’s public key and sent over to the server. The server decrypts it with its private key, and now both the client and server have the same session key, which they use for the remainder of the session to encrypt and decrypt messages. This is done because symmetric encryption and decryption is less CPU intensive than asymmetric encryption and decryption.

This combination of Public Key Cryptography for authentication and symmetric cryptography for communication is what makes SSH a secure and efficient protocol.

Public Key Cryptography and PEM File

A PEM file (Privacy Enhanced Mail) is a type of file that usually contains cryptographic information, such as keys or certificates. In the context of Public Key Cryptography and SSH, a PEM file is often used to store the public and/or private keys that are necessary for SSH authentication.

Here’s how it typically works:

  1. Key Generation: As a user, you generate a pair of keys (public and private) using a tool like ssh-keygen. These keys are used for SSH connections.

  2. Storing Keys: These keys are then stored in files. The private key might be saved in a file named id_rsa, and the public key in a file named id_rsa.pub. These files are usually stored in the .ssh directory in your home directory. The private key file id_rsa is typically in PEM format.

  3. Protecting the Private Key: The PEM file that contains your private key is sensitive. It should be kept secure and private because it can be used to authenticate as you when connecting to servers. This is why it’s usually recommended to protect it further with a passphrase.

  4. Sharing the Public Key: The public key (in the id_rsa.pub file), on the other hand, can be shared freely. You would add your public key to the authorized_keys file on any server that you want to SSH into.

In summary, a PEM file is often used to store the private key (in a safe and secure location) that corresponds to the public key that you add to servers for SSH authentication. The private key in the PEM file is what your SSH client uses to prove to the SSH server that you are the legitimate user.

Infrastructure Automation Tools

Many infrastructure automation tools, such as Ansible, Terraform, or cloud-specific tools like AWS CloudFormation or Google’s Deployment Manager, do use PEM files to manage SSH access to servers.

The process usually works like this:

  1. Key Generation: The automation tool generates a pair of public and private keys, often saved as PEM files. This might be done using a tool like ssh-keygen or OpenSSL.

  2. Private Key Storage: The private key is stored securely. Depending on the infrastructure and security requirements, this might be on a secure local machine, or in a secure, encrypted storage service.

  3. Public Key Deployment: The public key is added to new servers as they are created. This could be part of a startup script for the server, or the automation tool might have a specific method for adding SSH keys. For example, in AWS, you can specify a key pair to be added to an EC2 instance at the time of its creation.

  4. Server Access: Later, when access to the server is needed, the private key can be used with an SSH client to authenticate and connect to the server.

By automating the process of key generation and deployment, these tools make it much easier to manage SSH access across many servers, and help ensure that only authorized users can gain access.