2025-05-09

encryption and ssh – a theoretical yet pragmatically oriented overview

1 key types – symmetric versus asymmetric

symmetric cryptography employs a single secret key to both encrypt and decrypt data. each party must possess this key in advance – its disclosure wholly undermines confidentiality and authenticity.

asymmetric cryptography divides privilege between a public key and a private key. the public key encrypts (or verifies signatures), whereas only the private key may decrypt (or generate signatures). by restricting each key to one task, the exposure of public material poses no decryption risk – the private key remains the sole gatekeeper of confidentiality and non-repudiation.

The distinction between symmetric and asymmetric cryptography lies primarily in how the keys used for encryption and decryption are handled.

Symmetric Cryptography

  • Key Usage: Uses a single, shared secret key for both encryption and decryption.
  • Operation: The same key is employed to encrypt a message and decrypt it. Both parties involved must possess this secret key, which must be securely distributed beforehand.
  • Speed: Generally faster and more efficient, making it suitable for encrypting large volumes of data.
  • Examples: AES (Advanced Encryption Standard), DES (Data Encryption Standard), and RC4.
  • Drawbacks: Key distribution can be challenging, as securely sharing the secret key with all parties beforehand poses a risk—if the key is intercepted, the communication is compromised.

Asymmetric Cryptography

  • Key Usage: Utilizes a pair of mathematically related keys - a public key and a private key.

  • Operation:

    • The public key is openly shared and used to encrypt messages.
    • The private key is kept secret and used to decrypt messages encrypted with the corresponding public key.
    • A message encrypted with the public key can only be decrypted by the matching private key, and vice versa.

  • Speed: Significantly slower than symmetric cryptography due to its complex mathematical operations, making it less suitable for encrypting large data directly.

  • Examples: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography), and DSA (Digital Signature Algorithm).

  • Advantages: Solves the key distribution problem, as the public key can be freely shared without compromising the security of the private key.

Summary Comparison

| Feature | Symmetric Cryptography | Asymmetric Cryptography | | -------- | ------------------------- | -------------------------------- | | Keys | Single shared key | Public and private key pair | | Speed | Faster | Slower | | Security | Key distribution is risky | Secure key distribution | | Use Case | Bulk data encryption | Key exchange, digital signatures | | Examples | AES, DES | RSA, ECC |

In practice, the two are often used together in hybrid systems, where asymmetric cryptography establishes a secure connection (e.g., exchanging a symmetric key), and symmetric cryptography is then employed to efficiently encrypt the actual data transmission.

2 tls handshake (https connection establishment)

  1. client hello the client advertises supported cipher suites and submits a client random.

  2. server hello + certificate • the server responds with its chosen cipher suite and a server random. • it sends a certificate containing its public key, signed by a trusted ca.

  3. key exchange

    • rsa key exchange the client generates a pre-master secret and encrypts it with the server’s public key – only the server’s private key may recover it.

    • ecdhe (ephemeral diffie-hellman) both parties exchange ephemeral public keys and compute a shared secret using their private counterparts.

  4. session key derivation both compute identical symmetric keys from the shared secret and the exchanged randoms.

  5. secure communication all application-layer data (e.g. http) is symmetrically encrypted with the session key.

key roles summary

  • server public key – in certificate; for encrypting the pre-master secret.
  • server private key – for decrypting the pre-master secret or signing ephemeral parameters.
  • ephemeral keys – for forward secrecy via diffie-hellman.
  • session key – symmetric; secures bulk data.

3 ssh handshake and authentication

  1. key exchange init client and server exchange supported algorithms and random nonces.

  2. server host key the server presents its public host key to prove its identity.

  3. diffie-hellman key exchange both parties generate ephemeral key pairs and derive a shared secret.

  4. session key derivation symmetric keys are derived from the shared secret and nonces.

  5. server authentication the server signs key-exchange data with its private host key; the client verifies with the public host key.

  6. user authentication

    • password: client sends password over the encrypted channel.

    • public-key: the client signs a server challenge with its private key; the server verifies with the client’s public key.

  7. secure communication ll subsequent traffic is encrypted with the derived symmetric session key.

key roles summary

  • server public host key – verifies host identity.
  • server private host key – signs key-exchange data.
  • client public/private key pair – optional; for user authentication.
  • ephemeral keys – for secure key exchange.
  • session key – symmetric; encrypts data.

4 certificate authorities and file formats

  • root ca – ultimate trust anchor.
  • intermediate cas – bridge between root and end-entity certificates.

common formats:

  • .pem – base64-encoded certificates or keys with -----begin…end…-----.
  • .crt – certificate, often der or pem.
  • .pfx – pkcs #12 bundle (certificate + private key), usually password protected.

5 customer scenarios

  1. crt and pem you possess .crt (certificate) and .pem (private key) files; deploy according to your server’s configuration.

  2. pfx bundle you hold a .pfx containing keys and certificates; extract with openssl or import directly into windows/mac key stores.

  3. intermediates and root ca assemble certificate chains and install with update-ca-certificates (debian/ubuntu) or equivalent.

6 encryption principles – illustrative example

consider integer summands as analogue to cryptographic keys – their combination yields a sum (ciphertext), yet only an authorised party knowing the components (keys) may recover the original values (plaintext).

in blockchain (e.g. bitcoin), asymmetric signatures ensure transaction provenance, whereas hashing and merkle trees enforce immutability.

elliptic-curve cryptography offers equivalent security to rsa with markedly smaller key sizes – yielding reduced computational load and bandwidth – particularly advantageous in resource-constrained environments.

7 useful commands

  • inspect key information

    ssh-keygen -l -f /path/to/key.pub

  • generate key pair

    ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

  • remove passphrase from private key

    openssl rsa -in encrypted.key -out decrypted.key

8 ssh configuration examples

host intsrvlinuxdev01
  identityfile ~/.ssh/mykey
  user myuser
  identitiesonly yes

host server
  hostname example.com
  user myuser
  identityfile ~/.ssh/server.%r
  identitiesonly yes

  • install public key:

    ssh-copy-id -i ~/.ssh/id_rsa.pub user@host

  • debugging:

    ssh -v user@host

  • sshfs: mount remote directory via ssh.

  • sftp: secure file transfer protocol over ssh.