improving passphrase protected private keys

Sven Kieske svenkieske at gmail.com
Fri Jul 25 19:45:04 EST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I got a proposal
for a slight different default
private key encryption protocol.

Here is my understanding what
ssh-keygen currently does.

According to this article:

http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html

when you create a new key with a
passphrase to protect it, ssh-keygen
uses a hard-coded openssl call to do this:

It encrypts the private key with AES-128 in
CBC mode, and generates the encryption key
the following way:

1. "Append the first 8 bytes of the IV
to the passphrase, without a separator
(serves as a salt)."

2. "Take the MD5 hash of the resulting string (once)."

So my proposal is, to alter this
by using PKCS 8 as defined in RFC 5208
as is described in the above article.

This currently works already by converting
your key manually:

openssl pkcs8 -topk8 -v2 des3 \
    -in test_rsa_key.old -passin 'pass:super secret passphrase' \
    -out test_rsa_key -passout 'pass:super secret passphrase'

I didn't find any contradicting documentation
or stuff inside the SSH RFCs why this is not the default
yet.

I know this is just a little hardening
and just covers cases where your encrypted
private key gets stolen and is harder to bruteforce
due to the use of PBKDF2 instead of MD5.

What do you think about this?
Is there some error in my information
which prevents this from being the default
way ssh keys are generated?

Does this not work on all supported
plattforms?

Please keep me CC'ed in your answers
as I'm not subscribed to the list.

kind regards

Sven Kieske

PS: Thanks for this awesome free software
and your work!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQGcBAEBAgAGBQJT0icgAAoJEAq0kGAWDrql8vAL/2XS8mhAy5Z1acQBVVA/pLd3
5bLecQQCMEJL8l0zsYSV/6YHBUj7TI0DJleN0qh4OJG+rmK+XIOz4CnnjxY/p/tg
dgwy/XSXEqhoVqWajSP6Q+fiYsydAxqyTa7UXIuGtzyWyqldK6x0n5ThTeNqX/LV
Qt1kLhIsD+w+0AmNN+ERI1uP72/Y1YhLluIC91lA+OrcL0RRkptXN6Vjo2WYR2e9
Edbk55N8J4Dli7YdycSs0fRykad3zjPqH/KxwOopil7+tis1dJTJIBawZaCWs0nq
7OJzF3bs+7smN5342KscO6hpSZ5igOQH2MkS3SXi8D6E5hX9KODupBtu8eZ7qvdN
4qtYno1EMaVJZUCRALmrqAxtVnkGGvDdzNC3dPGEXPgXq4QTHll9aMbWN4R3rOuC
FzMCK97u3DA2ss7+6nY7A1gRSedMPisLGn4fsCYmYn+nVBFKK9s4NXzrGocPgpsA
koNhXZCG2B0554NBNincT4gyO++fPQtUtLqKge/msw==
=lUo9
-----END PGP SIGNATURE-----

More information about the openssh-unix-dev mailing list