Anirban

Northern Arizona University

Talk on applications of RSA within GitHub

Abstract

Have you ever wondered where a cryptographic routine such as the RSA algorithm is actually used within a platform (of your choice) that you use on a day-to-day basis? Possessing know-how about the algorithm and how it works is all good, but without practical applications that you can observe and distinguish an impact with, the algorithm is as good as nothing for you.

In this talk, I will be discussing two areas where the RSA algorithm is used for encryption within GitHub - SSH Authentication and Commit Signing. Granted you ssh into GitHub and push commits via the online platform, they will be signed by default because it is verified that those commits are coming from you. But what if you were to push into your remote on GitHub from your local repository without using the online interface? Turns out the commits are not signed that way by default, and this could have a varying number of consequences depending on the nature of your commit (whether the changes are critical or not, which also depends on the codebase that you’re contributing/pushing too) and on who shares the authority of it. If that raises a concern that it might happen to you, don’t worry! It won’t, because I’ll be addressing how to fix that today.

Outline

  • Brief overview on RSA (notes)
    • Basic principles
    • A bit on number theory (GCD, Euclidean algorithm, Fermat’s theorem - yes, primality tests are a requisite!)
    • Steps involved
    • Analyzing the security point of the algorithm and discussing its viability
  • Brief overview of Git (as a version control system) and GitHub (as an online platform to host and develop software)
  • Applications of RSA within the GitHub platform
    • SSH Authentication
    • Commit Signing (steps)

Extract

Some paragraphs from my talk:

“RSA is widely used internally in a lot of platforms that you might not be aware of. As an avid open-source enthusiast, a user of the GitHub platform, and as the GitHub Campus Expert for NAU, I will be talking about two examples where RSA is used within GitHub. More specifically for the SSH and GPG keys section (can be found at Settings > Keys).”

(proceed to complete my slides and presentation/talk on ‘SSH Authentication’, then move on to ‘Commit Signing’, which is what I’ve taken as the core element for my elevator pitch here!)

“In order to understand what commit signing means, we need to understand what a ‘commit’ is, or more specifically what it means with context to git. A ‘git’ commit (literally made via the git commit command) creates a snapshot of the changes made to a Git repository locally (only saves a new commit object in the local Git repository) which can then be pushed to the remote repository on GitHub (assuming the commit is not being made there itself) when the developer is ready to do so. It moves the tracked files from the staging area (index) to the final committed stage.

While making a git commit in such a manner, the commits are not signed (again, not talking about the case for direct commits through the GitHub platform itself!) by default. When you sign a git commit, you can prove that it was indeed you who pushed/committed the code, and not someone else. Being able to prove who changed a code segment is crucial since one could either take credit for your commits if they’re not verified/signed, or they could in turn blame you for a bug that they introduced, whilst it was not your commit - but tagged along from your GitHub account.”