[ale] emailing public dsa key (good, bad or ugly?)

James P. Kinney III jkinney at localnetsolutions.com
Wed Jan 25 20:37:12 EST 2006 

On Wed, 2006-01-25 at 16:52 -0700, Michael Hirsch wrote:
> Why bother?  Why not just send the public key?  Isn't that why it's
> called "public"?  It should be safe to publish the key in an newspaper
> or blog.  Is there a risk we haven't heard of?
> 
> You solution requires him to publish his public GPG key.  Doesn't the
> same question apply? 

Your points are valid. In theory the ssh pub key is a solid, secure
thing that can't be used for anything but encryption of data that can
only be decrypted with the private key. Yes, publishing the pub key is
OK. 

As far as risks we haven't heard of, I don't know for certain that the
2-part key system is without faults. Other encryption systems are being
cracked every month. Most are by brute force. I am sure my stuff is
prime fodder for people breaking into to read (HA!).

As the original poster was concerned about the security of sending the
key openly, I was merely suggesting a methodology of ensuring the
security of the pub key in an email transit. Is it overkill? Yes. Will
it work? Yes. If the involved parties have pub keys posted and signed by
known people, that web of trust thing, then the process I posted is an
excellent way of transmitting an ssh pub key. That process establishes
clearly "I am who I claim to be AND here is the ssh pub key".

Since that pub key is used to identify an incoming connection to an ssh
server, I would want to know VERY clearly that it is for who it is
supposed to be for. Thus the added security around the transferral of
the key is justified. The connecting client has their pub key installed
on the server. The server uses that to encrypt a secret that is
decrypted by the client. The client uses the pub key of the server (sent
clear with the encrypted secret) to encrypt the secret and send it back
to the server for decryption and verification that the received secret
matches the sent secret. If someone has inserted a stolen pub key in the
connecting users ~/.ssh/authorized_keys then the security of the process
has been compromised.
> 
> Michael
> 
> On 1/25/06, James P. Kinney III <jkinney at localnetsolutions.com> wrote:
>         Email your GPG ID encrypted with his public key you got from a
>         public
>         server. Now he gets you pub key and uses it to email back
>         encrypted with
>         your pub key a phrase you used over the phone. This has
>         verified each
>         others keys and identities. Now send the ssh key encrypted
>         with his pub
>         key by email.
>         
>         On Wed, 2006-01-25 at 13:58 -0500, Sid Lane wrote:
>         > hey,
>         >
>         > I am in the process of setting up an automated file transfer
>         to an 
>         > external vendor who has agreed to scp over ssh2 but is
>         asking me to
>         > email the public key to them.
>         >
>         > is there any risk in doing this via email?  I understand the
>         basic
>         > principles of asymetric cryptography and that it shouldn't
>         be possible 
>         > to decrypt w/the public key.
>         >
>         > I was just wondering if there are any attacks/exploits that
>         knowing it
>         > make easier.  FWIW, box that will be pushing to them is
>         behind (a
>         > couple of) firewall(s) so nothing in the wild should even be
>         able to 
>         > attempt to initiate an ssh (or anything else for that
>         matter) to it.
>         >
>         > what say ye all?  o.k. to email or scp it w/password for
>         now.
>         > _______________________________________________
>         > Ale mailing list 
>         > Ale at ale.org
>         > http://www.ale.org/mailman/listinfo/ale
>         --
>         James P. Kinney III          \Changing the mobile computing
>         world/ 
>         CEO & Director of Engineering \          one Linux
>         user         /
>         Local Net Solutions,LLC        \           at a
>         time.          /
>         770-493-8244                    \.___________________________./
>         http://www.localnetsolutions.com
>         
>         GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
>         <jkinney at localnetsolutions.com>
>         Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C
>         6CA7 
>         
>         
>         -----BEGIN PGP SIGNATURE-----
>         Version: GnuPG v1.4.1 (GNU/Linux)
>         
>         iD8DBQBD19SAYZCtw4KcbKcRArP9AJ0Z/UHoDBajoUy1ojHRhnTeCOurWACfV2rU
>         I4GL6hUL1YirSELlWaJO2K0=
>         =EvQw
>         -----END PGP SIGNATURE-----
>         
>         
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org
>         http://www.ale.org/mailman/listinfo/ale
>         
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part

More information about the Ale mailing list