-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy patha-revised-way-of-generating-ssh-keys.html
254 lines (185 loc) · 16.9 KB
/
a-revised-way-of-generating-ssh-keys.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="/favicon.png">
<link rel="stylesheet" href="/css/main.css">
<link rel="canonical" href="http://stefaniuk.co.uk/a-revised-way-of-generating-ssh-keys">
<link rel="alternate" type="application/rss+xml" title="Dan Stefaniuk" href="http://stefaniuk.co.uk/feed.xml">
<!-- Begin Jekyll SEO tag v2.2.3 -->
<title>A Revised Way of Generating SSH Keys | Dan Stefaniuk</title>
<meta property="og:title" content="A Revised Way of Generating SSH Keys" />
<meta property="og:locale" content="en_US" />
<meta name="description" content="I've been using 4096-bit RSA SSH keys for quite a few years. The RSA keys are very compatible. They've been working on various operating systems as well as on mobile devices. They are also known as being slow and potentially insecure if created with a small amount of bits, especially after the year 2013. Today, I decided to do some research to find an alternative configuration. Things have moved on since my last check. Large keys are still considered secure, however the elliptic curve cryptography has become much more popular in the recent decade." />
<meta property="og:description" content="I've been using 4096-bit RSA SSH keys for quite a few years. The RSA keys are very compatible. They've been working on various operating systems as well as on mobile devices. They are also known as being slow and potentially insecure if created with a small amount of bits, especially after the year 2013. Today, I decided to do some research to find an alternative configuration. Things have moved on since my last check. Large keys are still considered secure, however the elliptic curve cryptography has become much more popular in the recent decade." />
<link rel="canonical" href="http://stefaniuk.co.uk/a-revised-way-of-generating-ssh-keys" />
<meta property="og:url" content="http://stefaniuk.co.uk/a-revised-way-of-generating-ssh-keys" />
<meta property="og:site_name" content="Dan Stefaniuk" />
<meta property="og:type" content="article" />
<meta property="article:published_time" content="2017-09-02T22:16:00+01:00" />
<script type="application/ld+json">
{"@context":"http://schema.org","@type":"BlogPosting","headline":"A Revised Way of Generating SSH Keys","datePublished":"2017-09-02T22:16:00+01:00","dateModified":"2017-09-02T22:40:49+01:00","description":"I've been using 4096-bit RSA SSH keys for quite a few years. The RSA keys are very compatible. They've been working on various operating systems as well as on mobile devices. They are also known as being slow and potentially insecure if created with a small amount of bits, especially after the year 2013. Today, I decided to do some research to find an alternative configuration. Things have moved on since my last check. Large keys are still considered secure, however the elliptic curve cryptography has become much more popular in the recent decade.","mainEntityOfPage":{"@type":"WebPage","@id":"http://stefaniuk.co.uk/a-revised-way-of-generating-ssh-keys"},"url":"http://stefaniuk.co.uk/a-revised-way-of-generating-ssh-keys"}</script>
<!-- End Jekyll SEO tag -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-74924701-1', 'auto');
ga('send', 'pageview');
</script>
<link rel='stylesheet' href='/css/terminal.css'>
</head>
<body>
<header class="site-header">
<div class="wrapper">
<a class="site-title" href="/">Dan Stefaniuk</a>
<nav class="site-nav">
<a href="#" class="menu-icon">
<svg viewBox="0 0 18 15">
<path fill="#424242" d="M18,1.484c0,0.82-0.665,1.484-1.484,1.484H1.484C0.665,2.969,0,2.304,0,1.484l0,0C0,0.665,0.665,0,1.484,0 h15.031C17.335,0,18,0.665,18,1.484L18,1.484z"/>
<path fill="#424242" d="M18,7.516C18,8.335,17.335,9,16.516,9H1.484C0.665,9,0,8.335,0,7.516l0,0c0-0.82,0.665-1.484,1.484-1.484 h15.031C17.335,6.031,18,6.696,18,7.516L18,7.516z"/>
