-
Notifications
You must be signed in to change notification settings - Fork 0
Asymmetric cryptography
Private key format is common for SSH and SSL. From here:
SSH private key is in fact the same as an SSL key. If the key was generated using ssh-keygen -t rsa then it is a 2048-bit RSA private key for SSL.
$ ssh-keygen -t rsa -N "" -C "" -f privkey1.pem
Generating public/private rsa key pair.
Your identification has been saved in privkey1.pem.
Your public key has been saved in privkey1.pem.pub.
The key fingerprint is:
d9:2b:f2:09:39:76:0c:90:4e:a4:ea:c0:7b:82:01:4d
The key's randomart image is:
+--[ RSA 2048]----+
| E . |
| o o . |
|. o + |
|o. o . o |
|+. . . S . |
|+.. + . |
|.+ . * + . |
| o . * o |
| o |
+-----------------+
Note: it generates public key as well.
Generate private key with openssl
:
$ openssl genrsa -out privkey2.pem 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................................+++
...................+++
e is 65537 (0x10001)
1 -----BEGIN RSA PRIVATE KEY-----
2 MIIEpAIBAAKCAQEA3+mVcuvSQPkiedXhoLUlRZSf3jE70Sy8uBldtThqaVa3ZIT8
3 77kwrdpM2Lv2gh1yP2jLvxo7nHFAXdVyp5LHa9mY2doKS8bYv/ZPfN/jgFiLMLks
4 mXGCfq0sEpXvETIKa98wqZ5r7kyWn4eUACwU6pIvtIYK6C2WIA8ReJ53kfJ9Aezc
5 f0pXmBdRG+Btbt/GaTUfzmEs5+yXwJrs6jpyh370LknwZJRT6OKWpkUUkERTrKXp
6 DE9xdXO0Izhk+L+OQ7RfdNfqnTLYkaQwXx4new87GglkC6Vm+ngRZzpwzb/w6O3f
7 zK6XLx3E40Vsqd2p5ppyAFFSDaFpXgjiUDonyQIDAQABAoIBAQDWhu9e6b3J7mgv
8 ntHLrYKGRb1dnoIXCOvO3s6/P8wEHMcckaXc7+tJxit2Q7AMPbYmNntvHu0aGA95
9 V3XAQ4q5NAOURakzrNIiKRVDKSbI4wyIpAGtCenjAHuHWwtvyCff7jiralMyP0LY
10 mYcdGx73FxSJuxtcE8EP+h/dFsasloKETF9nGogJ0i6PlQTfHl4JmO+SYfBkZM44
11 Do6G14raiW9PTIH6cbp5kh8CXiJZqsgYN3Bz0kfNOUmmd4na/JCsR2x9DrGDt3oG
12 nImjDs1PtcEe0AG9cRpnk4e5nWFnrpTVu6p/onrlo50TozItR7F0WbKuxdkS9IGA
13 nkNZyJV5AoGBAPNiaZBcwASm9sceRuhU7JK2m4PU55h6CCaQamMpbvQ/bXJDJVN8
14 6q9oCOV6fH8JiKWBrHDsYDtuEQk7C8pLmnRr2tNoQG2uobZnaQijsLdeAv8NBG76
15 dStj9YR/XnpxtQK8KExBa8CnorVaKfQ9vebqsY5CEaZMIaMD61vEeTOvAoGBAOuE
16 yb4RKgCZhqkEp53bWoTGUBYox3tFtj8NjCwWsuCJ8+7WwAzwdDy6Zmf4FvFTom+f
17 ETYgwUe5tFP33bxeAc2OuQyyCwe6/OAfwCxO6xFRuCdSFrTnfiNmYE5G7JONGzp6
18 863V+1s+9JqPGXkv2VjydFA/q2FBkfTsjHzRW6IHAoGBAJWksbFQRcPWgK7m/8QD
19 yz1dx3qkIg2PIonLi44SwKSuhvWVMVMG4CkfNzEZQYi+bOUOON9phrWjtBfP1Sz5
20 lSr10aLgW5TUpZtIM71bH+FujTsSXuJ5Xidim2dvBMEWPqxC0igopT7cE1+b42XH
21 vIZJUQhduQpdjuTzGPfgcoEDAoGABFHRKW1DKfOm5p6xPFHznQ/OFDn3PqmOqCVl
22 dsGL0lZ1ZOIHb7VRTHPWwP1p3k88YXO3axi6ssgTKJ8ZMAVBXzXI6xSw4xlo3et3
23 KNjhstWe3QnCZNsCE0AjcAwY9rPV1gK/SWbtT0UeU19ghjp8cAcyXu5sBEKhnK5h
