23

My brain is wrapped around the axle on public and private keys. When you create a cloud server (instance) on Amazon's EC2 service and then want to connect to it via SSH, Amazon requires you to download private a key to make the connection. Doesn't the idea behind public/private key suggest that Amazon should be require you to download a public one?

Further, if I set up an SFTP server for a customer to use, should I be installing their key on the server or giving them a key from the server? In either case, should it be a public or private key?

Seth
  • 423
  • 1
  • 4
  • 8
  • 1
    For those of us less familiar with EC2, were is Amazon requiring you to download a private key? – Zoredache Aug 20 '12 at 21:54
  • 2
    When you set up a cloud server on Amazon EC2 and then want to connect to it via SSH, the Amazon console allows you to download a private key you use to make the connection. You're required to protect the key, of course. – Seth Aug 20 '12 at 21:56
  • @Zoredache In fairness, that's an option. Someone looking to tool around quickly on a Windows box probably has never used OpenSSH before, so it's a nice quickstart. – ceejayoz Aug 20 '12 at 22:24

4 Answers4

36

Thinking more deeply about the authentication process, what needs to be kept secret? Amazon knows the public half of the key, and anybody can know the public half. The public half of the keypair, when matched with the private half, denotes that the private half was used to authenticate.

You private key that is provided to you when Amazon generates a keypair for you is only useful if you're the only one that has it. If it's not a secret, then anybody else who knows it can also authenticate to anybody who holds the public half of the keypair.

Whoever is being authenticated must hold the private half. It's ok if everybody in the world can authenticate you by holding the public half of the key, but only you should be in control of the private half.

Jeff Ferland
  • 20,239
  • 2
  • 61
  • 85
19

Amazon provides key generation services because some operating systems (cough, Windows, cough) may not make it easy to generate the SSH keypairs.

With SSH (and SFTP), the public key is installed in the user's authorized_keys file as the EC2 instance starts up. The private key is held only by the user and is presented to authenticate against the server.

From the documentation at:

http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/ApiReference-query-CreateKeyPair.html

it appears that Amazon generates the keypair on their servers and sends you the private key via HTTPS. This is perhaps less than perfect (ideally, you and no one else will have possession of the private key), but probably not terribly so, given that this all occurs in the context of your authenticated session and only you (and Amazon temporarily) see the private key. You can also always generate and upload your own public key for EC2 use, while keeping the private key strictly private.

For setting up SFTP users for key authentication, they should be generating SSH keys on their machines. Once they generate a key pair, they should only be sending you the public key to install in the relevant authorized_keys file. The private key, as the name implies, is private.

cjc
  • 24,533
  • 2
  • 49
  • 69
  • 5
    I regularly generate key pairs on windows machines. It's not hard, although it's done using installed software, and not by Windows itself. – Dominic Cronin Aug 20 '12 at 22:04
  • 2
    Agreed with Dominic. It's more the fact that the average windows user is terrified and lost at the sight of a CLI, and that Windows still doesn't have a "login with SSH key" option. – HopelessN00b Aug 20 '12 at 22:08
  • Oh, yes, agreed. I use Cygwin, etc., with openssh, so everything works cleanly. I imagine most Windows users doing this will be using PuTTY and have to do some key conversion. It's just more steps. – cjc Aug 20 '12 at 22:10
  • Generating key-pairs is pretty simple in the PuTTY toolset. The bigger problem is getting people to understand which half to use and when. – gWaldo Aug 20 '12 at 22:20
  • 1
    I've never actually used Amazon, but rather than blaming windows, I would assume that the reason Amazon sends you a key is that if they didn't give you a key to log in with, how would you log in to install your public key in the first place? – DerfK Aug 20 '12 at 23:01
  • 1
    @DerfK You can submit your own public key, and select that to be installed in a new EC2 instance. Selecting a particular key is part of the instance creation process. – cjc Aug 21 '12 at 02:07
2

Public key authentication works in the reverse direction to the way you're probably thinking. The public key encrypts messages and the private key decrypts them. The server stores the account holder's public key and uses it to encrypt a message. Only the holder of the private key can decrypt that message.

If you send someone a secret encrypted with their public key, if they can tell you what that secret is, then you know they hold the matching private key. The user is then authenticated.

AWS requires you to download and save your private key because they wont store it, for security reasons. Because the private key is not stored anywhere on AWS, you can be confident that your EC2 instance is secure.

JKim
  • 552
  • 3
  • 10
1

In one sense, it doesn't matter. A private/public key pair consists of two parts, and which of them is the public one is up to you. If something is encrypted with one key, you need the other one to decrypt it. If you have published one key publicly and not the other, the private key is the one you didn't publish.

Getting to your actual question: presumably the key Amazon gives you is to allow you to control your own resources, so it should not be given to other people. In this context, you have to trust Amazon to have your private key, at least for long enough to get set up.

If you want your customer to log in this way, you need them to give you a key they are prepared to share with you, so therefore their public key. You install this on the server in authorized_keys, which is effectively saying "anyone who posesses the private key matching this public one may access this resource".

Dominic Cronin
  • 670
  • 4
  • 21
  • 1
    Uhm, no that isn't true. At least with RSA/DH you encrypt with the public key and decrypt with the private, it doesn't work the other way around. Signing is not the same as encryption/decryption. – Zoredache Aug 20 '12 at 22:13
  • 1
    @ErikA No, the public key cannot be derived from the private key. Private key **files** often include both keys. If you really want to get into a discussion, I'd suggest http://crypto.stackexchange.com. Those folks can give you the really deep inner details including the actual differences of RSA keys and why which key is considered public vs. private isn't just an arbitrary flip of a coin. – Jeff Ferland Aug 21 '12 at 01:00
  • @Zoredache - I didn't know that: thanks. Do you have a link to a good reference? – Dominic Cronin Aug 22 '12 at 21:53
  • http://en.wikipedia.org/wiki/Asymmetric_key_algorithm - One key locks or encrypts the plaintext, and the other unlocks or decrypts the ciphertext. **Neither key can perform both functions.** - http://en.wikipedia.org/wiki/RSA_(algorithm) - RSA involves a public key and a private key. The **public key can be known to everyone and is used for encrypting messages**. Messages encrypted with the public key can only be decrypted using the private key. – Zoredache Aug 23 '12 at 07:56
  • Neither of those two references suggests what you are saying @Zoredache. *Of course*, once you have decided which key is private and which public, that determines the way you use it. At the point of key generation, this decision hasn't been made yet. For what it's worth, the logic around signing depends entirely on the logic around encryption, as signing *requires* encryption. – Dominic Cronin Aug 23 '12 at 17:42
  • You need to follow the links and actually look at the math for RSA. The private key is created differently from the public key. They are not calculated the same, so what would lead you to believe they are inter-changable? – Zoredache Aug 23 '12 at 19:31
  • OK - I see that the key generation algorithm is different. Why is this? For public-key encryption in the general case, the distinction between the publc and private keys is arbitrary. What benefit does RSA gain by losing this simplicity? As I said, the links you provided didn't explain this (although I am now clear that there is a difference). Now I'm looking for the why? Anyone got a good link? – Dominic Cronin Aug 24 '12 at 22:48