<path fill="#424242" d="M18,13.516C18,14.335,17.335,15,16.516,15H1.484C0.665,15,0,14.335,0,13.516l0,0 c0-0.82,0.665-1.484,1.484-1.484h15.031C17.335,12.031,18,12.696,18,13.516L18,13.516z"/>
</svg>
</a>
<div class="trigger">
<a class="page-link" href="/about/">About</a>
</div>
</nav>
</div>
</header>
<div class="page-content">
<div class="wrapper">
<article class="post" itemscope itemtype="http://schema.org/BlogPosting">
<header class="post-header">
<h1 class="post-title" itemprop="name headline">A Revised Way of Generating SSH Keys</h1>
<p class="post-meta">
<time datetime="2017-09-02T22:16:00+01:00" itemprop="datePublished">2 September 2017</time>
</p>
</header>
<div class="post-content" itemprop="articleBody">
<p>I've been using 4096-bit RSA SSH keys for quite a few years. The RSA keys are very compatible. They've been working on various operating systems as well as on mobile devices. They are also known as being slow and potentially insecure if created with a small amount of bits, especially after the year 2013. Today, I decided to do some research to find an alternative configuration. Things have moved on since my last check. Large keys are still considered secure, however the <a href="https://en.wikipedia.org/wiki/Elliptic_curve_cryptography"><strong>elliptic curve cryptography</strong></a> has become much more popular in the recent decade.</p>
<p><em>"The primary benefit promised by elliptic curve cryptography is a smaller key size, reducing storage and transmission requirements, i.e. that an elliptic curve group could provide the same level of security afforded by an RSA-based system with a large modulus and correspondingly larger key: for example, a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key."</em></p>
<p>My take on it is that if this new signature algorithm can give us similar or even <strong>better level of security</strong> (yes, its implementation is more secure than RSA) with a <strong>comparable flexibility</strong> using <strong>less resources</strong>, it is definitely time to adopt it. For anyone who is interested in a detailed explanation how exactly it works a lot of papers have been published providing mathematical rationale behind it.</p>
<p><a href="https://ed25519.cr.yp.to/"><strong>Ed25519</strong></a> is a digital signature scheme based on Twisted Edwards curves. Its has been <a href="https://github.com/openssh/openssh-portable/commit/5be9d9e3cbd9c66f24745d25bf2e809c1d158ee0#diff-e71776f50c4432cb9cd999367424de20">added to the OpenSSH codebase</a> on the 7th of December 2013. Since then no issue was reported against it.</p>
<p>The easies way to generate such an SSH key is by using the <code>ssh-keygen</code> command of the OpenSSH package:</p>
<div class="highlight"><pre><code class="language-" data-lang="">ssh-keygen -t ed25519 -o -a 100
</code></pre></div>
<p>The <code>-t ed25519</code> parameter is used to generate two asymmetrical keys based on the elliptic curve cryptography. The output is produced in the new <a href="https://tools.ietf.org/html/rfc4716">RFC4716</a> format rather than the well known PEM and the flag <code>-o</code> to support it is implied by default so it can be omitted. It enforces use of a modern key derivation function (KDF) powered by combination of <a href="https://github.com/openssh/openssh-portable/blob/f104da263de995f66b6861b4f3368264ee483d7f/openbsd-compat/bcrypt_pbkdf.c">PBKDF2 and bcrypt</a>. In practice this means that our keypair is more resistant to brute-force password cracking. This is especially true when combined with the <code>-a <rounds></code> parameter which specifies the number of key derivation function rounds to be used. Higher the number more time it takes to unlock the key.</p>
<p>Time to see the result of the above command. Here is an example of my revised way of generating SSH keys along with content of the files.</p>
<p> </p>
<div class="terminal">
<nav>
