Sunday, December 7, 2014

Using ssh keys for signing data files by socpuppets

With PGP, we can  sign files for identification & authenticity.

This involves sharing the PGP public-key thru a keyserver or distributing the key via some other method ( email, http website, busines card,etc...). It also requires you to build a PGP keypair and manage the keypair.

Most systems  like a unix server,  has ssh already enabled or in use. And most of these same systems have users with a keypair created ( RSA | DSA ) or they can easily create ssh keys.

So why not just use  ssh?

Will I will show you just how you can sign/verify a file, by just using our ssh  keys


You need to convert "your public key" into a "PEM" format. The best means for doing this, is by using the openssl utility.

the user that will  signed the data  )
openssl rsa -pubout -in ~kfelix/.ssh/id_rsa  -outform pem > ~kfelix/.ssh/rsa_pub.pem 
You can now take the newly made pem-format file,  copy and send it to others systems or users. It's public so you don't have to worry about securing the file.

You could send it via  email, ftp, or even via scp. In some case you could build a HTTP server within your enterprise system and have users update and publish keys locally ( this would be like a goto  key-server & self-managed ;) )

I 've built system like this in past lives  & when ever one needs to verify datafile signatures, they just  launch a  browser at the http keyserver and grab the sender public-key. You could easily modify your company directory in a sharepoint and allow for a user to publish his/her public-ssh-key into the sharepoint


Now we craft a "pem" format file against  our "private-key" we keep this key 100% secure & private. It's the private-key,  so  let's protect it.

the user that will  signed the data  )
openssl rsa -in ~~kfelix/.ssh/id_rsa -outform pem > rsa_priv.pem

Okay now just how all of this works? I will show you.

The sender will use his private-key to sign the date-file and then distribute the key, signature and data-file to the recipient(s).

Now we will  sign our datafile named file and create a signature named file.sign

openssl dgst -sha1 -sign ~kfelix/.ssh/rsa_priv.pem -keyform PEM  file > file.sign

And  the recipient will reverse the steps, but this time by using the provided public-key against the data file. He or She will now know if the datafile is authenticated.

openssl dgst -sha1 -verify ./rsa_pub.pem -keyform PEM  -signature file.sign file

NOTE: This requires the  recipient to know the  "previous" hashing format ( sha1 digest )   that was used earlier by the sender.  If  the public provided-key (pem formatted ) was tampered or the file was tampered with. The  verification process will fail. Likewise , if the wrong digest was used on the verification end, it will fail.

Keypoints for taking away

  • if the  public-key was tampered with or modified in transit, the  signature verification will fail ( common errors displayed  unable to load key file   | Verification Failure )
  • using the ssh-public-key allows for quick signature verification with out having to craft a set of  keys via PGP & per users
  • This methods does not rely on public-keyserver,  and is great for systems that are closed from  the internet  such a fully contained private network
  • Users understanding of PGP ( GNU gpg ) is not require, but it does require one to craft a PEM format key. The same PEM format key can be used for all other ssh operations

NOTE: If the keypair was crafted as a DSA key, just change the "rsa" to "dsa", in any of the examples above

 Yeap, that's how easy it could be with using ssh keypairs for signing datafiles

Here's a few screenshots from my server SOC1 and a enduser.

( converting a key to PEM format )

( signing data )  

( verification )  

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      /   \

No comments:

Post a Comment