24 /UARwC0CgYA10+LRGMJf4gWWjIm64niUWtQ3Zuo8pKGQVtqlOCDpISpQOngWnkgE
25 r0QAWg98TSNaVBuYOdYjMHN8DUbeuWa7bIdDekmbCyaUU4xM9uWfz49cIKBw4jOZ
26 sgAPYkLZTXnjWgYnjVKUMaA/UB4V9Y6HDqhsJu6fRFUyqX3vkDBT/g==
27 -----END RSA PRIVATE KEY-----
1 -----BEGIN RSA PRIVATE KEY-----
2 MIIEowIBAAKCAQEA30TjV+EkmSnI/yx180J4sMdBDEBWkxeypsnaNV9UTQomb3xp
3 VzVTWM5LjE7lAECeRuUUzFNLyP3VN5diFNjZUZGaLjDLhkLhJKjQ2vJCv3zek0co
4 VFEkzOuXEnGDaSgXGMFnR51ABZlnC5K4x0wp8Jpysyg1DqjQ1ixLFao1IJD3U5d3
5 hTJvyAop85xbE9KBZenLFL2m+m/yQtS7e3G5KtsdYgSpGFc5PHo1oik2Z6dLmkvK
6 7bqja61x6Nv3Lgoaw36YxZLRiA9i97uwy3l6fIV0PN4vh7BDRWSXdb+ik/89JdMg
7 eztpK9Dvnl8jPfkWBnBRuHULPPBornbTD7523QIDAQABAoIBAGkhG9eGaOBB36Xf
8 vo5Tr1a2C/gD14AdeX61ryzQfXZlICIAt+1ba6p2QPaJM6VByAVj2r43PokelKY/
9 fuyICxQwdiPnz/2hQjgr0WQ3DJzz5C3/JItHRgfDqvgBQTpjqTR75PDAp6O7Tt0R
10 MjaNs3Xak8WuWgVUEjm204gZBDkXiGfOZZ2KAAjqCVgKpKwr1HV6L33t3cVRUBRb
11 8xAFSOUCZQe+GSKgSAHytg0TfwyU2Jt5h0tV4hnYwRiuDos3OafvYUEUnPHgVMr9
12 RmaTT//xnXEKXG6qeL3tMzH048m3EjtITgCJduuK4VXRelNONnnSJ0yHHLX8wfXh
13 x31x1hUCgYEA8BI6NNN+EjKFX4B/xguPCdepx1PFHhGYWNJol6W7bdEcFfFwcE31
14 +rGKW2XVR/PEyX3v+0CvV9fsRwwqAdGcrLCOskrbAiAZ2Hk8LED+OGtkDqBzWRC0
15 3PD3mG73tP5r9RV+sPqnNsowRyF5+3zDsOWUi73ixGOEj+Zf6lLFuT8CgYEA7hVD
16 9pBszR8rl57jgEtY9MlV7rK3N1f/M0EWG+u+KvHbBMzxfhRO/QEHqVNNfA2Qt+om
17 vrQxkYNSYKX/66T3w3HXOh8/6Ss07HLALiQ2mOe6tVYjER/HBEUpd6eFBkrdUmn8
18 gYwD0j3GWNNp3slkXh49drLRUIV442L5Y7zzzOMCgYAxTz0fXpVVfYUBga486mDd
19 36siouUo8Oo+zDDpfQQLYVkIdMfoeUrdzBuj/D2bgslXrYNeMwIQ4+vHCAuUxg4N
20 NlKI8nEbdaZ5XSVr3YmZ4wzxKCmpEJJlkyT37Ur5pQxdkaWtCj7QNSVHZuvcKNs0
21 +WLSdRUfy2UN/X6T7Z5pFwKBgQCxTXjtmCTOpVXrdlJqarJ2qbGrL8CuIIRXATOb
22 23YluTOoYY++mxUv6aJxAS6FIf0SWfg8sSjw+uFQRI9QR+yTyqXEDR2lYZ3qMJLa
23 SfG28WvkO5+l0wp9LZxyFXlFdF9aTr/TIhh+a67Y26jOVyC9zrtrOEQVOTEL9dtP
24 4ZmWjQKBgDuDxk9nhKY1GFwAaS5cCXLJ6gjvstAwGsYMipZrhUk5yqVpp1+5NsTv
25 lpMTp1nEzpfnR/Q6oodCCn96CXm5WTnmVOSAfKtRmN/EbPTLccPQfIG8SoG1r5QD
26 J8xymYVXDrkVOVt/2lE9yuEs3AV28Zw/0w4ZYKgheVWewWpfRIgQ
27 -----END RSA PRIVATE KEY-----
$ openssl rsa -in privkey2.pem -pubout -out ssl.pub
writing RSA key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDf6ZVy69JA+SJ51eGgtSVFlJ/eMTvRL...
Note: SSH public key is one-line entry for convenient addition to .ssh/authorized_keys
.
1 -----BEGIN PUBLIC KEY-----
2 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA30TjV+EkmSnI/yx180J4
3 sMdBDEBWkxeypsnaNV9UTQomb3xpVzVTWM5LjE7lAECeRuUUzFNLyP3VN5diFNjZ
4 UZGaLjDLhkLhJKjQ2vJCv3zek0coVFEkzOuXEnGDaSgXGMFnR51ABZlnC5K4x0wp
