This involves sharing the PGP public-key thru a keyserver or distributing the key via some other method ( email, http website, busines card,etc...). It also requires you to build a PGP keypair and manage the keypair.
Most systems like a unix server, has ssh already enabled or in use. And most of these same systems have users with a keypair created ( RSA | DSA ) or they can easily create ssh keys.
So why not just use ssh?
Will I will show you just how you can sign/verify a file, by just using our ssh keys
1st
You need to convert "your public key" into a "PEM" format. The best means for doing this, is by using the openssl utility.
( the user that will signed the data )
openssl rsa -pubout -in ~kfelix/.ssh/id_rsa -outform pem > ~kfelix/.ssh/rsa_pub.pem
2ndYou can now take the newly made pem-format file, copy and send it to others systems or users. It's public so you don't have to worry about securing the file.
You could send it via email, ftp, or even via scp. In some case you could build a HTTP server within your enterprise system and have users update and publish keys locally ( this would be like a goto key-server & self-managed ;) )
I 've built system like this in past lives & when ever one needs to verify datafile signatures, they just launch a browser at the http keyserver and grab the sender public-key. You could easily modify your company directory in a sharepoint and allow for a user to publish his/her public-ssh-key into the sharepoint
3rd
Now we craft a "pem" format file against our "private-key" we keep this key 100% secure & private. It's the private-key, so let's protect it.
( the user that will signed the data )
openssl rsa -in ~~kfelix/.ssh/id_rsa -outform pem > rsa_priv.pem
Okay now just how all of this works? I will show you.
The sender will use his private-key to sign the date-file and then distribute the key, signature and data-file to the recipient(s).
Now we will sign our datafile named file and create a signature named file.sign
openssl dgst -sha1 -sign ~kfelix/.ssh/rsa_priv.pem -keyform PEM file > file.sign
And the recipient will reverse the steps, but this time by using the provided public-key against the data file. He or She will now know if the datafile is authenticated.
openssl dgst -sha1 -verify ./rsa_pub.pem -keyform PEM -signature file.sign file
NOTE: This requires the recipient to know the "previous" hashing format ( sha1 digest ) that was used earlier by the sender. If the public provided-key (pem formatted ) was tampered or the file was tampered with. The verification process will fail. Likewise , if the wrong digest was used on the verification end, it will fail.
Keypoints for taking away
- if the public-key was tampered with or modified in transit, the signature verification will fail ( common errors displayed unable to load key file | Verification Failure )
- using the ssh-public-key allows for quick signature verification with out having to craft a set of keys via PGP & per users
- This methods does not rely on public-keyserver, and is great for systems that are closed from the internet such a fully contained private network
- Users understanding of PGP ( GNU gpg ) is not require, but it does require one to craft a PEM format key. The same PEM format key can be used for all other ssh operations
NOTE: If the keypair was crafted as a DSA key, just change the "rsa" to "dsa", in any of the examples above
Yeap, that's how easy it could be with using ssh keypairs for signing datafiles
Here's a few screenshots from my server SOC1 and a enduser.
( converting a key to PEM format )
( signing data )
( verification )
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( # # )=
@
/ \
No comments:
Post a Comment