Digital Signatures
Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information.
Symmetric-key encryption involves using a single key to encrypt and decrypt data, while asymmetric-key (public-key) encryption uses two keys, one public and one private. Each type of encryption has its own strengths and weaknesses, and the choice between the two depends on the specific needs of the user.[1]
The security of a public-key system depends on the secrecy of the private key, which must not become known to anyone else. Modern encryption techniques are secure because breaking them is computationally infeasible for modern computers. In a public-key encryption scheme:
- anyone can encrypt messages using a public key, but only the holder of the paired private key can decrypt such a message, and
- anyone can verify messages using a public key, but only the holder of the paired private key can sign such a message.
Passkeys
Passphrase
Generate a secure passphrase and copy it to your clipboard using pwgen and xclip:
sudo dnf install pwgen xclip
pwgen -s 32 1 | tee >(xclip -sel c)
# mCiIVukNJukuZiApUUfeR7suQ2hvjZHL
Keys
Generate your Ed25519[2] SSH public/private key pair using ssh-keygen and use the passphrase copied earlier:
ssh-keygen -t ed25519 -C "[email protected]"
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519
Your public key has been saved in id_ed25519.pub
The key fingerprint is:
SHA256:qyzDJRybalzUZWLBJCIzcQrVe7Y/51NZBeVQhA+VFeU [email protected]
The key's randomart image is:
+--[ED25519 256]--+
|*o+..oo. oO%|
|.* ...+ o o=.|
|. + + +E|
| + + . .|
| o * .S o |
| * o . o |
| . + o .. . |
| + +. .o o |
| . oo +.. |
+----[SHA256]-----+
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+JIm2jYn+aJbf4qZwwSaruUjcFvtf895MNSAt2iO0c [email protected]
Signature
Sign secret content from standard input using ssh-keygen -Y sign; you will be prompted for your passphrase:
echo "Secret." | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file > secret.txt.sig
# Signing data on standard input
A secret file can also be signed by providing it as an argument to ssh-keygen -Y sign:
echo "Secret." > secret.txt
ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file secret.txt
# Signing file secret.txt
# Write signature to secret.txt.sig
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgH4kibaNif5olt/ipnDBJqu5SNw
W+1/z3kw1IC3aI7RwAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
OQAAAECgPuYpggNMYjUZ56WQac0N59WbcvV6M2cOWFAN4ObB5xOYirQ5jqL9bbBoNiNnJ5
evok8oT/ROyN6qYVKiragA
-----END SSH SIGNATURE-----
Verification
Check the secret content and its signature using ssh-keygen -Y check-novalidate:
echo "Secret." | ssh-keygen -Y check-novalidate -f ~/.ssh/id_ed25519.pub -n file -s secret.txt.sig
ssh-keygen -Y check-novalidate -f ~/.ssh/id_ed25519.pub -n file -s secret.txt.sig < secret.txt
# Good "file" signature with ED25519 key SHA256:qyzDJRybalzUZWLBJCIzcQrVe7Y/51NZBeVQhA+VFeU
The process fails when you use a different secret content, a different signature, or a different public key:
echo "s3cret." | ssh-keygen -Y check-novalidate -f ~/.ssh/id_ed25519.pub -n file -s secret.txt.sig
# Signature verification failed: incorrect signature
# Could not verify signature.
Identity principals, that is, email addresses and their associated public keys, that are allowed to sign (allowed signers) can be added to ~/.ssh/allowed_keys:
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
# 256 SHA256:qyzDJRybalzUZWLBJCIzcQrVe7Y/51NZBeVQhA+VFeU [email protected] (ED25519)
cat ~/.ssh/id_ed25519.pub
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+JIm2jYn+aJbf4qZwwSaruUjcFvtf895MNSAt2iO0c [email protected]
echo "[email protected] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+JIm2jYn+aJbf4qZwwSaruUjcFvtf895MNSAt2iO0c" >> ~/.ssh/allowed_keys
ssh-keygen -Y find-principals -f ~/.ssh/allowed_keys -s secret.txt.sig
# [email protected]
Verify the secret content and its signature, and whether the signer is allowed to sign its content, using ssh-keygen -Y verify:
ssh-keygen -Y verify -f ~/.ssh/allowed_keys -I [email protected] -n file -s secret.txt.sig < secret.txt
# Good "file" signature for [email protected] with ED25519 key SHA256:qyzDJRybalzUZWLBJCIzcQrVe7Y/51NZBeVQhA+VFeU
This process can be used anytime you need to verify your identity, that is, provide proof that you are the holder of the private key of a principal. This is your digital signature.[3]
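The secret.txt.sig file shown above is an armored SSHSIG blob that carries the signer's public key, the namespace and the hash algorithm alongside the raw signature. That is why check-novalidate can confirm that signature and content match without establishing that the key comes from an authorized signer, which is the step verify adds. The following Python sketch is an added example, not part of the original page; its function names are its own and the field layout follows OpenSSH's PROTOCOL.sshsig. It decodes the page's signature and rebuilds the bytes the private key actually signs.

```python
import base64, hashlib, struct

# Signature copied from this page (written by `ssh-keygen -Y sign`).
ARMORED = """-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgH4kibaNif5olt/ipnDBJqu5SNw
W+1/z3kw1IC3aI7RwAAAAEZmlsZQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUx
OQAAAECgPuYpggNMYjUZ56WQac0N59WbcvV6M2cOWFAN4ObB5xOYirQ5jqL9bbBoNiNnJ5
evok8oT/ROyN6qYVKiragA
-----END SSH SIGNATURE-----"""

def read_string(buf, pos):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def parse_sshsig(armored):
    """Decode an armored SSHSIG blob into its fields."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN SSH SIGNATURE-----"
            or lines[-1] != "-----END SSH SIGNATURE-----"):
        raise ValueError("missing SSH SIGNATURE armor")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if blob[:6] != b"SSHSIG" or blob[6:10] != struct.pack(">I", 1):
        raise ValueError("bad magic or unsupported version")
    fields, pos = [], 10
    for _ in range(5):  # publickey, namespace, reserved, hash_algorithm, signature
        value, pos = read_string(blob, pos)
        fields.append(value)
    if pos != len(blob):
        raise ValueError("trailing bytes after signature")
    pubkey, namespace, _reserved, hash_alg, sig = fields
    key_type = read_string(pubkey, 0)[0].decode()
    digest = base64.b64encode(hashlib.sha256(pubkey).digest()).decode().rstrip("=")
    return {"public_key": key_type + " " + base64.b64encode(pubkey).decode(),
            "fingerprint": "SHA256:" + digest,  # same form as `ssh-keygen -l`
            "namespace": namespace.decode(), "hash_alg": hash_alg.decode(),
            "sig_type": read_string(sig, 0)[0].decode()}

def signed_data(message, namespace, hash_alg="sha512"):
    """Bytes the private key actually signs: the namespace is bound in."""
    digest = hashlib.new(hash_alg, message).digest()
    return (b"SSHSIG" + ssh_string(namespace.encode()) + ssh_string(b"")
            + ssh_string(hash_alg.encode()) + ssh_string(digest))
```

Because the namespace is part of signed_data, a signature made with -n file does not verify under another namespace. The fingerprint field can be compared with ssh-keygen -l output to see which key a signature file claims as its signer, while trust in that key still has to come from the allowed signers file.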
Resources
- Generating a new SSH key and adding it to the ssh-agent
- Comparing SSH Keys - RSA, DSA, ECDSA, or EdDSA?
- It’s Now Possible To Sign Arbitrary Data With Your SSH Keys
- How do passkeys work?
Footnotes
1. Types of Encryption: Symmetric or Asymmetric? RSA or AES?
2. Ed25519 is an elliptic curve signing algorithm using EdDSA with SHA-512 and Curve25519.
3. See WebAuthn and passkeys, which satisfy both password and 2FA/2SV requirements, for more information.