Anirban

Northern Arizona University

Talk on applications of RSA within GitHub

Abstract

Have you ever wondered where a cryptographic routine such as the RSA algorithm is actually used for a platform (of your choice) that you use on a day-to-day basis? Possessing a know-how about the algorithm and how it works is all good, but without practical applications that you can observe and distinguish an impact with, the algorithm is as good as nothing for you.

In this talk, I will be discussing about two areas where the RSA algorithm is actually used for encryption within the GitHub platform - SSH Authentication and Commit Signing. Granted you ssh into GitHub and push commits via the online platform, they will be signed by default because it is verified that it’s coming from you. But what if you were to push into your remote on GitHub from your local repository without using the online interface? Turns out the commits are not signed that way by default, and this could have actually have a number of consequences depending on your commit (whether the changes are criticial or not, which also depends on the codebase that you’re contributing/pushing too) and on who shares the authority of it. If that raises a concern that it might happen to you, don’t worry! It won’t, because I’ll be addressing how to fix that today.

Outline

  • Brief overview on RSA (notes)
    • Basic principles
    • A bit on number theory (gcd, euclidean algorithm, fermat’s theorem - yes, it involves talking about primality tests)
    • Steps involved
    • Analyzing the security point of the algorithm and discussing its viability
  • Brief overview on Git (as a version control system) and GitHub (as an online platform to host and develop software)
  • Applications of RSA within the GitHub platform
    • SSH Authentication
    • Commit Signing (steps)

Extract

Some paragraphs from my talk:

“RSA is widely used internally in a lot of platforms that you might not be aware of. As an avid open-source enthusiast, a user of the GitHub platform and also as the GitHub Campus Expert for NAU, I will be talking about two examples where RSA is used within GitHub. More specifically for the SSH and GPG keys section (can be found at https://github.com/settings/keys for your profile).”

(complete my slides and talk on ‘SSH Authentication’, then move onto ‘Commit Signing’, which is what I’ve taken as the core element for my elevator pitch here)

“In order to understand what commit signing actually means, we need to understand what a ‘commit’ is, or more specifically what it means with context to git. A ‘git’ commit (literally made via the git commit command) creates a snapshot of the changes made to a Git repository locally (only saves a new commit object in the local Git repository) which can then be pushed to the remote repository on GitHub (assuming the commit is not being made there itself) when the developer is ready to do so. It moves the tracked files from the staging area (index) to the final committed stage.

By default while making a git commit in such a manner, the commits are not signed (again, not talking about the case for direct commits on the GitHub platform itself!). When you sign a Git commit, you can prove that it was indeed you who pushed/committed the code, and not someone else. Being able to prove who changed a code segment is crucial since one could either take credit for your commit if they’re not verified/unsigned, or they could in turn blame you for a bug that they introduced, whilst it was not your commit - but tagged along from your GitHub account.”