Lifestyle, Photography, Technology, Cybersecurity, Nature, Wildlife Photography, Open-source software, Analogue Photography, 35mm Film Photography, Bird Photography, IndieWeb

Ed25519 Keys for SSH

A technical article detailing how I switched my SSH login on a remote Linux server to use Ed25519 keys.

I changed my SSH login to my remote Linux server to use Ed25519 keys. This is one of the few technical articles I wrote this year. Writing these articles helps me better understand the technologies I use.

Ed25519 is a widely used public-key signature algorithm based on elliptic curve cryptography (ECC). It was designed by Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The "ed" in its name stands for the Edwards curve, which is the elliptic curve used in the algorithm.

Ed25519 is designed to provide high security while maintaining excellent performance. It offers 128-bit security, which means it is resistant to known cryptographic attacks. The algorithm is specifically optimised for speed, making it efficient for various applications.

Ed25519 is based on the twisted Edwards curve called Curve25519, which Daniel J. Bernstein also developed. The choice of this curve offers several advantages, including resistance against certain types of side-channel attacks and efficient implementation across different platforms.

Ed25519 uses elliptic curve key pairs for signing and verification. Key generation involves selecting a random 256-bit secret scalar, which is used to compute the corresponding public key. The secret scalar should be generated using a cryptographically secure random number generator.

To create a signature using Ed25519, the signer uses their secret scalar and the message they want to sign. The algorithm applies a series of mathematical operations to produce a 64-byte signature. This signature can be verified using the corresponding public key.

Signature verification involves using the signer's public key, the received message, and the signature. The verification process applies a set of mathematical operations to confirm the authenticity and integrity of the message. If the verification is successful, the signature is valid, and the message hasn't been tampered with.

Ed25519 has gained significant adoption in various domains, including cryptography libraries, protocols, and applications. It is commonly used for secure communications, digital signatures, key exchange, and other cryptographic operations. Many popular libraries and frameworks, such as OpenSSL, libsodium, and GnuPG, support Ed25519.

Ed25519 offers advantages over older signature algorithms like RSA and DSA. It has shorter key lengths, making it more efficient in terms of computation and storage. Additionally, Ed25519 is resistant to many types of attacks, including those based on side-channel information leakage.

Ed25519 has been widely recognised as a reliable and secure signature algorithm and has found extensive use in various cryptographic applications due to its performance and security characteristics.

To generate an Ed25519 key pair on macOS for logging into my Linux server, I followed these steps:

Open the Terminal application on macOS.
The ssh-keygen command generates the Ed25519 key pair. In the Terminal, type the following command:ssh-keygen -t ed25519 -f linux_server_key
This command generates a new Ed25519 key pair with the specified filename (linux_server_key in this example).
You will be prompted to provide a passphrase for the key pair. I recommend entering a strong passphrase to protect your private key. Press Enter if you want to leave it empty (not recommended).
Two files will be generated in the current directory: linux_server_key (private key) and linux_server_key.pub (public key).
Copy the public key to your Linux server. I used the ssh-copy-id command to copy the public key to the server. In the Terminal, type the following command:ssh-copy-id -i linux_server_key.pub username@server_ip
Replace username with your username on the Linux server and server_ip with the IP address or hostname of the Linux server. This command will copy the public key to the appropriate location on the server and enable key-based authentication.
If the ssh-copy-id command is not available on your macOS, you can manually copy the contents of the linux_server_key.pub file and append it to the ~/.ssh/authorized_keys file on the Linux server.
Once the public key is copied, you can use SSH to log in to the Linux server using your private key. In the Terminal, type the following command: ssh -i linux_server_key username@server_ip
Replace username with your username on the Linux server and server_ip with the IP address or hostname of the Linux server. This command will use the specified private key for authentication when connecting to the server.
If you set a passphrase for the private key, you will be prompted to enter it before establishing the SSH connection.

That's it! You have now generated an Ed25519 key pair on macOS and configured it to log into a Linux server using SSH.

2019-10-07 00.39.03

AG Barr, Officials to Facebook: Don’t Encrypt Messaging

Officials say they are concerned about their ability to fight crime and protect citizens, while privacy advocates remain critical of government interference.

2019-08-14 07.39.19

Attorney General Barr and Encryption - Schneier on Security by Bruce Schneier

With this change, we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having -- not the fake one about whether or not we can have both security and surveillance.

When I break it down, what I think the attorney general is saying to all of us law-abiding citizens, is "in the interest of finding the criminals among you we want the power to stop and frisk".

I do not trust these three-letter government agencies with this power.

I agree with Bruce:

As computers continue to permeate every aspect of our lives, society, and critical infrastructure, it is much more important to ensure that they are secure from everybody -- even at the cost of law enforcement access -- than it is to allow access at the cost of security. Barr is wrong, it kind of is like these systems are protecting nuclear launch codes.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.