Fun puzzle: How to generate keypair without anyone seeing the private key?

1

This article will help you generate a PGP key pair that you can use in a GoodData Single Sign-On implementation.

How to generate a PGP key pair

There are many options for generating a new public/private key pair. You may use the gpg command line utility or download a desktop app for this purpose.

gpg

If you are using the gpg command line utility, generate the new key pair using the following command:

gpg --gen-key

After you have generated your new key, you can export it to a file using the following command:

gpg --export -a "email@address.com" > public.key

The email address is the same as you used for generating the key pair.

Now, import the GoodData Public Key to your keystore:

gpg --import gooddata-sso.pub

To download the public key, click here.

Desktop clients

The following desktop clients may be useful for generating key...

0 0
2

All of the above answers assume that the given private key - that you know nothing about and want to find out if it matches the given public key - HAS NO PASSPHRASE. If the private key has a passphrase, then both

ssh-keygen -y -f PRIVATEKEY

and

openssl (rsa or dsa) -in PRIVATEKEY -modulus -noout

ask for the passphrase. If you have an UNKNOWN private key, you don't know whether it has a passphrase or not - let alone what the passphrase is if the key has one.

So practically, it's worth trying the above commands, but if they then ask for a passphrase, you're stuck: you can't extract the public key and its modulus to match with the second field on the public key file. Does anyone know a way round...

0 0
3

I cannot help you with the graphical user interface, as I currently do not have a Windows computer around.

But all the graphical user interfaces do is interface with the command line gpg.exe application (on Linux, OS X and other unixoid systems, you would simply use gpg instead), which you can also use directly (and for generating a key, use is definitely not very complicated).

Open a command prompt. If I remember correctly, the GPG4Win installer already sets the PATH variable, so you can directly run gpg.exe from any location. If you receive some error message that gpg.exe was not found, run cd C:\Path\To\Your\GnuPG-Folder, and run the command from there again.

To create a key, use the key generation wizard, which is started by running gpg.exe --gen-key. Enter the appropriate details whenever asked, but omit the password (by simply pressing the enter button; be aware that no output shows up on the command line when typing passwords!).

The key generated on...

0 0
4

Real talk: passwords are bad. Passwords are notoriously hard to remember, yet easy for attackers to break. A secure password is a long, meaningless string containing a mix of letters, numbers, and symbols. Because they’re so hard to remember, it’s tempting to use the same password everywhere, which means you have to change all your passwords if just one login gets compromised.

Fortunately for us, SSH allows connections to be authenticated using keys. Key-based authentication is a huge improvement over a simple username and password combination.

Instead of a password, you have a pair of matched keys: one public, and one private. Anyone with access to the public key can use it to encrypt information, which can only be decrypted using the corresponding private key.

Watch this video for a non-technical illustration of how this works (with paint!).

First, we need some keys to use.

Did your server provide you with keys? Great! Let’s skip down a bit. Don’t...
0 0
5

I want to generate GnuPG public private key pairs. I have gpg and not gpg2 installed. So I went to terminal and did:

gpg --gen-key

output:

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

I selected 1

Output:

What keysize do you want? (2048)

I selected 4096

Output:

Key is valid for? (0)

I selected 0

Output:

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Name Title (some comment) "

Real name: My Name
Email address: example@email.com
Comment: comment
You selected this USER-ID:
"My Name (comment) "

Output:

You need a Passphrase to protect your secret key.

I gave passphrase

Output:

gpg: key XXXXXXXL marked as ultimately trusted
public and secret key created and signed.
pub ABCDE/XXXXXXXL 2016-06-09
Key fingerprint = XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXXL
uid...
0 0
6

You already have a public key

You will always generate a keypair. It's a public and private key shown as one entry. As you can always derive a public key from a private one, anyway.

What Seahorse and GPG do is just list keys and only denote that you can sign/decrypt using those keys if there's a private key available for them. Once you import others' public keys, you will see those listed as public-only keys, only available for encryption and signature validation.

As you can see, Seahorse will display keypairs as a two-key icon, whereas for keys where only a public key is present it will show a single key.

To verify this on the command line, use

gpg --list-keys

This prints all keys in the keyring, regardless of private key availability.

gpg --list-secret-keys

Prints all keys for which a private (secret) key is...

0 0
7

Consider the private key an actual key, and the public key a padlock. Whoever you hand over the padlock can close something (for example, a vault containing the secret message), and only you (keeping the private key safe) can open it again.

And remember the padlock is digital: it is easy to replicate it an unlimited number of times. In fact, you often share it in some public directory to everybody who wants to have it.

My "basic" understanding is that I can generate the public and private keys, encode the file using the public key and our partner can decrypt using the private key we give them. But this sounds a bit strange to me that we would be sharing the private key. There is just one trusted partner.

It's the other way round: The recipient generates the key pair, and passes the public key ("padlock") to you. Now, only the recipient can decrypt the message, as he's the only one holding the private key.

Additionally, you don't have to care...

0 0
8

Create a private-public key pair using Certificate Creation tool

The Certificate Creation tool generates X.509 certificates. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name.

The applications required in this section:

Makecert.exe can be downloaded from: http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.80%29.aspx
Pvk.exe can be downloaded from http://www.drh-consultancy.demon.co.uk/pvktool.zip
Ssh-keygen (which is part of openssh) can be downloaded from http://www.openssh.com
FileZilla can be downloaded from http://filezilla-project.org/download.php
FreeSSHd can be downloaded from http://www.freesshd.com

Follow these steps to create a private-public key pair using Certificate Creation tool:

Put the Makecert.exe application on the C: drive.
Open a command line window.
Type C:\makecert -r -n "CN=Top" -sv D:\top.pvk...
0 0
9

About SSH Keys

SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long strings of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.

Step One—Create the RSA Key Pair

The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):

ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase

Once you have entered the Gen Key command, you will get a few more questions:

...
0 0
10

Nugget's general treatise on public-key authentication

why do I want to use public key authentication?

Passwords aren't the most secure things in the world. Even if a user picks a 'secure' password that's stronger than their dog's name, the password is still susceptible to a brute-force attack. Brute force attacks via ssh against user passwords are quite common on the Internet and several prevalent worms and zombies perform automated attacks incessantly against any internet-connected host. Even a secure password is at risk to these attacks, done by hand or by worm. Allowing password access to a system with many users is an invitation for a security breach.

Additionally, if you've got accounts on a large number of hosts it's tempting to reuse the same password on more than one host to reduce the number of passwords that your fingers have to memorize. Each shared password on a remote system puts you more at risk of a brute force attack on that host's password...

0 0
11
The standard solution to this problem is a smart card. This is shaped like a credit card, but with a tiny, heavily locked down computer inside. That tiny computer is used only for key generation and encryption / decryption, and additionally to make backups of your secret key (but only in a controlled way; eg at key generation time you can back up the key encrypted with a strong password of your choice, and other smart cards can import it; or a separate passphrase is required to make such a backup; etc).

Smart cards were designed for this precise purpose, and the industry standard practice is to use them to transport and back up keys. They are much cheaper than using a separate computer, and likely to be more secure as well; plus you can integrate them with your work on an online machine without worry about the key being compromised. Of course, if you can get away with only using the key offline, having a separate computer for that purpose wouldn't hurt. That way an attacker can't...

0 0
12

You are attempting to answer the question you are asking in the question. Let me get to the root of what you are asking.

From what I understand, you would like to create a 2 party escrow - buyer sends money in a way that can't be retrieved unless both parties are satisfied.

This can be done in two ways in Bitcoin - one through the use of multisignature transactions, other - through split-key addresses.

The first approach is to send the money to 2-of-2 multisignature combination of addresses - one held by the buyer, and another - by the seller. When they reach consensus, they create a transaction, each signs it and money is transferred. The disadvantage of this approach is that if they don't reach consensus, there is no way to settle the money dispute. If you would introduce some third party acting like an escrow and create 2-of-3 multisignature address, then you would need a consensus of any 2 involved parties. If the buyer and seller agree on a consensus,...

0 0
13
...
0 0
14

It may be that it just doesn't like the very short keys you're using.

I found the desktop version of that article which may help, as it has a full example.

EDIT:

The OP realised from the example that you have to tell CryptGenKey how long the keys are, which you do by setting the top 16-bits of the flags to the number of bits you want to use. If you leave this as 0, you get the default key length. This is documented in the Remarks section of the device documentation, and with the dwFlags parameter in the desktop documentation.

For the Diffie-Hellman key-exchange algorithm, the Base provider defaults to 512-bit keys and the Enhanced provider (which is the default) defaults to 1024-bit keys, on Windows XP and later. There doesn't seem to be any documentation for the default lengths on CE.

The code should therefore be:

BYTE p[64] = { 139 }; // little-endian, all other bytes set to 0
BYTE g[64] = { 5 };
CRYPT_DATA_BLOB pblob;
pblob.cbData = sizeof(...
0 0
15

You can connect to GitHub using SSH.

About SSH

Using the SSH protocol, you can connect and authenticate to remote servers and services. With SSH keys, you can connect to GitHub without supplying your username or password at each visit.

Checking for existing SSH keys

Before you generate an SSH key, you can check to see if you have any existing SSH keys.

Generating a new SSH key and adding it to the ssh-agent

After you've checked for existing SSH keys, you can generate a new SSH key to use for authentication, then add it to the ssh-agent.

Adding a new SSH key to your GitHub account

To configure your GitHub account to use your new (or existing) SSH key, you'll also need to add it to your GitHub account.

Testing your SSH connection

After you've set up your SSH key and added it to your GitHub account, you can test your connection.

Working with SSH key passphrases

You can secure...

0 0
16
SSH with Keys HOWTO: SSH with Keys in a console window

This first short section will teach us how to generate a key without a passphrase, and use it in a console.

When you want to use ssh with keys, the first thing that you will need is a key. If you want to know more about how this mechanism works you can have a look in chapter 3, SSH essentials. Since there are 2 versions, we will show examples for both of them.

To create the simplest key, with the default encryption, open up a console, and enter the following command:

[dave@caprice dave]$ ssh-keygen

This will output the following:

Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/dave/.ssh/identity): /home/dave/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dave/.ssh/identity.
Your public key has been saved in /home/dave/.ssh/identity.pub.
The key fingerprint is:...
0 0
17

If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.

You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar):

openssl genrsa -aes128 -passout pass:foobar 2048

However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.

A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:

openssl genrsa -aes128 -passout file:passphrase.txt 2048

Or supply the passphrase on standard input:

openssl genrsa -aes128 -passout stdin 2048

You can also use a named pipe with the file: option, or a file descriptor.

To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the...

0 0
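
The stdin variant from the answer above, as an added shell example that is not part of the original answer: the passphrase reaches openssl through a pipe from the shell builtin printf, so it never appears in any process's argument list. The function names, the file names private.pem and public.pem, and the use of `-passin stdin` for the export step are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep the passphrase out of argv when driving openssl.
# Function and file names are illustrative, not from the original answer.

# gen_key DIR: read the passphrase from stdin and write DIR/private.pem,
# encrypted with AES-128. umask 077 keeps the file owner-readable only.
gen_key() {
    ( umask 077
      openssl genrsa -aes128 -passout stdin \
          -out "$1/private.pem" 2048 2>/dev/null )
}

# export_pub DIR: read the same passphrase from stdin and write the
# matching public key to DIR/public.pem.
export_pub() {
    openssl rsa -in "$1/private.pem" -passin stdin \
        -pubout -out "$1/public.pem" 2>/dev/null
}

# is_encrypted FILE: true when the PEM is passphrase-protected.
# OpenSSL 1.x writes "Proc-Type: 4,ENCRYPTED", 3.x writes
# "BEGIN ENCRYPTED PRIVATE KEY"; both contain the word ENCRYPTED.
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# unlocks FILE: true when the passphrase on stdin decrypts the key.
unlocks() {
    openssl rsa -in "$1" -passin stdin -noout 2>/dev/null
}

# Usage (printf is a builtin, so the passphrase is not in any argv):
#   printf '%s' "$PASSPHRASE" | gen_key /some/dir
#   printf '%s' "$PASSPHRASE" | export_pub /some/dir
```
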
18

why do I want to use public key authentication?

Passwords aren't the most secure things in the world. Even if a user picks a 'secure' password that's stronger than their dog's name, the password is still susceptible to a brute-force attack. Brute force attacks via ssh against user passwords are quite common on the Internet and several prevalent worms and zombies perform automated attacks incessantly against any internet-connected host. Even a secure password is at risk to these attacks, done by hand or by worm. Allowing password access to a system with many users is an invitation for a security breach.

Additionally, if you've got accounts on a large number of hosts it's tempting to reuse the same password on more than one host to reduce the number of passwords that your fingers have to memorize. Each shared password on a remote system puts you more at risk of a brute force attack on that host's password file, and means that if one host is compromised ...

0 0
19

Several people have brought up the fact that ssh host keys are rarely rotated as an argument for not rotating ssl keys. That just seems like another problem to solve. (I apologize for a slightly off-topic answer, but several people here mentioned it so it seems appropriate)

See my answer above for why one might wish to rotate keys.

The following will be particularly useful for everyone who, for compliance reasons, is required to rotate ssh host keys, but who worries about the usability impact on end users.

1) Deploy an ssh_ca (Remarkably complete instructions in man ssh-keygen)

ssh-keygen -f ssh_ca -b 4096

2) Distribute the certificate to your users: Add certificate authority line to ~/.ssh/known_hosts

@cert-authority *.domain.name ssh-rsa AAAAB3[...]== Comment

3) Sign your host keys (be sure to restrict each to an individual host)

ssh-keygen -s ssh_ca -I host.domain.name -h -n host.domain.name -V +52w /etc/ssh/ssh_host_rsa_key.pub

4)...

0 0
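
Steps 1 to 3 of the answer above, run end to end in a scratch directory with a check that the signed certificate really is restricted to one host (an added example, not part of the original answer). The function names are hypothetical, and the keys are throwaway and created without passphrases for the demo only; a real CA key gets a passphrase and stays offline.

```shell
#!/bin/sh
# Added example: SSH host CA workflow with a post-signing check.
# All function names are illustrative; keys are unprotected demo keys.

# make_ca DIR: create the CA key pair DIR/ssh_ca (step 1).
make_ca() {
    ssh-keygen -q -t rsa -b 4096 -N '' -C 'demo CA' -f "$1/ssh_ca"
}

# ca_line DIR PATTERN: the known_hosts line clients add (step 2).
ca_line() {
    printf '@cert-authority %s %s\n' "$2" "$(cat "$1/ssh_ca.pub")"
}

# sign_host DIR FQDN: create a host key in DIR and sign it as a host
# certificate (-h), valid 52 weeks, for the single principal FQDN (step 3).
sign_host() {
    ssh-keygen -q -t rsa -N '' -f "$1/ssh_host_rsa_key" &&
    ssh-keygen -q -s "$1/ssh_ca" -I "$2" -h -n "$2" -V +52w \
        "$1/ssh_host_rsa_key.pub"
}

# cert_principals CERT: print the principals from `ssh-keygen -L`, one per
# line. Prints nothing for a certificate with no principal restriction.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { p = 1; next }
        /Critical Options:/ { p = 0 }
        p                   { gsub(/^[ \t]+/, ""); print }'
}

# cert_ok CERT FQDN: true only for a host certificate whose one and only
# principal is FQDN, i.e. it cannot vouch for any other host name.
cert_ok() {
    ssh-keygen -L -f "$1" | grep -q 'host certificate' &&
    [ "$(cert_principals "$1")" = "$2" ]
}
```
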