5 8Jpysyg1DqjQ1ixLFao1IJD3U5d3hTJvyAop85xbE9KBZenLFL2m+m/yQtS7e3G5
6 KtsdYgSpGFc5PHo1oik2Z6dLmkvK7bqja61x6Nv3Lgoaw36YxZLRiA9i97uwy3l6
7 fIV0PN4vh7BDRWSXdb+ik/89JdMgeztpK9Dvnl8jPfkWBnBRuHULPPBornbTD752
8 3QIDAQAB
9 -----END PUBLIC KEY-----
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 11499 -nodes
- Note: maximum value for
-days
: 11499 (-1 will not work)
Don't forget to replace following sections (see man req
):
[ req_distinguished_name ]
C=RU
ST=Moscow
L=Moscow
O=Self-Signed by midenok
CN=midenok
[ req_attributes ]
openssl x509 -in cert.pem -text -noout
SSL and SSH both provide the cryptographic elements to build a tunnel for confidential data transport with checked integrity. For that part, they use similar techniques, and may suffer from the same kind of attacks, so they should provide similar security (i.e. good security) assuming they are both properly implemented. That both exist is a kind of NIH syndrome: the SSH developers should have reused SSL for the tunnel part (the SSL protocol is flexible enough to accommodate many variations, including not using certificates).
They differ on the things which are around the tunnel. SSL traditionally uses X.509 certificates for announcing server and client public keys; SSH has its own format. Also, SSH comes with a set of protocols for what goes inside the tunnel (multiplexing several transfers, performing password-based authentication within the tunnel, terminal management...) while there is no such thing in SSL, or, more accurately, when such things are used in SSL they are not considered to be part of SSL (for instance, when doing password-based HTTP authentication in a SSL tunnel, we say that it is part of "HTTPS", but it really works in a way similar to what happens with SSH).
Conceptually, you could take SSH and replace the tunnel part with the one from SSL. You could also take HTTPS and replace the SSL thing with SSH-with-data-transport and a hook to extract the server public key from its certificate. There is no scientific impossibility and, if done properly, security would remain the same. However, there is no widespread set of conventions or existing tools for that.
So we do not use SSL and SSH for the same things, but that's because of what tools historically came with the implementations of those protocols, not due to a security related difference. And whoever implements SSL or SSH would be well advised to look at what kind of attacks were tried on both protocols.