<a href="#" class="close">close</a>
<a href="#" class="minimize">minimize</a>
<a href="#" class="deactivate">deactivate</a>
</nav>
<h3 class="title">Terminal</h3>
<pre>
<span class='command'>ssh-keygen -t ed25519 -a 100 -C "my-key-comment" -f my-key-name</span>
<span class='output'>Generating public/private ed25519 key pair.</span>
<span class='output'>Enter passphrase (empty for no passphrase):</span>
<span class='output'>Enter same passphrase again:</span>
<span class='output'>Your identification has been saved in my-key-name.</span>
<span class='output'>Your public key has been saved in my-key-name.pub.</span>
<span class='output'>The key fingerprint is:</span>
<span class='output'>SHA256:GIh0NDZ6WhZLyFJxq8dpbJ7aAwfEpJdgBsgxs/5NziM my-key-comment</span>
<span class='output'>The key's randomart image is:</span>
<span class='output'>+--[ED25519 256]--+</span>
<span class='output'>|*@*+X |</span>
<span class='output'>|==OO B |</span>
<span class='output'>|.+= B . |</span>
<span class='output'>|...O . o |</span>
<span class='output'>| .o.B.. S |</span>
<span class='output'>| o=*. |</span>
<span class='output'>| Eo= |</span>
<span class='output'>| oo . |</span>
<span class='output'>| . .. |</span>
<span class='output'>+----[SHA256]-----+</span>
<span class='command'>puttygen my-key-name -C "my-key-comment" -o my-key-name.ppk</span>
<span class='output'>Enter passphrase to load key:</span>
<span class='command'>ls -la my-key-name*</span>
<span class='output'>-rw------- 1 dan staff 464 3 Sep 21:27 my-key-name</span>
<span class='output'>-rw------- 1 dan staff 304 3 Sep 21:27 my-key-name.ppk</span>
<span class='output'>-rw-r--r-- 1 dan staff 96 3 Sep 21:27 my-key-name.pub</span>
<span class='command'>cat my-key-name</span>
<span class='output'>-----BEGIN OPENSSH PRIVATE KEY-----</span>
<span class='output'>b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABA+HlsP7o</span>
<span class='output'>3Jzj8b+N+WhbEuAAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIErbaYC9ZHLEtCY3</span>
<span class='output'>uDDl0LqRwlxLSGoHO1IBrvhzikyVAAAAoD632B3FjYbZmkLco+r7BVIvK3r1Cn2dJE8Q4N</span>
<span class='output'>l9IES8bieUYPxDi3uu3gaIcWwygdHTM5zFMqWePJgNP2M0jvfLkQLbaJd816D/BYwUGcTR</span>
<span class='output'>3Mgo7Rnf1qqoen70rwl67bbTaN8D0M5dNL5EkYdKvOoiRhoyQEIdptNOWF6rjwMyfloWw9</span>
<span class='output'>JMKCOfYrSUB4pDf6mgbWw7+60IUrIc+BeAQgc=</span>
<span class='output'>-----END OPENSSH PRIVATE KEY-----</span>
<span class='command'>cat my-key-name.pub</span>
<span class='output'>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErbaYC9ZHLEtCY3uDDl0LqRwlxLSGoHO1IBrvhzikyV my-key-comment</span>
<span class='command'>cat my-key-name.ppk</span>
<span class='output'>PuTTY-User-Key-File-2: ssh-ed25519</span>
<span class='output'>Encryption: aes256-cbc</span>
<span class='output'>Comment: my-key-comment</span>
<span class='output'>Public-Lines: 2</span>
<span class='output'>AAAAC3NzaC1lZDI1NTE5AAAAIErbaYC9ZHLEtCY3uDDl0LqRwlxLSGoHO1IBrvhz</span>
<span class='output'>ikyV</span>
<span class='output'>Private-Lines: 1</span>
<span class='output'>63bsFlto1i20tXwFu3xveXsGtDD7hEmsM0FrIGqviHn4O2xXG9Pwjmhmwf+z8rJe</span>
<span class='output'>Private-MAC: 72102d9a0f158f653577df276fcf329b482df329</span>
</pre>
</div>
</div>
</article>
<div id="disqus_thread"></div>
<script>
var disqus_config = function () {
this.page.identifier = '/a-revised-way-of-generating-ssh-keys';
this.page.title = 'A Revised Way of Generating SSH Keys';
};
(function() {
var d = document, s = d.createElement('script');
s.src = '//stefaniuk.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer class="site-footer">
<div class="wrapper">
<div class="footer-col-wrapper">
<div class="footer-col footer-col-1">
<ul class="contact-list">
<li>Dan Stefaniuk</li>
<li><a href="mailto:daniel.stefaniuk@gmail.com">daniel.stefaniuk@gmail.com</a></li>
</ul>
</div>
<div class="footer-col footer-col-2">
<ul class="social-media-list">
<li>
