- Install
$ wget "https://github.com/str4d/rage/releases/download/v0.9.1/rage_0.9.1_amd64.deb" $ sudo apt install ./rage_0.9.1_amd64.deb -y
- Create key-pair
$ rage-keygen -o key.txt Public key: age1rjdtmp2f5zn3ljcd92cfajgtevwtvfnsmxvx7tqmy7lpftwfhs5qwz66rh
- Create file and encrypt using Mahdi's key
$ echo "test" > plaintext $ cat plaintext test $ cat plaintext | rage -r age195v6c8pkyt5erx5nl4malpuuec2gc8z3xewfkylvnan34g6q6u9sdzmckn > crypt.age
- Send email to Mahdi and Samuel with the file crypt.age and with the text only Mahdi can decrypt the attached file..
- Cleanup
rm rage_0.9.1_amd64.deb plaintext* crypt.age sudo apt remove -y rage
- Connect
ssh oscaande104@hex.cse.kau.se
, got fingerprintECDSA key fingerprint is SHA256:pB1lZf5IkBmBfLJXvuycTzHPhaFe6c87VOtsZg7Hl6Q
and selecting yes to trust this. Inputing KAUID password and being greeted with;Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-208-generic x86_64) ...
- The connection works, now
exit
. - Generate key
oscar@DESKTOP-CCRNBR0:~$ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. ... The key's randomart image is: +--[ED25519 256]--+ |EB. ... | |O+o. . . | |+*O . o . | |o*oO o o + . | |+.o.* S . * o | | o... . + . . | | .o . . | | o o o | | ++ . . | +----[SHA256]-----+
- Login to the server again using password, and input ssh key fingerprint
from
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJiu26bcFkazLEhtFaeGALRQNXLlhzRB5v0Cql5DAFU2 oscar@DESKTOP-CCRNBR0
.ssh/id_ed25519.pub
from the client to∼/.ssh/authorized_keys
on the server using vim. Exit
ssh session.- Login using
ssh oscaande104@hex.cse.kau.se -v
to see the debug log, the log saysdebug1: Will attempt key: /home/oscar/.ssh/id_ed25519 ED25519 SHA256:d1YLzrcaFACqljDzDPqUwEGIrWZ0AKTg8+s3ugREvAE
and thendebug1: Server accepts key: /home/oscar/.ssh/id_ed25519 ED25519 SHA256:d1YLzrcaFACqljDzDPqUwEGIrWZ0AKTg8+s3ugREvAE
which results indebug1: Authentication succeeded (publickey).
. - Cleanup
rm .ssh/id_ed25519*; truncate .ssh/known_hosts --size 0
PGP (Pretty Good Privacy) is a public-key encryption protocol that estblishes rules for key-pair creation, encryption, decryption and signing. With PGP a user can prove thier identity by signing messages with thier private key as well as encrypting the plaintext message using the recipient's public key.
If a user for security reasons needs to rotate keys, i.e. generate a new keys and prove that thier new key is thier own, they can easiliy do that. Just by signing thier new public key using thier old private key. Altough if the user is doing this becouse thier key is stolen, trust might be breached anyway.
PGP is a by now old and also very capable standard for encrypting, signing och decrypting messages using public and private keys. The PGP protocol is implemented by GPG and many others and it's implementation varies between use cases, "in the wild" you will find various setups of algorithms. This leads us into RAGE which is a rust implementation of AGE, AGE is like PGP altough less complex and with fewer options. In the world of secure communication fewer option is good, becouse there is always the psychological aspect of information security, if being secure is too difficult people don't do it right.
SSH is a encryption protocol as well as a transport protocol, it is domain specific and is intended for use with sending commands to Linux and other BSD based systems. Note that SSH is avaliable for Windows as well, but usually protocols like RDP is prefered for that specific platform. SSH has several implementations altough the most popular is OpenSSH.
SSH is widely used and is simple to setup, altough a bit tricky to secure. Best practise is to dissallow passwords and only allow authentication using public keys. As with GPG the key pair generation on the client and the public key matching on the server leaves administrators and users with endless options and choosing the correct algorithm for your use case can be difficult. I find that sticking with ed25519
is a solid option, if you are trying to connect to a outdated server that has not updated it's server implementation since 2014 you can resort to using the RSA
algorithm preferably with a bit length no smaller than 2048 bits.
This document is the work of Oscar Andersson for the course DVGC20 at KAU.