SSH Public and Private Keys

CS 463 Lecture, Dr. Lawlor

Rather than building your own crypto infrastructure from scratch, you can use public and private keys for network authentication with SSH, the secure shell.

You can generate an Elliptic Curve Digital Signature Algorithm (ECDSA) private key with:
	ssh-keygen -t ecdsa -b 521 -f ~/.ssh/id_ecdsa
You can dump the contents of an elliptic curve private key with:
	openssl ec -in ~/.ssh/id_ecdsa -noout -text  
For the private key we generated in class, this dumps:
Private-Key: (521 bit)
priv:
19:5c:95:f3:02:07:bb:b1:ea:48:16:1f:11:2f:1b:
c7:89:d9:ae:d2:b3:a5:80:51:92:3f:9e:d2:bc:0b:
17:12:75:8c:22:7f:50:3d:7c:77:e6:3d:07:75:02:
4b:f9:8c:31:fc:41:fa:d4:65:df:52:2c:49:42:a3:
a0:b4:52:4f:18
pub:
04:00:e0:cf:e3:99:0a:c5:06:e4:bf:af:96:92:bd:
af:2c:8d:53:d0:18:96:db:fd:7e:69:18:28:bd:e4:
69:f0:27:dc:9b:53:4a:2a:85:62:14:58:2f:6c:5e:
d7:6f:49:79:42:b9:ca:f0:b8:4d:02:03:b7:f5:4c:
82:ed:cb:aa:83:a5:f5:00:56:73:2d:8d:62:61:29:
72:ec:56:21:f9:6f:69:09:5a:f5:09:4a:da:80:17:
a9:13:93:61:9b:c0:3b:48:e3:de:24:1a:7f:35:97:
d9:b3:65:08:56:87:a9:9d:e5:1d:db:2a:04:ff:a5:
92:9b:c0:28:15:a1:a4:83:b9:0f:12:02:f3
ASN1 OID: secp521r1
We can verify this using the following code for my ecc_lib library (Zip or Tar-gzip, updated again for the parameters of this curve).
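// Curve parameters for secp521r1, the curve named in the dump's "ASN1 OID" line
ECcurve_secp521r1 curve;

// Load the private scalar from the "priv:" field of the openssl dump
ECcoord priv; priv.readHex(
"19:5c:95:f3:02:07:bb:b1:ea:48:16:1f:11:2f:1b:"
"c7:89:d9:ae:d2:b3:a5:80:51:92:3f:9e:d2:bc:0b:"
"17:12:75:8c:22:7f:50:3d:7c:77:e6:3d:07:75:02:"
"4b:f9:8c:31:fc:41:fa:d4:65:df:52:2c:49:42:a3:"
"a0:b4:52:4f:18");
std::cout<<"ECDSA private key="<<priv.hex()<<"\n";

// Public key = private scalar times the curve's starting point
ECpoint pub=curve.start.multiply(priv,curve);

// Compare against the dump's "pub:" field: after the leading 04 byte
// (uncompressed point), the first 66 bytes are x and the last 66 are y
std::cout<<"ECDSA public key="<<pub.x.hex()<<" , "<<pub.y.hex()<<"\n";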
So the key looks fine, but my old Ubuntu 10.04 server doesn't support ECDSA authentication.  For that machine, I need to generate an RSA key:
	ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
Note that you need way more bits for the same security with an RSA key.  You might as well use enough bits, because on modern hardware, an RSA exchange with a ridiculously huge 8192-bit key only takes 0.1 seconds longer than a bare-minimum 768-bit key.

To log in to the server using this key, add the contents of ~/.ssh/id_rsa.pub to the server's ~/.ssh/authorized_keys file.  You can then log in using the private key (which should stay protected on your local machine, not go out to the server).
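
The .pub line you paste into authorized_keys carries the same curve point that openssl prints in the "pub:" field above. The Python below is an added example, not code from the lecture or from ecc_lib: it parses such a line for a nistp521 key, checks it, and computes the SHA256 fingerprint in the form `ssh-keygen -lf` prints. The function names are hypothetical, the .pub line is constructed from the dump's bytes (the class key's .pub file is not shown on this page), and only plain .pub lines without an authorized_keys options prefix are handled.

```python
import base64, hashlib, struct

# "pub:" field copied from the openssl dump on this page (133 bytes: 04 || X || Y).
DUMP_PUB = bytes.fromhex("""
04:00:e0:cf:e3:99:0a:c5:06:e4:bf:af:96:92:bd:
af:2c:8d:53:d0:18:96:db:fd:7e:69:18:28:bd:e4:
69:f0:27:dc:9b:53:4a:2a:85:62:14:58:2f:6c:5e:
d7:6f:49:79:42:b9:ca:f0:b8:4d:02:03:b7:f5:4c:
82:ed:cb:aa:83:a5:f5:00:56:73:2d:8d:62:61:29:
72:ec:56:21:f9:6f:69:09:5a:f5:09:4a:da:80:17:
a9:13:93:61:9b:c0:3b:48:e3:de:24:1a:7f:35:97:
d9:b3:65:08:56:87:a9:9d:e5:1d:db:2a:04:ff:a5:
92:9b:c0:28:15:a1:a4:83:b9:0f:12:02:f3""".replace(":", "").replace("\n", ""))

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def make_pub_line(point: bytes, comment: str = "constructed@example") -> str:
    """Build an id_ecdsa.pub-style line (RFC 5656 key blob) from 04||X||Y."""
    blob = (ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521")
            + ssh_string(point))
    return "ecdsa-sha2-nistp521 " + base64.b64encode(blob).decode() + " " + comment

def parse_pub_line(line: str) -> dict:
    """Parse one nistp521 public key line; raise ValueError if malformed."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields, pos = [], 0
    while pos < len(blob):            # walk the length-prefixed fields
        if len(blob) - pos < 4:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">I", blob, pos)
        if pos + 4 + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    # The type outside the base64 must match the type inside the blob.
    if len(fields) != 3 or fields[0] != key_type.encode() or fields[1] != b"nistp521":
        raise ValueError("key type or curve name mismatch")
    point = fields[2]
    if len(point) != 133 or point[0] != 4:   # 1 + 66 + 66, uncompressed
        raise ValueError("expected uncompressed 521-bit point")
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "x": point[1:67], "y": point[67:], "fingerprint": fp}
```

Comparing the fingerprint computed on your local machine with the one computed from the server's authorized_keys entry confirms the server holds the key you meant to install.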