NML Says

Cloud Computing

This Lesson’s References

General

  1. Cloud Computing Beginner to Expert with 3 Projects
  2. ACG Projects: Build Your Resume on Azure with Blob Storage, Functions, CosmosDB, and GitHub Actions
  3. Learn to Cloud

References re Cryptography and PKI

Aspects of Security

Asymmetrical Encryption

Secret electronic communication relies on encryption, and in this day and age that means asymmetrical encryption. Anyone who wants to take part must create a key pair, i.e. two related keys. One, the private key, is kept secret on the entity’s own device. The other, the public key, is revealed on demand: it is kept publicly on a website, on a public key server, or generally anywhere communication partners can get access to it. They can also simply ask for it. It is meant to be public.

The way it works is that when Alice wants to send a secret message to Bob, they get Bob’s public key, encrypt the plaintext message with that key, and send it. The principle is that ciphertext encrypted with Bob’s public key can only be decrypted with Bob’s private key. This way Alice is certain that only Bob can read the message.

The other aspect of asymmetrical encryption is signing a message. After the encryption described above, Alice creates a signature with their own private key and attaches the signature to the message. Now if, and only if, Bob can verify this signature with Alice’s public key, he can be one hundred percent sure that the message is from Alice. In today’s computing GnuPG, the GNU Privacy Guard, is an established standard software for asymmetrical encryption. On Windows it is available as Gpg4win. In parallel, OpenSSH also uses public/private key pairs.

Generating Key Pairs

GNU Privacy Guard
```bash
$ gpg --gen-key
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Niels
Email address: arosano@protonmail.com
You selected this USER-ID:
    "Niels <arosano@protonmail.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory '/home/nml/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/nml/.gnupg/openpgp-revocs.d/3C715373CE43262D218D2462F63B9222424D2778.rev'
public and secret key created and signed.

pub   ed25519 2023-11-22 [SC] [expires: 2026-11-21]
      3C715373CE43262D218D2462F63B9222424D2778
uid                      Niels <arosano@protonmail.com>
sub   cv25519 2023-11-22 [E] [expires: 2026-11-21]
```

Along the way you will be prompted for a passphrase. As the output shows, the result is placed in the user’s .gnupg directory, and a revocation certificate is generated. The latter is there just in case.

To send your public key to a correspondent, you first export it:

```bash
$ gpg --armor --export arosano@protonmail.com
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZV3cNxYJKwYBBAHaRw8BAQdAvXGnffcDtWiMz5PmCsqxPyyk1BqN7zhTopXy
Iuj3ISW0Hk5pZWxzIDxhcm9zYW5vQHByb3Rvbm1haWwuY29tPoiZBBMWCgBBFiEE
PHFTc85DJi0hjSRi9juSIkJNJ3gFAmVd3DcCGwMFCQWjmoAFCwkIBwICIgIGFQoJ
CAsCBBYCAwECHgcCF4AACgkQ9juSIkJNJ3izEgEAjeXEZk8YzmCzSaaZyK8Mi3KB
LIuKHvTgzNS+1yJw9X8A/1xXmHanjxt+PQv7JRPz/zGnBIt+FQhEKod0Ph0uMUAI
uDgEZV3cNxIKKwYBBAGXVQEFAQEHQH2TexFbMgWZQMf+2c9GASsjmLnVIQhBp01Q
4P/+j4EAAwEIB4h+BBgWCgAmFiEEPHFTc85DJi0hjSRi9juSIkJNJ3gFAmVd3DcC
GwwFCQWjmoAACgkQ9juSIkJNJ3iscQEA+DgNfKM5+rRALxjpe60frZz6/GPf+OdX
pf6m+tzv6zsA/2+UzrHwOalykJmTBHPxsxK8cDgXJAVisFKB01GXLBYM
=WulF
-----END PGP PUBLIC KEY BLOCK-----
```

Or, even better, place it in a file to send:

```bash
$ gpg --armor --output arosanos_public.key --export arosano@protonmail.com
```

The option --armor makes the command create output in ASCII rather than binary, making it much easier for any recipient to use.

Man in the Middle Attack

This section has been included here after a discussion in class. It would normally appear as part of a module on communication security.

Whatis?

A man-in-the-middle attack is a situation where two entities, let us call them Alice and Bob, want to communicate secretly and electronically, but an evil entity, let us call them Eve or Mallory, inserts themselves in the middle of the communication channel and, unbeknownst to Alice and Bob, eavesdrops on and manipulates the communication.

Example Flow

It might be useful to read the section called “Asymmetrical Encryption” first if you are not already familiar with asymmetrical encryption.

The following paraphrases the example from https://en.wikipedia.org/wiki/Man-in-the-middle_attack: Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the conversation to eavesdrop (breaking confidentiality) with the option to deliver a false message to Bob under the guise of Alice (breaking non-repudiation). Mallory would perform a man-in-the-middle attack as described in the following sequence of events:

  1. Alice sends the following message to Bob, and it is intercepted by Mallory: “Hi Bob, it’s Alice. Give me your key, please.”
  2. Mallory relays this message to Bob; Bob cannot tell it is not really from Alice: “Hi Bob, it’s Alice. Give me your key, please.”
  3. Bob responds with his encryption key, and Mallory intercepts it: “[Bob’s key]”
  4. Now the fun begins: Mallory replaces Bob’s key with her own and relays this to Alice, claiming that it is Bob’s key: “[Mallory’s key]”
  5. Alice encrypts a message with what she believes to be Bob’s key, thinking that only Bob can read it: “Meet me at the bus stop!” [encrypted with Mallory’s key]
  6. However, because it was actually encrypted with Mallory’s key, Mallory can decrypt it, read it, modify it (if desired), re-encrypt it with Bob’s key, and forward it to Bob: “Meet me at the van down by the river!” [encrypted with Bob’s key]
  7. Bob thinks that this message is a secure communication from Alice.

The example shows the need for Alice and Bob to have a means to ensure that they are truly each using each other’s public keys, and not the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key[9] technology.

Secure Shell, SSH

Whatis?

Secure Shell is meant for managing and manipulating your resources on a remote computer via the internet. In the old days we logged on remotely via telnet to do that. Telnet operates unencrypted, i.e. in plain text. SSH has a layer of security built in so that the communication is encrypted.

To support encryption, SSH utilizes asymmetric encryption. For more information on asymmetric encryption, read the section called “Asymmetrical Encryption”.

SSH Key Generation

In asymmetric encryption we operate not with a single key for encryption, but with a key pair: a public key for our communication partners to know, and a private key to be kept absolutely private. The first step is therefore to generate a key pair. This is done from a terminal:

OpenSSH Key Generation
```bash
$ ssh-keygen -t ed25519 -b 4096 -C "{arosano@protonmail.com}"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/nml/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/nml/.ssh/id_ed25519
Your public key has been saved in /home/nml/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:NEC5J7gKopNIWwXuwX6092o3THrewFwNHsDSEPEHL1s {arosano@protonmail.com}
The key's randomart image is:
+--[ED25519 256]--+
|     .o=*o       |
|   .  .o.o+      |
|  o .. .+o E     |
|   +.oo...* +    |
|  o +..oS. o .   |
|o. +.o .o..      |
|=oo.. . =+       |
|=..    o *o      |
| .    ..=...     |
+----[SHA256]-----+
```

resulting in

```bash
$ ls -Rl .ssh
.ssh:
total 24
-rw-------    1 nml      nml            464 Nov 22 12:57 id_ed25519
-rw-r--r--    1 nml      nml            106 Nov 22 12:57 id_ed25519.pub
```

The public key in id_ed25519.pub must then be placed on any server with which you wish to communicate by means of SSH. On entry, when that public key matches your private key, you will be granted access without need for a password on that server. You may have to provide the passphrase mentioned above, but that is for reading the private key on your own computer. That passphrase, as seen above, is optional but highly recommended. The public key illustrated:

```bash
$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyTluEWmqKYySVZq35hEGnbex4CNR2+VAuLd21v/8oF {arosano@protonmail.com}
```

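The ed25519 algorithm comes from an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields[10]. Ed25519 keys have a fixed size, so the -b 4096 option in the command above has no effect, which is why the randomart header reads ED25519 256. There are other algorithms than ed25519 to choose from in SSH. ed25519 seems to be the default if none is given on the CLI.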
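The man-in-the-middle flow described earlier succeeds because a key is accepted without being checked; comparing its fingerprint with one obtained over a separate, trusted channel is the usual countermeasure. The following added example (not part of the original lesson) derives an OpenSSH-style SHA256 fingerprint from a public key line and checks it against a pinned value. The function names and the all-zero substitute key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Public key line as shown in the lesson's id_ed25519.pub listing.
LESSON_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyTluEWmqKYySVZq35hEGnbex4CNR2+VAuLd21v/8oF {arosano@protonmail.com}"


def parse_pubkey_line(line):
    """Split '<type> <base64> [comment]' and return (type, decoded key blob)."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or is corrupt.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in blob does not match the declared type")
    return key_type, blob


def fingerprint(line):
    """SHA256 fingerprint as ssh-keygen prints it: unpadded base64 of SHA-256(blob)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pin(line, pinned):
    """True only if the offered key hashes to the fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint(line), pinned)


def make_ed25519_line(raw32, comment):
    """Build a well-formed ssh-ed25519 line from 32 raw bytes (constructed sample keys)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    pin = fingerprint(LESSON_KEY)  # stands in for a fingerprint received over a trusted channel
    swapped = make_ed25519_line(bytes(32), "{arosano@protonmail.com}")  # constructed substitute
    print("pinned:", pin)
    print("genuine key accepted:", matches_pin(LESSON_KEY, pin))
    print("substituted key accepted:", matches_pin(swapped, pin))
```

The comment field is not part of the hashed blob, so a substituted key can carry the same name and e-mail address as the genuine one and is still rejected.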

Cryptographic Hashing

Whatis?

A cryptographic hash function is a function that takes a binary string of arbitrary length as input and digests it into a binary output of fixed length n. The value n depends on the algorithm. The input to the function is called a message. The output of the function is called a digest.

There are certain properties required of a good cryptographic hash function:

The usage of cryptographic hash functions can be summarized as:

We have, inspired by the referenced Wikipedia article, used the word infeasible. The article defines it as

almost certainly beyond the reach of any adversary who must be prevented from breaking the system for as long as the security of the system is deemed important.

They also state that

even a thousand-fold advantage in processing power [of the attacker] can be neutralized by adding a dozen bits to the [digest length].
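The fixed digest length and the remark about adding bits can be made concrete. This added example (not from the lesson or the referenced article) shows that the digest length depends only on the algorithm, and brute-forces a match against SHA-256 digests truncated to 8 and 16 bits to show how the search effort grows with the number of bits. The truncation, the function names and the sample message are constructed for illustration.

```python
import hashlib

MESSAGE = b"Meet me at the bus stop!"  # constructed sample message


def digest_bits(algorithm, message):
    """Length n of the digest in bits; set by the algorithm, not by the message."""
    return hashlib.new(algorithm, message).digest_size * 8


def truncated(message, bits):
    """First `bits` bits of SHA-256(message) as an integer: a deliberately weak toy hash."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def attempts_to_match(target, bits, limit=1 << 22):
    """Try the messages b'0', b'1', ... until one has the same truncated digest as target.

    Returns the number of attempts needed, or None if `limit` is reached.
    """
    wanted = truncated(target, bits)
    for i in range(limit):
        if truncated(str(i).encode(), bits) == wanted:
            return i + 1
    return None


if __name__ == "__main__":
    # Same n for an empty message and for a 24,000-byte one.
    for alg in ("sha224", "sha256", "sha512"):
        print(alg, digest_bits(alg, b""), digest_bits(alg, MESSAGE * 1000))
    # Expected effort is about 2**bits attempts, so each extra bit doubles it
    # and a dozen extra bits multiply it by 2**12 = 4096.
    for bits in (8, 16):
        print(bits, "bits matched after", attempts_to_match(MESSAGE, bits), "attempts")
```

At the full 256 bits the same search would need on the order of 2**256 attempts, which is what infeasible means in practice.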

Prezzes

Today you will present your efforts, and we shall discuss the work to wrap up this module.

Summary

Summary and Outlook

We have in these 5 sessions tried to engage you in getting to know the cloud by doing cloud. The formal evaluation of that is an exam to be held in January. The exam is oral, and the problems to prepare will be published in ample time before the exam.

In an oral exam, you will talk about the problems. You will discuss the problems, and you will present possible solutions to those problems. The term ‘problems’ signifies the problems we have given to you. The subjects of these problems will be about another category of problems. Those you intend to solve by applying Cloud Computing, and the tools you are using to execute Cloud Computing.

Some keywords of what we have discussed in class, and of what potential exam problems will be about. We have been informed that there should be about 6 problems; they will focus on aspects of the areas listed below as related to your practical work with them. According to the curriculum they must also be discussed relative to your upcoming exam project.

Evaluation

We shall evaluate informally, and also talk about the curriculum requirements vis-a-vis exams.