<a href="https://github.com/stefaniuk"><span class="icon icon--github"><svg viewBox="0 0 16 16"><path fill="#828282" d="M7.999,0.431c-4.285,0-7.76,3.474-7.76,7.761 c0,3.428,2.223,6.337,5.307,7.363c0.388,0.071,0.53-0.168,0.53-0.374c0-0.184-0.007-0.672-0.01-1.32 c-2.159,0.469-2.614-1.04-2.614-1.04c-0.353-0.896-0.862-1.135-0.862-1.135c-0.705-0.481,0.053-0.472,0.053-0.472 c0.779,0.055,1.189,0.8,1.189,0.8c0.692,1.186,1.816,0.843,2.258,0.645c0.071-0.502,0.271-0.843,0.493-1.037 C4.86,11.425,3.049,10.76,3.049,7.786c0-0.847,0.302-1.54,0.799-2.082C3.768,5.507,3.501,4.718,3.924,3.65 c0,0,0.652-0.209,2.134,0.796C6.677,4.273,7.34,4.187,8,4.184c0.659,0.003,1.323,0.089,1.943,0.261 c1.482-1.004,2.132-0.796,2.132-0.796c0.423,1.068,0.157,1.857,0.077,2.054c0.497,0.542,0.798,1.235,0.798,2.082 c0,2.981-1.814,3.637-3.543,3.829c0.279,0.24,0.527,0.713,0.527,1.437c0,1.037-0.01,1.874-0.01,2.129 c0,0.208,0.14,0.449,0.534,0.373c3.081-1.028,5.302-3.935,5.302-7.362C15.76,3.906,12.285,0.431,7.999,0.431z"/></svg>
</span></a>
</li>
<li>
<a href="https://stackoverflow.com/users/472150"><span class="icon icon--stackoverflow"><svg viewBox="0 0 512 512"><g><path d="M109.6,301.5c0,56.8,0,113.4,0,170.4c85.8,0,171.1,0,257.1,0c0-56.8,0-113.5,0-170.5c11.3,0,22,0,33.1,0 c0,67.8,0,135.6,0,203.6c-107.9,0-215.5,0-323.5,0c0-67.9,0-135.5,0-203.5C87.1,301.5,98,301.5,109.6,301.5z"/><path d="M333,397.4c0,13.9,0,27.3,0,41.2c-65,0-129.9,0-195.2,0c0-13.5,0-27.2,0-41.2C202.9,397.4,267.6,397.4,333,397.4z"/><path d="M185.6,177.3c7.2-12.2,14-23.8,21.3-36c56.2,33.1,112.2,66.1,168.8,99.5c-7.1,12-14,23.8-21.2,36.1 C298.1,243.7,242.1,210.6,185.6,177.3z"/><path d="M340.1,329.2c-63.2-17-125.9-33.8-189.2-50.9c3.6-13.5,7.2-26.7,10.8-40.4c63.1,17,126,33.8,189.3,50.9 C347.3,302.4,343.7,315.6,340.1,329.2z"/><path d="M391.1,15.9c14-2.4,27.3-4.7,41.2-7.1c11.2,64.4,22.3,128.5,33.5,193c-13.7,2.4-27.2,4.7-41.2,7.2 C413.4,144.7,402.3,80.7,391.1,15.9z"/><path d="M417.1,211.6c-11.8,8-23,15.7-34.6,23.5c-36.8-54-73.5-107.7-110.4-161.9c11.5-7.9,22.9-15.6,34.6-23.6 C343.5,103.7,380.2,157.4,417.1,211.6z"/><path d="M338.1,343.4c-1.3,14.2-2.6,27.7-3.8,41.7c-65.2-6-130-12-195.2-18c1.3-14.1,2.6-27.6,3.9-41.7 C208,331.4,272.7,337.4,338.1,343.4z"/></g></svg>
</span></a>
</li>
<li>
<a href="https://twitter.com/danstefaniuk"><span class="icon icon--twitter"><svg viewBox="0 0 16 16"><path fill="#828282" d="M15.969,3.058c-0.586,0.26-1.217,0.436-1.878,0.515c0.675-0.405,1.194-1.045,1.438-1.809c-0.632,0.375-1.332,0.647-2.076,0.793c-0.596-0.636-1.446-1.033-2.387-1.033c-1.806,0-3.27,1.464-3.27,3.27 c0,0.256,0.029,0.506,0.085,0.745C5.163,5.404,2.753,4.102,1.14,2.124C0.859,2.607,0.698,3.168,0.698,3.767 c0,1.134,0.577,2.135,1.455,2.722C1.616,6.472,1.112,6.325,0.671,6.08c0,0.014,0,0.027,0,0.041c0,1.584,1.127,2.906,2.623,3.206 C3.02,9.402,2.731,9.442,2.433,9.442c-0.211,0-0.416-0.021-0.615-0.059c0.416,1.299,1.624,2.245,3.055,2.271 c-1.119,0.877-2.529,1.4-4.061,1.4c-0.264,0-0.524-0.015-0.78-0.046c1.447,0.928,3.166,1.469,5.013,1.469 c6.015,0,9.304-4.983,9.304-9.304c0-0.142-0.003-0.283-0.009-0.423C14.976,4.29,15.531,3.714,15.969,3.058z"/></svg>
</span></a>
</li>
<li>
<a href="https://uk.linkedin.com/in/dstefaniuk"><span class="icon icon--linkedin"><svg viewBox="0 0 67 67"><path fill="#828282" d="M49.837,48.137V36.425c0-6.275-3.35-9.195-7.816-9.195 c-3.604,0-5.219,1.983-6.119,3.374V27.71h-6.79c0.09,1.917,0,20.427,0,20.427h6.79V36.729c0-0.609,0.044-1.219,0.224-1.655 c0.49-1.22,1.607-2.483,3.482-2.483c2.458,0,3.44,1.873,3.44,4.618v10.929H49.837z M21.959,24.922c2.367,0,3.842-1.57,3.842-3.531 c-0.044-2.003-1.475-3.528-3.797-3.528s-3.841,1.524-3.841,3.528c0,1.961,1.474,3.531,3.753,3.531H21.959z M33,64 C16.432,64,3,50.568,3,34C3,17.431,16.432,4,33,4s30,13.431,30,30C63,50.568,49.568,64,33,64z M25.354,48.137V27.71h-6.789v20.427 H25.354z"/></svg>
</span></a>
</li>
</ul>
</div>
<div class="footer-col footer-col-3">
<p>A blog about software development.
</p>
</div>
</div>
</div>
</footer>
</body>
</html>