From 2b6be62d56d341e71ac81d9061f27d9edca2f311 Mon Sep 17 00:00:00 2001 From: brent s Date: Mon, 7 Mar 2022 02:34:27 -0500 Subject: [PATCH] ed25519, rsa ref done --- _ref/KEY_GUIDE.adoc | 20 +- _ref/KEY_GUIDE.html | 2015 +++++++++++++++++++++++- _ref/ed25519/main.adoc | 15 + _ref/ed25519/private/legacy/main.adoc | 7 + _ref/ed25519/private/main.adoc | 5 + _ref/ed25519/private/v1/encrypted.adoc | 146 ++ _ref/ed25519/private/v1/main.adoc | 3 + _ref/ed25519/private/v1/plain.adoc | 98 ++ _ref/ed25519/public.adoc | 30 + _ref/rsa/main.adoc | 6 +- _ref/rsa/private/legacy/encrypted.adoc | 76 +- _ref/rsa/private/legacy/main.adoc | 1 + _ref/rsa/private/legacy/plain.adoc | 65 +- _ref/rsa/private/main.adoc | 7 +- _ref/rsa/private/v1/encrypted.adoc | 315 +++- _ref/rsa/private/v1/main.adoc | 1 + _ref/rsa/private/v1/plain.adoc | 227 ++- _ref/rsa/public.adoc | 9 +- 18 files changed, 3013 insertions(+), 33 deletions(-) create mode 100644 _ref/ed25519/main.adoc create mode 100644 _ref/ed25519/private/legacy/main.adoc create mode 100644 _ref/ed25519/private/main.adoc create mode 100644 _ref/ed25519/private/v1/encrypted.adoc create mode 100644 _ref/ed25519/private/v1/main.adoc create mode 100644 _ref/ed25519/private/v1/plain.adoc create mode 100644 _ref/ed25519/public.adoc diff --git a/_ref/KEY_GUIDE.adoc b/_ref/KEY_GUIDE.adoc index 045b57a..3c02664 100644 --- a/_ref/KEY_GUIDE.adoc +++ b/_ref/KEY_GUIDE.adoc @@ -13,6 +13,7 @@ Last updated {localdatetime} :idprefix: :toclevels: 7 :source-highlighter: rouge +:docinfo: shared == Purpose This document attempts to present a much more detailed, thorough, and easily-understood form of the key formats used by OpenSSH. The extent of those formats' canonical documentation is https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[the OpenSSH source tree's `PROTOCOL.key`^], which is a little lacking. 
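Review bot: `:docinfo: shared` makes Asciidoctor look for `docinfo.html` (and `docinfo-footer.html`) next to KEY_GUIDE.adoc, but no docinfo file appears in this commit's 18-file list, so the attribute has no visible effect until that file is added; either add it here or say in the commit message where it lives, otherwise whatever the docinfo was meant to inject is silently missing from the generated page.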
@@ -35,14 +36,29 @@ A:: The key type (e.g. `ssh-rsa`, `ssh-ed25519`, etc.) B:: The public key itself, Base64footnote:[https://datatracker.ietf.org/doc/html/rfc4648]-encoded C:: The key's comment -The structures specified in the breakdowns later in this document describe the _decoded_ version of *B* *_only_*. +The structures specified in the breakdowns later in this document describe the _decoded_ version of *B* *_only_*. They are specific to each keytype and format version starting with item `2.0`. === New "v1" Format ==== Private Keys + +Private key structures have been retooled in the "v1" format. In recent OpenSSH versions, all new keys use the v1 format. They no longer are in straight PEM-compatible format. + +Refer to https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key[`PROTOCOL.key`^] for a (very) general description, or each key's specific breakdown for more detailed information. + +The v1 format offers several benefits over the legacy format, including: + +* customizable key derivation and encryption ciphers for encrypted private keys +* embedded comments +* embedded public key (no need to derive from the private key) +* "checksumming" to confirm proper decryption for encrypted keys + ==== Public Keys +All public keys in v1 continue to use the same packed binary format as <>. + == Keytype-Specific Breakdowns + include::rsa/main.adoc[] -=== ED25519 +include::ed25519/main.adoc[] diff --git a/_ref/KEY_GUIDE.html b/_ref/KEY_GUIDE.html index b427d5e..9334206 100644 --- a/_ref/KEY_GUIDE.html +++ b/_ref/KEY_GUIDE.html @@ -657,7 +657,7 @@ pre.rouge {
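Review bot: "They no longer are in straight PEM-compatible format" in the new Private Keys paragraph is imprecise, because the v1 examples added later in this patch are still PEM-armored (`-----BEGIN OPENSSH PRIVATE KEY-----`); what changed is that the Base64 payload is OpenSSH's own packed binary rather than the PKCS #1 structure the legacy `RSA PRIVATE KEY` examples carry. Suggest: "They are still PEM-armored, but the Base64 payload is no longer the PKCS #1 structure." Also "In recent OpenSSH versions, all new keys use the v1 format" would be more useful with the OpenSSH version that made v1 the ssh-keygen default.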

OpenSSH Key Structure Guide

brent saner <bts@square-r00t.net>, https://r00t2.io
-Last updated 2022-03-06 04:09:26 -0500 +Last updated 2022-03-07 02:34:27 -0500
-

The structures specified in the breakdowns later in this document describe the decoded version of B only.

+

The structures specified in the breakdowns later in this document describe the decoded version of B only. They are specific to each keytype and format version starting with item 2.0.

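Review bot: "starting with item 2.0" in the rewritten sentence is ambiguous: in the public-key breakdown later in this patch item 2.0 is the RSA modulus, and items 0.0/1.0 (keytype string, exponent) are just as keytype-specific, so state whether "2.0" means a section number or a structure item. Separately, the regenerated KEY_GUIDE.html carries a fresh "Last updated" timestamp on every commit, which turns each source edit into a multi-thousand-line HTML diff (2015 lines here); consider generating the HTML in CI or dropping the timestamp from the committed output.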
@@ -760,11 +809,37 @@ pre.rouge {

2.2. New "v1" Format

2.2.1. Private Keys

- +
+

Private key structures have been retooled in the "v1" format. In recent OpenSSH versions, all new keys use the v1 format. They no longer are in straight PEM-compatible format.

+
+
+

Refer to PROTOCOL.key for a (very) general description, or each key’s specific breakdown for more detailed information.

+
+
+

The v1 format offers several benefits over the legacy format, including:

+
+
+
    +
  • +

    customizable key derivation and encryption ciphers for encrypted private keys

    +
  • +
  • +

    embedded comments

    +
  • +
  • +

    embedded public key (no need to derive from the private key)

    +
  • +
  • +

    "checksumming" to confirm proper decryption for encrypted keys

    +
  • +
+

2.2.2. Public Keys

- +
+

All public keys in v1 continue to use the same packed binary format as the legacy format.

+
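Review bot: two items in the new benefits list overstate what the rest of this patch documents. "customizable key derivation" conflicts with the v1 (Encrypted) tip later in the same file, which says bcrypt_pbkdf is the only supported KDF; what is tunable is the cipher (1.0.0) and the round count (3.0.1), so say that. '"checksumming" to confirm proper decryption' describes the two checkint fields (4.0.1.0 / 4.0.1.1), which per the cited PROTOCOL.key are two copies of one random uint32 compared after decryption: a match confirms the passphrase was right with probability about 1 - 2^-32, but it is not a checksum over the key material and provides no integrity protection on its own. Suggest "cipher and KDF work factor are tunable" and "a check value that detects a wrong passphrase on decryption".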
@@ -778,7 +853,10 @@ pre.rouge {

RSA[3] is a widely-supported PKI system. It is ubiquitous, but it is recommended to use newer systems (e.g. ED25519) for OpenSSH if all clients and destinations support it.

-

The key structures have references to the RSA notations in single quotes. You can find these enumerated in RFC 8017 § 2. See also the Wikipedia article.

+

The key structures have references to the RSA notations in single quotes. You can find these enumerated in RFC 8017 § 2 or RFC 8017 § 3.2. See also the Wikipedia article.

+
+
+

It is highly recommended to use 4096-bit RSA if using RSA keys.

3.1.1. Public

@@ -797,11 +875,11 @@ pre.rouge { 5 6
0 uint32 allocator for 0.0 (4 bytes)
-    0.0 Public key type string (ASCII bytes; length defined above)
+    0.0 Public key type string (ASCII bytes)
 1 uint32 allocator for 1.0 (4 bytes)
-    1.0 Public exponent ('e')
+    1.0 Public exponent ('e') (hex numeric)
 2 uint32 allocator for 2.0 (4 bytes)
-    2.0 modulus ('n')
+    2.0 modulus ('n') (bytes)
 
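Review bot: labelling 1.0 as "(hex numeric)" and 2.0 as "(bytes)" gives the exponent and modulus different types when they are the same SSH wire type, mpint (RFC 4251 § 5): a length-prefixed big-endian two's-complement integer with a leading 0x00 byte whenever the top bit is set. That is exactly why the example modulus at 4.0.0.2.0 starts with 00 and is 513 bytes for a 4096-bit key, and why e is the three bytes 010001 rather than a fixed-width integer. Suggest "(mpint)" for both, with a one-line mpint definition near the start of the breakdowns so the leading 00 is explained once.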
@@ -871,20 +949,1922 @@ pre.rouge {

3.1.2. Private

-
3.1.2.1. Legacy
+
3.1.2.1. Legacy (Plain)
+
+
3.1.2.1.1. Structure
-

TODO

+

Legacy private keys are encoded in standard RSA PEM format (RFC 7468 § 10, APPENDIX-A).

+
+
+
+
3.1.2.1.2. Example
+
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+
-----BEGIN RSA PRIVATE KEY-----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=
+-----END RSA PRIVATE KEY-----
+
+
+
+
+
+
+
3.1.2.2. Legacy (Encrypted)
+
+
3.1.2.2.1. Structure
+
+

Legacy private keys are encoded in standard RSA PEM format (RFC 7468 § 11, APPENDIX-A).

-

TODO -===== v1

+

The Proc-Type field is defined in RFC 1421 § 4.6.1.1.
+The DEK-Info field is defined in RFC 1421 § 4.6.1.3.

+
+
+
+
3.1.2.2.2. Example
+
+

The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is testpassword.

+
+
+

As shown by the header’s fields, it is encrypted using AES128-CBC with the IV of 822FAE7B2F5921CBD9143EDE93B22DFA.

+
+
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+52
+53
+54
+
-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,822FAE7B2F5921CBD9143EDE93B22DFA
+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-----END RSA PRIVATE KEY-----
+
+
+
+
+

See the plaintext example for the decrypted (non-password-protected) version of this key.

+
+
+
+
+
3.1.2.3. v1 (Plain)
+
+ + + + + +
+
Tip
+
+
+

Since plaintext/unencrypted keys do not have a cipher or KDF (as there’s no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options).

+
+
+
+
+
3.1.2.3.1. Structure
+
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+
0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
+1.0 uint32 allocator for 1.0.0 (4 bytes)
+	1.0.0 cipher name string (ASCII bytes)
+2.0 uint32 allocator for 2.0.0 (4 bytes)
+	2.0.0 KDF name string (ASCII bytes)
+3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure)
+4.0 uint32 counter for # of keys (4 bytes)
+	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
+		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
+			4.0.0.0.0 public key #n keytype string (ASCII bytes)
+		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
+			4.0.0.1.0 public exponent ('e')
+		4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes)
+			4.0.0.2.0 modulus ('n')
+    4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes)
+        4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes)
+        4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes)
+        4.0.1.2 copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes)
+            4.0.1.2.0 copy of 4.0.0.0.0 (ASCII bytes)
+        4.0.1.3 copy of 4.0.0.2; allocator for 4.0.1.3.0 (4 bytes)
+            4.0.1.3.0 copy of 4.0.0.2.0 (bytes)
+        4.0.1.4 copy of 4.0.0.1; allocator for 4.0.1.4.0 (4 bytes)
+            4.0.1.4.0 copy of 4.0.0.1.0 (bytes)
+        4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes)
+            4.0.1.5.0 private exponent ('d')
+        4.0.1.6 uint32 allocator for 4.0.1.6.0 (4 bytes)
+            4.0.1.6.0 CRT helper value ('q^(-1) % p')
+        4.0.1.7 uint32 allocator for 4.0.1.7.0 (4 bytes)
+            4.0.1.7.0 prime #1 ('p')
+        4.0.1.8 uint32 allocator for 4.0.1.8.0 (4 bytes)
+            4.0.1.8.0 prime #2 ('q')
+        4.0.1.9 uint32 allocator for 4.0.1.9.0 (4 bytes)
+            4.0.1.9.0 comment for key #n string (ASCII bytes)
+        4.0.1.10 sequential padding
+
+
+
+
+ + + + + +
+
Note
+
+
+

Chunk 3.0.0 to 3.0.1: These blocks are not present in unencrypted keys (see the encrypted key structure for what these look like). 3.0 reflects this, as it’s always going to be 00000000 (0).

+
+
+

Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

+
+
+

Chunk 4.0.0.1.0, 4.0.0.2.0, 4.0.1.3.0, 4.0.1.4.0: Note that the ordering of e/n in 4.0.0 is changed to n/e in 4.0.1.

+
+
+

Chunk 4.0.1.10: The padding used aligns the private key (4.0.1.0 to 4.0.1.9.0) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used.

+
+
+
+
+
+
3.1.2.3.2. Example
+
+

The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is test.

+
+
+
id_rsa Format
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+
-----BEGIN OPENSSH PRIVATE KEY-----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+-----END OPENSSH PRIVATE KEY-----
+
+
+
+
+
Structure Reference (Hex) (Decoded Base64)
+
+
  1
+  2
+  3
+  4
+  5
+  6
+  7
+  8
+  9
+ 10
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 17
+ 18
+ 19
+ 20
+ 21
+ 22
+ 23
+ 24
+ 25
+ 26
+ 27
+ 28
+ 29
+ 30
+ 31
+ 32
+ 33
+ 34
+ 35
+ 36
+ 37
+ 38
+ 39
+ 40
+ 41
+ 42
+ 43
+ 44
+ 45
+ 46
+ 47
+ 48
+ 49
+ 50
+ 51
+ 52
+ 53
+ 54
+ 55
+ 56
+ 57
+ 58
+ 59
+ 60
+ 61
+ 62
+ 63
+ 64
+ 65
+ 66
+ 67
+ 68
+ 69
+ 70
+ 71
+ 72
+ 73
+ 74
+ 75
+ 76
+ 77
+ 78
+ 79
+ 80
+ 81
+ 82
+ 83
+ 84
+ 85
+ 86
+ 87
+ 88
+ 89
+ 90
+ 91
+ 92
+ 93
+ 94
+ 95
+ 96
+ 97
+ 98
+ 99
+100
+101
+102
+103
+104
+
0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
+1.0 0000000a (10)
+    1.0.0 6165733235362d637472 ("none")
+2.0 00000006 (6)
+    2.0.0 626372797074 ("none")
+3.0 00000000 (0)
+4.0 00000001 (1)
+    4.0.0 00000217 (535)
+        4.0.0.0 00000007 (7)
+            4.0.0.0.0 7373682d727361 ("ssh-rsa")
+        4.0.0.1 00000003 (3)
+            4.0.0.1.0 010001 (65537)
+        4.0.0.2 00000201 (513)
+            4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
+                      cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
+                      4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
+                      2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
+                      b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
+                      d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
+                      0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
+                      55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
+                      2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
+                      f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
+                      0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
+                      37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
+                      f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
+                      dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
+                      5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
+                      bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
+                      07 (bytes)
+    4.0.1 00000750 (1872)
+        4.0.1.0 53834712 (1401112338)
+        4.0.1.1 53834712 (1401112338)
+        4.0.1.2 00000007 (7)
+            4.0.1.2.0 7373682d727361 ("ssh-rsa")
+        4.0.1.3 00000201 (513)
+            4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
+                      cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
+                      4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
+                      2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
+                      b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
+                      d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
+                      0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
+                      55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
+                      2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
+                      f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
+                      0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
+                      37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
+                      f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
+                      dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
+                      5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
+                      bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
+                      07 (bytes)
+        4.0.1.4 00000003 (3)
+            4.0.1.4.0 010001 (65537)
+        4.0.1.5 00000200 (512)
+            4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d
+                      a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1
+                      e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0
+                      eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3
+                      854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465
+                      12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5
+                      9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f
+                      c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7
+                      00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d
+                      5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c
+                      acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef
+                      2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3
+                      a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c
+                      dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163
+                      e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804
+                      1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes)
+        4.0.1.6 00000100 (256)
+            4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7
+                      505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b
+                      3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952
+                      b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b
+                      34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305
+                      53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7
+                      2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a
+                      137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98 (bytes)
+        4.0.1.7 00000101 (257)
+            4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0
+                      56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7
+                      7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a
+                      d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728
+                      23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab
+                      cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71
+                      ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a
+                      292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe
+                      99 (bytes)
+        4.0.1.8 00000101 (257)
+            4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2
+                      b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f
+                      9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb
+                      05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227
+                      1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a
+                      b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1
+                      9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341
+                      e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e
+                      9f (bytes)
+        4.0.1.9 00000018 (24)
+            4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string")
+        4.0.1.10 010203 ([1 2 3], 3 bytes)
+
+
+
+
+
+
+
3.1.2.4. v1 (Encrypted)
+
+ + + + + +
+
Tip
+
+
+

Currently, the only supported KDF is bcrypt_pbkdf (bcrypt).

+
+
+

See the following for more details:

+
+ +
+
+
+ + + + + +
+
Tip
+
+
+

You can get a list of supported ciphers (1.0.0) via ssh -Q cipher on most systems. +Note that 1.0.0 has nothing to do with SSH connections themselves; it’s only for the encryption of 4.0.1.

+
+
+

This is likely going to be:

+
+
+
    +
  • +

    3des-cbc

    +
  • +
  • +

    aes128-cbc

    +
  • +
  • +

    aes192-cbc

    +
  • +
  • +

    aes256-cbc

    +
  • +
  • +

    rijndael-cbc@lysator.liu.se (may not be present on all systems)

    +
  • +
  • +

    aes128-ctr

    +
  • +
  • +

    aes192-ctr

    +
  • +
  • +

    aes256-ctr

    +
  • +
  • +

    aes128-gcm@openssh.com

    +
  • +
  • +

    aes256-gcm@openssh.com

    +
  • +
  • +

    chacha20-poly1305@openssh.com

    +
  • +
+
+
+

The author recommends using aes256-ctr. It is currently the upstream default.

+
+
+
+
+
3.1.2.4.1. Structure
+
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+
+0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
+1.0 uint32 allocator for 1.0.0 (4 bytes)
+	1.0.0 cipher name string (ASCII bytes)
+2.0 uint32 allocator for 2.0.0
+	2.0.0 KDF name string (ASCII bytes)
+3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes)
+    3.0.0 uint32 allocator for 3.0.0.0 (4 bytes)
+        3.0.0.0 Salt/IV (bytes)
+    3.0.1 uint32 for number of rounds/"work factor" (4 bytes)
+4.0 uint32 counter for # of keys (4 bytes)
+	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
+		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
+			4.0.0.0.0 public key #n keytype string (ASCII bytes)
+		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
+			4.0.0.1.0 public exponent ('e')
+		4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes)
+			4.0.0.2.0 modulus ('n')
+	4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes)
+		4.0.1.0 <ENCRYPTED BLOB>
+
+
+
+
+ + + + + +
+
Note
+
+
+

Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

+
+
+

Chunk 4.0.1.0: When decrypted, this is equivalent to the plaintext 4.0.1.0 to 4.0.1.6. It uses a padded size appropriate to the encryption cipher used.

+
+
+
+
+
+
3.1.2.4.2. Example
+
+

The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is test.

+
+
+
id_rsa Format
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+
-----BEGIN OPENSSH PRIVATE KEY-----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+-----END OPENSSH PRIVATE KEY-----
+
+
+
+
+
Structure Reference (Hex) (Decoded Base64)
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+52
+53
+54
+55
+56
+57
+58
+59
+60
+61
+62
+63
+64
+65
+66
+67
+68
+69
+70
+71
+72
+73
+74
+75
+76
+77
+78
+79
+80
+81
+82
+83
+84
+85
+86
+87
+88
+89
+90
+91
+92
+93
+
0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
+1.0 0000000a (10)
+    1.0.0 6165733235362d637472 ("aes256-ctr")
+2.0 00000006 (6)
+    2.0.0 626372797074 ("bcrypt")
+3.0 00000018 (24)
+    3.0.0 00000010 (16)
+        3.0.0.0 07d4b07c0b128348916488008d6e130b (bytes)
+    3.0.1 00000064 (100)
+4.0 00000001 (1)
+    4.0.0 00000217 (535)
+        4.0.0.0 00000007 (7)
+            4.0.0.0.0 7373682d727361 ("ssh-rsa")
+        4.0.0.1 00000003 (3)
+            4.0.0.1.0 010001 (65537)
+        4.0.0.2 00000201 (513)
+            4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
+                      cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
+                      4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
+                      2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
+                      b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
+                      d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
+                      0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
+                      55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
+                      2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
+                      f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
+                      0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
+                      37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
+                      f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
+                      dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
+                      5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
+                      bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
+                      07 (bytes)
+    4.0.1 00000750 (1872)
+        4.0.1.0 966e2ce435242fef09787f6e8d93a563092e3f3bc986b44198c81e8049c5c944
+                419effc0521401dc1ef5bc0e4d6aedeb7d05880bc3f731698b9bceeceae08e5e
+                05f79f4d22de953c899c3271850e80e804f9b1a79bcec31bba11c08db60f9bd2
+                206bc3d7bfef74895e4f4e3720649f924544f4a2cea5b9dfb9cc0a2bd8f3ba70
+                f4ba2e7f42960465c9eade118630f9c832fe84ef548529979d0d6ea079f9d5c4
+                0e396b098fc509448d26de3cb484b0334afacaba371b52c37c120a5623170c1d
+                0a39348a151c9fb8aab1049f52cf0c08c77144af314259a90848f3dc62e5831f
+                ac08720b1c813506f1db1e7940def52dc46c97d6363cda0ff7e2258e2637d2e0
+                9f26099bbfeac78819198b78374d2424537fe549a2ab3dddaf5f7fdb739c3921
+                064b04f6ffcfeb5544db533179038e11d0cc622992bc6d0600584d4068a2891d
+                c748c9c16be32c2a08e96caa2ddec4ddd1a2ab3b018a0b0f166a15ac870a30c8
+                0cc897dbf15af7e8c2915b3616f237a6646e43c665f7569a5ed1850ad8cd0540
+                06d389568db55393e780e752ace8f06b70f1e99d86b9445d9c1a7a6476bcbf48
+                4400a58e5a5a73d2c20d630a9985bbf4c691abb61ee4515aa64a727e7bac4a5e
+                d7bb5f767c7dcf0035904231283d92445863702a995e792bde1d5ac7dd624898
+                7b9fe4b0a6f1837ce4fbaa032ff4671a86be8c7e4f9be3718212ead0a6f1b429
+                88863bf80af17a9814f1ffbed6c81e7f59de5b8c71b9f571fc556cc56aee22be
+                1b57d48f8ca76a379847c67d0ceb43ead101355e541a57c254ae814f058a0361
+                92f49d96236c88428e5f54dafefd1a5b8ca12d85cf3833d38d816c6e0e205143
+                f33e353c471abc978d28d1ac89a724d5aab3e7c48015c5cd3a6f31c258cef131
+                2574e692c6e495a2a8efbee785a9fe1c727379ea1fdc5b492a83a4aff7b3945a
+                ef503a95dc52b21474172bb54054b106342f2bde6bc38ad166c1a5c6d88685b8
+                067f529741b36991352d5df1291b9e3c746a71e2bda796fdddac29d0e2f3fadf
+                d1f0fd33da75bc6151d3ee27f6199e76c3b9e872fb63b54ad78b0fbe2be84f10
+                d7e48339c6e63364507074addc5a2bd8c4be5848c291bdb2740d3aa325c35039
+                6ce28e086eecdd6256f48fb7947b84e85759b1c7e6dd91223e3f828e4253a7ec
+                6d987ad61bd2179c229a20e8d97e6158cb0be734227698b4695c784c463cac3e
+                a7d538056d5062a895f8ae64549bd58484a60363ab81bc43e6fde0ee12477051
+                b53c970f063df2f0ff2fd655b7f81029be545cc841f7321d31304eeba210fdf8
+                fdad7e1bc8accd4d990c058b30817e85e2c5695ab92c1e129ac7471f338fdd39
+                4ede16071450c19061e07c135cbe87f01260b36206cbc169c85b9dda26fb3dff
+                5e7d68fd51a573402dbcc1dc7f49a1cb9c34100b9b3d0bb8b8639c69c7d47490
+                ab83c8918ad03ae62eee43165e452f854d8d4132186c21f742ee4a3cc614515a
+                dc7c08940838538503f5c4d5781e984cad93cf7a8d17a68d678b3466afbae362
+                055d5b6edb0007b59231d3040dbfec8b9782b39c391116f2037e218bfaba46c5
+                2c56180aeef241d918f214b0b6480b7382875ad9dace4496c3682ea2a697b5fe
+                43b107d93e1976b2540dbfda2ae223bc1a84d65e0d6702513b8cc442a25fb983
+                aadfa492d09e3dfd991f9f47470bb73369f634dd50dab26d129c3ba096ad7971
+                1f0ee4419c1226eb8da42674b2cf77e8f4a3f76ce9e9e249b4d1fcc778ef318d
+                bd6778556c0f9878ebe6e8324916d78280f23f7e3921b29b42bba6ca2d780399
+                ca4ed3cb2d036c9bed80b235809198422135e2d842c8f53a4dd59fe0bed889d4
+                7840164024b1f668cc566978d431eb2a07a20ed06e575551e1b030db1350e94c
+                929a028a5dc25340e3434f2250e3f49de171bb850875d280050e495544ba71b7
+                1ea36c2937ad6593e2b5bca28bc38e59cea91f26cd1ca8aa4bd9fbc1c605ae46
+                ae3f559b3a6ebf89ff569ff365c3cba4b4b91f665ffda397188fe23ea456c802
+                c47a8062844d404fab41a0fa83fd0dd66e4db51115f026197f4c89a1bf28246b
+                a9966ca2973b0f3afa43154896a56bfe2153dfaaa3ccd2ab011b7f91470cbdc0
+                4af7cfe1703de7040f4d7777b068769d4035377cc7664f406b5d69356aa33045
+                c4334a1e2ce602ea2b1ec666352d14b5996dad451a4cb886c66143dc25f8f1bc
+                f0ed253febc9733432eada35a6afc982749fa0ec680a881db06171ea37fa8338
+                1ec90a6afa2f269d9da07c8f302161e26c9a4c21c2560ced811bdf6be402d36a
+                e2f11f884351241e779a22f8b69a8e3eeaa676e7150143a66b3a92d4dace9f4f
+                9b61e3f7e0aa7656c818ecfb53303457d51e74e7ec89cf038c9a73f3834383e8
+                22d2f50c3a7775aa0e63b127a214db7490e488f7ee91782a90de32f4ab22601a
+                f7b190fcc6a292e42e2f8b69caace994b127e9f91532b6d8c3b7ce08f991d269
+                220bceeed7d4e6151523e63e41bcd27154fd3a7f7370c04b1258715413ec5f17
+                f51baa99e8e5cd59ac7af17daecd0e8926002403ab87a422e422a6fb1186b5bb
+                7db25faffedad247fd741b2461aa3b9612342142af10decefe00c00b37a667ad
+                7665fbc4085b5312bda690166245a93b (AES256-CTR encrypted block) (bytes)
+
+
+
+
+ + + + + +
+
Note
+
+
+

The decrypted 4.0.1.0 should match the plaintext key’s structure for 4.0.1.0 through 4.0.1.10. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.

+
+
+
+
+

When 4.0.1.0 is decrypted, it yields:

+
+
+
Decrypted 4.0.1.0
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+52
+53
+54
+55
+56
+57
+58
+59
+60
+61
+62
+63
+64
+65
+66
+67
+68
+69
+70
+71
+72
+73
+
4.0.1.0 0d98bd61 (228113761)
+4.0.1.1 0d98bd61 (228113761)
+4.0.1.2 00000007 (7)
+    4.0.1.2.0 7373682d727361 ("ssh-rsa")
+4.0.1.3 00000201 (513)
+    4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af
+              cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689
+              4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299
+              2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0
+              b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7
+              d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5
+              0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6
+              55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af
+              2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0
+              f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf
+              0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a
+              37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029
+              f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e
+              dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074
+              5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2
+              bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f
+              07 (bytes)
+4.0.1.4 00000003 (3)
+    4.0.1.4.0 010001 (65537)
+4.0.1.5 00000200 (512)
+    4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d
+              a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1
+              e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0
+              eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3
+              854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465
+              12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5
+              9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f
+              c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7
+              00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d
+              5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c
+              acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef
+              2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3
+              a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c
+              dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163
+              e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804
+              1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes)
+4.0.1.6 00000100 (256)
+    4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7
+              505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b
+              3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952
+              b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b
+              34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305
+              53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7
+              2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a
+              137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98
+4.0.1.7 00000101 (257)
+    4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0
+              56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7
+              7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a
+              d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728
+              23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab
+              cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71
+              ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a
+              292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe
+              99
+4.0.1.8 00000101 (257)
+    4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2
+              b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f
+              9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb
+              05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227
+              1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a
+              b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1
+              9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341
+              e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e
+              9f (bytes)
+4.0.1.9 00000018 (24)
+    4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string")
+4.0.1.10 010203 ([1 2 3], 3 bytes)
+
+
+
+
+

See the plaintext structure for details.

+

3.2. ED25519

- +
+

ED25519[4] is a relatively somewhat new OpenSSH key algorithm. It has numerous benefits over e.g. RSA, including:

+
+
+
    +
  • +

    fixed key sizes, so fixed pubkey sizes

    +
    +
      +
    • +

      and significantly shorter pubkeys, yet-

      +
    • +
    +
    +
  • +
  • +

    strength comparable to RSA4096, but-

    +
    +
      +
    • +

      much faster

      +
    • +
    +
    +
  • +
  • +

    public domain and developed by independent researchers; not tied to specific corporation (i.e. nothing like RSA)

    +
  • +
+
+
+

I recommend it over all other key types for new SSH keys as long as it’s supported by clients/servers.

+
+
+

3.2.1. Public

+
+
3.2.1.1. Structure
+
+

Public keys are stored in the following structure:

+
+
+
Key Structure
+
+
1
+2
+3
+4
+
0.0 uint32 allocator for 0.0.0 (4 bytes)
+	0.0.0 Public key key type string (ASCII bytes)
+1.0 uint32 allocator for 1.0.0 (4 bytes)
+	1.0.0 Public key payload (bytes)
+
+
+
+
+
+
3.2.1.2. Example
+
+
id_ed25519.pub Format
+
+
1
+
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQ4i8lzaE3WaFcTESK/8hLJg7umsWLE6XzRH3PDnZew This is a test key
+
+
+
+
+
Structure Reference (Hex) (Decoded Base64 component only; AAA…​nZew)
+
+
1
+2
+3
+4
+
0.0 0000000b (11)
+	0.0.0 7373682d65643235353139 ("ssh-ed25519")
+1.0 00000020 (32)
+	1.0.0 44388bc973684dd66857131122bff212c983bba6b162c4e97cd11f73c39d97b0 (bytes)
+
+
+
+
+
+
+

3.2.2. Private

+
+
3.2.2.1. Legacy
+
+ + + + + +
+
Note
+
+
+

ED25519 has no legacy format, as it was introduced after the introduction of the new key format.

+
+
+
+
+
+
3.2.2.2. v1 (Plain)
+
+ + + + + +
+
Tip
+
+
+

Since plaintext/unencrypted keys do not have a cipher or KDF (as there’s no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options).

+
+
+
+
+
3.2.2.2.1. Structure
+
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+
0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
+1.0 uint32 allocator for 1.0.0 (4 bytes)
+	1.0.0 cipher name string (ASCII bytes)
+2.0 uint32 allocator for 2.0.0 (4 bytes)
+	2.0.0 KDF name string (ASCII bytes)
+3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure)
+4.0 uint32 counter for # of keys (4 bytes)
+	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
+		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
+			4.0.0.0.0 public key #n keytype string (ASCII bytes)
+		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
+			4.0.0.1.0 public key #n payload (bytes)
+	4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes)
+        4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes)
+        4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes)
+        4.0.1.2 Copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes)
+            4.0.1.2.0 Copy of 4.0.0.0.0 (ASCII bytes)
+        4.0.1.3 Copy of 4.0.0.1; allocator for 4.0.1.3.0 (4 bytes)
+            4.0.1.3.0 Copy of 4.0.0.1.0 (bytes)
+        4.0.1.4 uint32 allocator for 4.0.1.4.0 (4 bytes)
+            4.0.1.4.0 Private key #n (bytes)
+        4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes)
+            4.0.1.5.0 comment for key #n string (ASCII bytes)
+        4.0.1.6 sequential padding
+
+
+
+
+ + + + + +
+
Note
+
+
+

Chunk 3.0.0 to 3.0.1: These blocks are not present in unencrypted keys (see the encrypted key structure for what these look like). 3.0 reflects this, as it’s always going to be 00000000 (0).

+
+
+

Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

+
+
+

Chunk 4.0.1.4.0: This is a 64-byte block for ED25519, but the second half of the private key ([32:]) is always the same as the public key.

+
+
+

Chunk 4.0.1.6: The padding used aligns the private key (4.0.1.0 to 4.0.1.5.0) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used.

+
+
+
+
+
+
3.2.2.2.2. Example
+
+
id_ed25519 Format
+
+
1
+2
+3
+4
+5
+6
+7
+
-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsAAAAJjPbUqwz21K
+sAAAAAtzc2gtZWQyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsA
+AAAEBqSF+KwoLTOqI6+TnpcaZY4ckcamLrBF8CvtJbNZflJ0Q4i8lzaE3WaFcTESK/8hLJ
+g7umsWLE6XzRH3PDnZewAAAAElRoaXMgaXMgYSB0ZXN0IGtleQECAw==
+-----END OPENSSH PRIVATE KEY-----
+
+
+
+
+
Structure Reference (Hex) (Decoded Base64)
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+
0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
+1.0 00000004 (4)
+    1.0.0 6e6f6e65 ("none")
+2.0 00000004
+    2.0.0 6e6f6e65 ("none")
+3.0 00000000 (0)
+4.0 00000001 (1)
+    4.0.0 00000033 (51)
+        4.0.0.0 0000000b (11)
+            4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519")
+        4.0.0.1 00000020 (32)
+            4.0.0.1.0 44388bc973684dd66857131122bff212
+                      c983bba6b162c4e97cd11f73c39d97b0 (bytes)
+    4.0.1 00000098 (141)
+        4.0.1.0 cf6d4ab0 (3480046256)
+        4.0.1.1 cf6d4ab0 (3480046256)
+        4.0.1.2 0000000b (11)
+            4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519")
+        4.0.1.3 00000020 (32)
+            4.0.1.3.0 44388bc973684dd66857131122bff212
+                      c983bba6b162c4e97cd11f73c39d97b0 (bytes)
+        4.0.1.4 00000040 (64)
+            4.0.1.4.0 6a485f8ac282d33aa23af939e971a658
+                      e1c91c6a62eb045f02bed25b3597e527
+                      44388bc973684dd66857131122bff212
+                      c983bba6b162c4e97cd11f73c39d97b0 (bytes)
+        4.0.1.5 00000012 (18)
+            4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key")
+        4.0.1.6 010203 ([1 2 3], 3 bytes)
+
+
+
+
+
+
+
3.2.2.3. v1 (Encrypted)
+
+ + + + + +
+
Tip
+
+
+

Currently, the only supported KDF is bcrypt_pbkdf (bcrypt).

+
+
+

See the following for more details:

+
+ +
+
+
+ + + + + +
+
Tip
+
+
+

You can get a list of supported ciphers (1.0.0) via ssh -Q cipher on most systems. +Note that 1.0.0 has nothing to do with SSH connections themselves; it’s only for the encryption of 4.0.1.

+
+
+

This is likely going to be:

+
+
+
    +
  • +

    3des-cbc

    +
  • +
  • +

    aes128-cbc

    +
  • +
  • +

    aes192-cbc

    +
  • +
  • +

    aes256-cbc

    +
  • +
  • +

    rijndael-cbc@lysator.liu.se (may not be present on all systems)

    +
  • +
  • +

    aes128-ctr

    +
  • +
  • +

    aes192-ctr

    +
  • +
  • +

    aes256-ctr

    +
  • +
  • +

    aes128-gcm@openssh.com

    +
  • +
  • +

    aes256-gcm@openssh.com

    +
  • +
  • +

    chacha20-poly1305@openssh.com

    +
  • +
+
+
+

The author recommends using aes256-ctr. It is currently the upstream default.

+
+
+
+
+
3.2.2.3.1. Structure
+
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+
0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes)
+1.0 uint32 allocator for 1.0.0 (4 bytes)
+	1.0.0 cipher name string (ASCII bytes)
+2.0 uint32 allocator for 2.0.0 (4 bytes)
+	2.0.0 KDF name string (ASCII bytes)
+3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes)
+	3.0.0 uint32 allocator for 3.0.0.0 (4 bytes)
+		3.0.0.0 Salt/IV (bytes)
+	3.0.1 uint32 for number of rounds/"work factor" (4 bytes)
+4.0 uint32 counter for # of keys (4 bytes)
+	4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes)
+		4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes)
+			4.0.0.0.0 public key #n keytype string (ASCII bytes)
+		4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes)
+			4.0.0.1.0 public key #n payload (bytes)
+	4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes)
+		4.0.1.0 <ENCRYPTED BLOB>
+
+
+
+
+ + + + + +
+
Note
+
+
+

Chunk 4.0: This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01).

+
+
+

Chunk 4.0.1.0: When decrypted, this is equivalent to the plaintext 4.0.1.0 to 4.0.1.6. It uses a padded size appropriate to the encryption cipher used.

+
+
+
+
+
+
3.2.2.3.2. Example
+
+

The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is test.

+
+
+
id_ed25519 Format
+
+
1
+2
+3
+4
+5
+6
+7
+8
+
-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBQEy9ykA
+1o4KMfnXW28KW8AAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIL+iAxqlRjET5A4W
+iWr1A8Upnq12sJy2OEb0HMTeF0D2AAAAoMSXd80NGn0323ehgUmRJ4+M6Z1XLixma5O5mG
+dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV
+2Zkal+8/CDj4qb/UPts0AxiWSQiPbPt4lG+5FONYrGq8ZGkQcvXyeIU02dQtf0BrxQkLMN
+8jy33YxcuTjkH6zW446IRbgWC/+EBZgRjUR8I=
+-----END OPENSSH PRIVATE KEY-----
+
+
+
+
+
Structure Reference (Hex) (Decoded Base64)
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+
0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00)
+1.0 0000000a (10)
+	1.0.0 6165733235362d637472 ("aes256-ctr")
+2.0 00000006 (6)
+	2.0.0 626372797074 ("bcrypt")
+3.0 00000018 (24)
+	3.0.0 00000010 (16)
+		3.0.0.0 50132f72900d68e0a31f9d75b6f0a5bc (bytes)
+	3.0.1 00000064 (100)
+4.0 00000001 (1)
+	4.0.0 00000033 (51)
+		4.0.0.0 0000000b (11)
+			4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519")
+		4.0.0.1 00000020 (32)
+			4.0.0.1.0 bfa2031aa5463113e40e16896af503c5
+					  299ead76b09cb63846f41cc4de1740f6 (bytes)
+	4.0.1 000000a0 (160)
+		4.0.1.0 c49777cd0d1a7d37db77a1814991278f
+			    8ce99d572e2c666b93b99867425c60da
+			    4652fddb8555098532b51beeee2959f9
+			    db5cf5a0905052720c5de25f2c4dd87e
+			    bcc7bb5ea3d7bcbeacc6b732e4c39295
+			    d9991a97ef3f0838f8a9bfd43edb3403
+			    189649088f6cfb78946fb914e358ac6a
+			    bc64691072f5f2788534d9d42d7f406b
+			    c5090b30df23cb7dd8c5cb938e41facd
+			    6e38e8845b8160bff840598118d447c2 (AES256-CTR encrypted block) (bytes)
+
+
+
+
+ + + + + +
+
Note
+
+
+

The decrypted 4.0.1.0 should match the plaintext key’s structure for 4.0.1 through 4.0.1.6. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size.

+
+
+
+
+

When 4.0.1.0 is decrypted, it yields:

+
+
+
Decrypted 4.0.1.0
+
+
 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+10
+11
+12
+13
+14
+15
+
4.0.1.0 f890d89a (4170242202)
+4.0.1.1 f890d89a (4170242202)
+4.0.1.2 0000000b (11)
+    4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519")
+4.0.1.3 00000020 (32)
+    4.0.1.3.0 bfa2031aa5463113e40e16896af503c5
+              299ead76b09cb63846f41cc4de1740f6 (bytes)
+4.0.1.4 00000040 (64)
+    4.0.1.4.0 ce6e2b8d638c9d5219dff455af1a90d0
+              a5b72694cfcedfb93bc1e1b1816dee98
+              bfa2031aa5463113e40e16896af503c5
+              299ead76b09cb63846f41cc4de1740f6 (bytes)
+4.0.1.5 00000012 (18)
+    4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key")
+4.0.1.6 0102030405060708090a0b ([1 2 3 4 5 6 7 8 9 10 11], 11 bytes)
+
+
+
+
+

See the plaintext structure for details.

+
+
+
+
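Review bot: the decimal gloss on the ED25519 plain private-key allocator in the rendered output is wrong: `4.0.1 00000098 (141)` should read `(152)`. 0x98 is 152, and the fields it covers add up to exactly that (4+4 checkints, 4+11 keytype, 4+32 public key, 4+64 private key, 4+18 comment, plus the 3 padding bytes shown at 4.0.1.6); the encrypted example's `4.0.1 000000a0 (160)` is the same arithmetic with 11 padding bytes, so the two examples currently disagree with each other. Since `KEY_GUIDE.html` is the generated form of the `.adoc` sources (the same text appears in the `_ref/ed25519/private/v1/plain.adoc` hunk of this patch), fix it in the source and regenerate rather than patching the HTML, and consider whether committing the rendered HTML at all is worth the drift it invites. Minor wording in the same hunk: "relatively somewhat new" should be one hedge or the other, and "Public key key type string" has a doubled word.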
@@ -900,10 +2880,13 @@ pre.rouge { + diff --git a/_ref/ed25519/main.adoc b/_ref/ed25519/main.adoc new file mode 100644 index 0000000..27113b6 --- /dev/null +++ b/_ref/ed25519/main.adoc @@ -0,0 +1,15 @@ + +=== ED25519 + +ED25519footnote:[https://datatracker.ietf.org/doc/html/rfc8709] is a relatively somewhat new OpenSSH key algorithm. It has numerous benefits over e.g. RSA, including: + +* fixed key sizes, so fixed pubkey sizes +** and significantly shorter pubkeys, yet- +* strength comparable to RSA4096, but- +** much faster +* public domain and https://ed25519.cr.yp.to/[developed by independent researchers^]; not tied to specific corporation (i.e. nothing like https://en.wikipedia.org/wiki/RSA_Security[RSA^]) + +I recommend it over all other key types for new SSH keys as long as it's supported by clients/servers. + +include::public.adoc[] +include::private/main.adoc[] diff --git a/_ref/ed25519/private/legacy/main.adoc b/_ref/ed25519/private/legacy/main.adoc new file mode 100644 index 0000000..5534d06 --- /dev/null +++ b/_ref/ed25519/private/legacy/main.adoc @@ -0,0 +1,7 @@ + +===== Legacy + +[NOTE] +==== +ED25519 has no legacy format, as it was introduced *after* the introduction of the new key format. +==== diff --git a/_ref/ed25519/private/main.adoc b/_ref/ed25519/private/main.adoc new file mode 100644 index 0000000..b6bff00 --- /dev/null +++ b/_ref/ed25519/private/main.adoc @@ -0,0 +1,5 @@ + +==== Private + +include::legacy/main.adoc[] +include::v1/main.adoc[] diff --git a/_ref/ed25519/private/v1/encrypted.adoc b/_ref/ed25519/private/v1/encrypted.adoc new file mode 100644 index 0000000..3902954 --- /dev/null +++ b/_ref/ed25519/private/v1/encrypted.adoc 
@@ -0,0 +1,146 @@ + +===== v1 (Encrypted) + +[TIP] +==== +Currently, the only supported KDF is *bcrypt_pbkdf* (`bcrypt`). + +See the following for more details: + +* https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf +* http://www.tedunangst.com/flak/post/bcrypt-pbkdf +* https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html +* https://datatracker.ietf.org/doc/html/rfc2898 +==== + +[TIP] +==== +You can get a list of supported ciphers (*1.0.0*) via `ssh -Q cipher` on most systems. +Note that *1.0.0* has nothing to do with SSH connections themselves; it's *only* for the encryption of *4.0.1*. + +This is likely going to be: + +* `3des-cbc` +* `aes128-cbc` +* `aes192-cbc` +* `aes256-cbc` +* `rijndael-cbc@lysator.liu.se` _(may not be present on all systems)_ +* `aes128-ctr` +* `aes192-ctr` +* `aes256-ctr` +* `aes128-gcm@openssh.com` +* `aes256-gcm@openssh.com` +* `chacha20-poly1305@openssh.com` + +The author recommends using `aes256-ctr`. It is currently the upstream default. 
+==== + +[id=struct_ed25519_crypt] +====== Structure + +[source,text,linenums] +---- +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 (4 bytes) + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) + 3.0.0 uint32 allocator for 3.0.0.0 (4 bytes) + 3.0.0.0 Salt/IV (bytes) + 3.0.1 uint32 for number of rounds/"work factor" (4 bytes) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public key #n payload (bytes) + 4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes) + 4.0.1.0 +---- + +[NOTE] +==== +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded `0x01`). + +*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <> *4.0.1.0* to *4.0.1.6*. It uses a padded size appropriate to the encryption cipher used. +==== + +[id=bytes_ed25519_crypt] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*. 
+ +.`id_ed25519` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBQEy9ykA +1o4KMfnXW28KW8AAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIL+iAxqlRjET5A4W +iWr1A8Upnq12sJy2OEb0HMTeF0D2AAAAoMSXd80NGn0323ehgUmRJ4+M6Z1XLixma5O5mG +dCXGDaRlL924VVCYUytRvu7ilZ+dtc9aCQUFJyDF3iXyxN2H68x7teo9e8vqzGtzLkw5KV +2Zkal+8/CDj4qb/UPts0AxiWSQiPbPt4lG+5FONYrGq8ZGkQcvXyeIU02dQtf0BrxQkLMN +8jy33YxcuTjkH6zW446IRbgWC/+EBZgRjUR8I= +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 0000000a (10) + 1.0.0 6165733235362d637472 ("aes256-ctr") +2.0 00000006 (6) + 2.0.0 626372797074 ("bcrypt") +3.0 00000018 (24) + 3.0.0 00000010 (16) + 3.0.0.0 50132f72900d68e0a31f9d75b6f0a5bc (bytes) + 3.0.1 00000064 (100) +4.0 00000001 (1) + 4.0.0 00000033 (51) + 4.0.0.0 0000000b (11) + 4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519") + 4.0.0.1 00000020 (32) + 4.0.0.1.0 bfa2031aa5463113e40e16896af503c5 + 299ead76b09cb63846f41cc4de1740f6 (bytes) + 4.0.1 000000a0 (160) + 4.0.1.0 c49777cd0d1a7d37db77a1814991278f + 8ce99d572e2c666b93b99867425c60da + 4652fddb8555098532b51beeee2959f9 + db5cf5a0905052720c5de25f2c4dd87e + bcc7bb5ea3d7bcbeacc6b732e4c39295 + d9991a97ef3f0838f8a9bfd43edb3403 + 189649088f6cfb78946fb914e358ac6a + bc64691072f5f2788534d9d42d7f406b + c5090b30df23cb7dd8c5cb938e41facd + 6e38e8845b8160bff840598118d447c2 (AES256-CTR encrypted block) (bytes) +---- + +[NOTE] +==== +The decrypted *4.0.1.0* should match the <> for *4.0.1* through *4.0.1.6*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size. 
+==== + +When *4.0.1.0* is decrypted, it yields: + +.Decrypted *4.0.1.0* +[source,text,linenums] +---- +4.0.1.0 f890d89a (4170242202) +4.0.1.1 f890d89a (4170242202) +4.0.1.2 0000000b (11) + 4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519") +4.0.1.3 00000020 (32) + 4.0.1.3.0 bfa2031aa5463113e40e16896af503c5 + 299ead76b09cb63846f41cc4de1740f6 (bytes) +4.0.1.4 00000040 (64) + 4.0.1.4.0 ce6e2b8d638c9d5219dff455af1a90d0 + a5b72694cfcedfb93bc1e1b1816dee98 + bfa2031aa5463113e40e16896af503c5 + 299ead76b09cb63846f41cc4de1740f6 (bytes) +4.0.1.5 00000012 (18) + 4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key") +4.0.1.6 0102030405060708090a0b ([1 2 3 4 5 6 7 8 9 10 11], 11 bytes) +---- + +See the <> for details. diff --git a/_ref/ed25519/private/v1/main.adoc b/_ref/ed25519/private/v1/main.adoc new file mode 100644 index 0000000..5154324 --- /dev/null +++ b/_ref/ed25519/private/v1/main.adoc @@ -0,0 +1,3 @@ + +include::plain.adoc[] +include::encrypted.adoc[] diff --git a/_ref/ed25519/private/v1/plain.adoc b/_ref/ed25519/private/v1/plain.adoc new file mode 100644 index 0000000..e339845 --- /dev/null +++ b/_ref/ed25519/private/v1/plain.adoc 
@@ -0,0 +1,98 @@ + +===== v1 (Plain) + +[TIP] +==== +Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options). +==== + +[id=struct_ed25519_plain] +====== Structure + +[source,text,linenums] +---- +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 (4 bytes) + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public key #n payload (bytes) + 4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes) + 4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes) + 4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes) + 4.0.1.2 Copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes) + 4.0.1.2.0 Copy of 4.0.0.0.0 (ASCII bytes) + 4.0.1.3 Copy of 4.0.0.1; allocator for 4.0.1.3.0 (4 bytes) + 4.0.1.3.0 Copy of 4.0.0.1.0 (bytes) + 4.0.1.4 uint32 allocator for 4.0.1.4.0 (4 bytes) + 4.0.1.4.0 Private key #n (bytes) + 4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes) + 4.0.1.5.0 comment for key #n string (ASCII bytes) + 4.0.1.6 sequential padding +---- + +[NOTE] +==== +*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0). + +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded `0x01`). 
+ +*Chunk 4.0.1.4.0:* This is a 64-byte block for ED25519, but the second half of the private key (`[32:]`) is always the same as the public key. + +*Chunk 4.0.1.6:* The padding used aligns the private key (*4.0.1.0* to *4.0.1.5.0*) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used. +==== + +[id=bytes_ed25519_plain] +====== Example + +.`id_ed25519` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsAAAAJjPbUqwz21K +sAAAAAtzc2gtZWQyNTUxOQAAACBEOIvJc2hN1mhXExEiv/ISyYO7prFixOl80R9zw52XsA +AAAEBqSF+KwoLTOqI6+TnpcaZY4ckcamLrBF8CvtJbNZflJ0Q4i8lzaE3WaFcTESK/8hLJ +g7umsWLE6XzRH3PDnZewAAAAElRoaXMgaXMgYSB0ZXN0IGtleQECAw== +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 00000004 (4) + 1.0.0 6e6f6e65 ("none") +2.0 00000004 + 2.0.0 6e6f6e65 ("none") +3.0 00000000 (0) +4.0 00000001 (1) + 4.0.0 00000033 (51) + 4.0.0.0 0000000b (11) + 4.0.0.0.0 7373682d65643235353139 ("ssh-ed25519") + 4.0.0.1 00000020 (32) + 4.0.0.1.0 44388bc973684dd66857131122bff212 + c983bba6b162c4e97cd11f73c39d97b0 (bytes) + 4.0.1 00000098 (141) + 4.0.1.0 cf6d4ab0 (3480046256) + 4.0.1.1 cf6d4ab0 (3480046256) + 4.0.1.2 0000000b (11) + 4.0.1.2.0 7373682d65643235353139 ("ssh-ed25519") + 4.0.1.3 00000020 (32) + 4.0.1.3.0 44388bc973684dd66857131122bff212 + c983bba6b162c4e97cd11f73c39d97b0 (bytes) + 4.0.1.4 00000040 (64) + 4.0.1.4.0 6a485f8ac282d33aa23af939e971a658 + e1c91c6a62eb045f02bed25b3597e527 + 44388bc973684dd66857131122bff212 + c983bba6b162c4e97cd11f73c39d97b0 (bytes) + 4.0.1.5 00000012 (18) + 4.0.1.5.0 5468697320697320612074657374206b6579 ("This is a test key") + 4.0.1.6 010203 ([1 2 3], 3 bytes) +---- 
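Review bot: two range/value problems in the `_ref/ed25519/private/v1/plain.adoc` structure and example. The line `4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5)` understates what the length covers: the value includes the padding, so it should read `(4.0.1.0 to 4.0.1.6)`, which also matches the encrypted section's note that the decrypted blob spans 4.0.1.0 to 4.0.1.6. In the example, `4.0.1 00000098 (141)` should be `(152)`: 0x98 = 152 = 149 bytes of fields plus the 3 padding bytes listed at 4.0.1.6, and 152 is the next multiple of the 8-byte block size the NOTE block itself names for plaintext keys. Minor: `2.0 00000004` is the only length line without its decimal gloss; add `(4)` for consistency with every other line. The NOTE block could also say what a reader should conclude when 4.0.1.0 and 4.0.1.1 do not match, since the structure only says they "should match" without saying what the pair is for.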
diff --git a/_ref/ed25519/public.adoc b/_ref/ed25519/public.adoc new file mode 100644 index 0000000..630835f --- /dev/null +++ b/_ref/ed25519/public.adoc @@ -0,0 +1,30 @@ + +==== Public +===== Structure +Public keys are stored in the following structure: + +.Key Structure +[source,text,linenums] +---- +0.0 uint32 allocator for 0.0.0 (4 bytes) + 0.0.0 Public key key type string (ASCII bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 Public key payload (bytes) +---- + +===== Example + +.`id_ed25519.pub` Format +[source,text,linenums] +---- +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQ4i8lzaE3WaFcTESK/8hLJg7umsWLE6XzRH3PDnZew This is a test key +---- + +.Structure Reference (Hex) (Decoded Base64 component only; `AAA...nZew`) +[source,text,linenums] +---- +0.0 0000000b (11) + 0.0.0 7373682d65643235353139 ("ssh-ed25519") +1.0 00000020 (32) + 1.0.0 44388bc973684dd66857131122bff212c983bba6b162c4e97cd11f73c39d97b0 (bytes) +---- diff --git a/_ref/rsa/main.adoc b/_ref/rsa/main.adoc index aef0740..76cdd3c 100644 --- a/_ref/rsa/main.adoc +++ b/_ref/rsa/main.adoc 
@@ -2,7 +2,9 @@ RSAfootnote:[https://datatracker.ietf.org/doc/html/rfc8017] is a widely-supported PKI system. It is ubiquitous, but it is recommended to use newer systems (e.g. ED25519) for OpenSSH if all clients and destinations support it. -The key structures have references to the RSA notations in single quotes. You can find these enumerated in https://datatracker.ietf.org/doc/html/rfc8017#section-2[RFC 8017 § 2]. See also the https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation[Wikipedia article^]. +The key structures have references to the RSA notations in single quotes. You can find these enumerated in https://datatracker.ietf.org/doc/html/rfc8017#section-2[RFC 8017 § 2] or https://datatracker.ietf.org/doc/html/rfc8017#section-3.2[RFC 8017 § 3.2^]. See also the https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation[Wikipedia article^]. + +It is *highly* recommended to use 4096-bit RSA if using RSA keys. include::public.adoc[] -include::private/main.adoc[] \ No newline at end of file +include::private/main.adoc[] diff --git a/_ref/rsa/private/legacy/encrypted.adoc b/_ref/rsa/private/legacy/encrypted.adoc index 6921cea..8cd6fcf 100644 --- a/_ref/rsa/private/legacy/encrypted.adoc +++ b/_ref/rsa/private/legacy/encrypted.adoc 
@@ -1,2 +1,76 @@ -TODO +===== Legacy (Encrypted) + +[id=struct_rsa_crypt_legacy] +====== Structure +Legacy private keys are encoded in standard RSA PEM format (https://datatracker.ietf.org/doc/html/rfc7468[RFC 7468^] § https://datatracker.ietf.org/doc/html/rfc7468#section-11[11^], https://datatracker.ietf.org/doc/html/rfc3447#appendix-A[APPENDIX-A^]). + +The `Proc-Type` field is defined in https://datatracker.ietf.org/doc/html/rfc1421.html#section-4.6.1.1[RFC 1421 § 4.6.1.1^]. + +The `DEK-Info` field is defined in https://datatracker.ietf.org/doc/html/rfc1421.html#section-4.6.1.3[RFC 1421 § 4.6.1.3^]. + +[id=bytes_rsa_crypt_legacy] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`testpassword`*. + +As shown by the header's fields, it is encrypted using _AES128-CBC_ with the IV of `822FAE7B2F5921CBD9143EDE93B22DFA`. + +[source,text,linenums] +---- +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,822FAE7B2F5921CBD9143EDE93B22DFA + +2vAiqYbBxVV+2LszZQ4ybpMIopqtL+mT6PZ/DNJWD9t7wUUynXS6fMBA45CRrsRI +VTtb1m+ZBo80WaY7PvbYUuX7BS4lWoJ9VFRwtVVPgN4CBOP8ILgQFvywY+yKZW/j +IB9m29XHN4GVxMZctsgUXfiff49juI4P0uVTRxwJ44HtqBFIYyRtQhhK4pcC7KlD +J4X7Fl4J6KRWXBktmZGy6wTLXcfekMwUAbgPuvswhsovjXbTjh0eJVMQbqyFg4N/ +hKEkeOznyVuZbAFnNB5johN/HlpoifGcmNh169FsZzuwMuDUOg//JmH2HgwYLCpy +JQgnsd6AqtlbZkTsoI4Mky0+a8A5y9iMl6Qw1AESt1ISb2k+iKtqXq0EkSzheB6a +aMtcSp7iIP5SKoV81Hl0L9Mnr8Ni/4HDNKLxi7msixN2v69ctB/m45bL3PMErVcm +7knY6Ps8jha/zGKVEQlEkCa7S/P5snb/MyMualc3PN/sAvWfcxLUi97pPU0HUZCX +RS1HR2Fc+FqfMAX+B+Zfr/cmlTSirrPQr387CDospv6UyzGgf6O5ZmGTp47T91mc +i/4GRHFUQ39nM9sD79fofk3Gdo/manhL1mFvti8Vy2jRXbwXuWhZNTy9J+gRkjR2 +X1NfRDaZlWfcDgUplqqZEbPFElRL8w00PTA4ZOWAt1a5jtQaNXh7JvnlC3oWDSW7 +RgAyAfvvUjigslfobMmMAbQt6gPcCHjnGMst11Xqcvw0c/+8sXVb5LOzAupOlb9B +lhPvgAuhr0k5azseCD0Y1uyahh5rcIcaN08KaLI1t/nWUYwvSfGx1ej14q1F/Y+Q +eDmS1695jWngX+FF1GdDzPRWYQhjeBl4V1dV+aTxLamWS8Oz4jk0pkzTwdl1yKDB 
+I60t6uhFpummMbKIqvFtOkpqdLjGXZ8bSVbgHu7uPyycJ+PZCgpn/fYxqJNvIhsO +x4QzKz1p6cFg0hxYKAcKqgIZUbmEu0MRr/VHDaR5K8AlSlVNz8ur62O4YEOslUFC +Tv8d0LBd80OyrhpoJhK7fplVbFx2jkmVkLSjbwTPWz7HxLO3u/fQ1+higQHbAGqg +75i4gpQVUDQE4KwPXjsjwhU1jrYyk2snnwmRa6yfYd61CI1lGJOycgm1tS90NNKA +/sZmBG2u/t+UFDX+cBIkdA6B4CwRaPmvo27jv1Mk3u4N/zp+FR9IUxCnc8Z3Fo7F +IKZAAEhtZniXG0t82aIXHdw7bQtH9eZsP/Il9ozaNW5Oky51AH/SCZT24vnOyc/U +RQPP8g+59bjeriG/QAZ/Ezv6TilW06i/0xOo9i8ZyJdtPLuQ9q9ijNydCCqB/yE/ +Q/VTYQxHV1GBmpb89p//VpeqKmyTFISGK3r+nTHelVLgy8zDLWSSRkDQEu2n+7ou +RwRli6ZrqsMBqhsBPcD/SzerRaq3AkstQ21C1fDpnBoXdRzx52wQcd3mKmspRLgc +w/V2zaJqzjKaqfqNaT3xBTns0BGUBMCzaE+YtSHe2+NiHnxioU8H2wQz0CM2rjJE +LBjfw4raTwrOSOufo7JqjMr5JrUeTy8Gqv1Wq8YrqmsPPrXmhhasxYrV/aqN96/m +UZgWVjD0G3NOHDcQ+yPQrjodPEbokeLb1y+Hw8os53sirWwKkUnPKK1tpZtsmCjR +wJTcaZVhGVdgWvxZnBGGvkDdxJBGisFc+IgnEWjgVxLiHkeXoyskgdB9zwYzNgJl +B0NuxgGnLpcNpTz11tPAvpJYHIFTgW/cjMfGh47hfJxCAyEa4qdlwk6YbvUHDEml +qzFMP70LbS18ck6SiP1ITVgxznT4CwuWXUdXTI1T1F9AY9u0Y5NPlB5SN7e/1Pq4 +1sf9NhUjgIVrxXoILUXDVreEcZj8B2zQOS4HcbQnQlUZuIbVKgot7UnHtTmALEu7 +YIYqKKr0GZCBpNi+qkBQd0RFsMNV6241X+BIwnHSIKBJ08PJ4O6H0RxK6KSshZV3 +bZGJcDrARHd/VbEmUE3pJbbesgwrOBvY9mh1iGHfYyoCabagdgEbXAqgAGKihvQ7 +l4J28BI4rbCU23U5BtBEGhHwhFC9tvkwx8/ImbzIwKqRXRN1fJys0ReYONWkOv7J +OBU3kvjhKUivcbAG6guz6hwP9I+450dE2Q4V54LabeQSZ3rfBk+SCXR6w6aX5us9 +ydLVqtUxvhyqP5/61seNWwDmvdB8A9DFKHuxPqhVKxhumfoe0T+zkOUmuVRLafIv +AGCxIVQBm1DEnuG/c6cMlgzw9qITrMgJAzqpyQDBslAxfa45+ViPHYFIpPhd+iGg +aaj6q9Clkl3tLoZvZ1D827zMfpq1Kaog9VsxQSiaAmpC5e/N+QaPunPIZTyDtaPj +5H7uCm27yHGG5z8yehmlDcPc2I1TjN24Dfzxi6AaiEZ/BAaUv8pTs3r4n2BAtzPm +u0zE1vw5UsZ59QmsHRgBO6z8IYA+HhNt+sd0krYfuJ1MUiSH03uhYAiGFoqHngAN +7w18EcsJPFUL1NTMy4dK6SaZFxIvPItbzf49Bwc03ruUt7Zy95Odz7UsjyD4msSE +q8/DAtzFPgztBlNieUH4N0w5Qu4x3hSx3/xgp9e+7njQo7mE+yySh7NPV27HaFKz +htsnuMaOzVMis9WLOq6egrsEaJ6BM3WRSPBa8ZjHdWYeVQ6WFLs2v7wX/j19Q9GZ +bdWkI1wBHcyz4MLUeJESFt3uqrHeNTLm5BWaGCeqtHeeHhoAquAJdjceLcDW7Le4 +tkQj3FxLFUCKlZt9H/gyDKwDhHShONFDWPbItKHrHlmSftsOiWNt7X9r9MEaxyWh 
+KIJcTV2JsrhDHcNHUDniSi0qYhVsAkLSng6xxy/A4bQIz0Jhp42+Sk0aJVj+DaBa +5K0ctJ1f/YoQv7SjOJAMEvoGLCVPFLFbWQpDhtvfpgB7g9/qpJKL5/ixDDgfRf58 +NN9CdVs/JPpuZiSmR86gAgHrDblaBcIOtUoKBPfZweiJKowN2li934JZRs2xuamv +HQEqEb9jJPj+eDv9FlCgCzBTdkiaLuuqU9agB6Ji8NMFDedj7rErkCUZ8tE9wqfY +ftSfkGNUzTzPFbF5iEukTvKm42a7F/I/ExMVgpN/eQxJ7+m5TOgja0KC1h5fCN4L +-----END RSA PRIVATE KEY----- +---- + +See the <> for the decrypted (non-password-protected) version of this key. diff --git a/_ref/rsa/private/legacy/main.adoc b/_ref/rsa/private/legacy/main.adoc index 36a4887..5154324 100644 --- a/_ref/rsa/private/legacy/main.adoc +++ b/_ref/rsa/private/legacy/main.adoc @@ -1,2 +1,3 @@ + include::plain.adoc[] include::encrypted.adoc[] diff --git a/_ref/rsa/private/legacy/plain.adoc b/_ref/rsa/private/legacy/plain.adoc index 6921cea..c204642 100644 --- a/_ref/rsa/private/legacy/plain.adoc +++ b/_ref/rsa/private/legacy/plain.adoc 
@@ -1,2 +1,65 @@ -TODO +===== Legacy (Plain) + +[id=struct_rsa_plain_legacy] +====== Structure + +Legacy private keys are encoded in standard RSA PEM format (https://datatracker.ietf.org/doc/html/rfc7468[RFC 7468^] § https://datatracker.ietf.org/doc/html/rfc7468#section-10[10^], https://datatracker.ietf.org/doc/html/rfc3447#appendix-A[APPENDIX-A^]). + +[id=bytes_rsa_plain_legacy] +====== Example + +[source,text,linenums] +---- +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEA0cey1didD//oq66foKO2IUqFAl0+EF9nMiDfu4LTM4SSoajP +Q02jewKP/GW9M7eFcDNf3UC5BUNkWym7uNzT6JlkKREZpe6AFsl4hNIfN+uoZSXA +5vUsqCW29+6lNALMwAHS835cMZPg2IIPQW21nudsMUH0+U4npwfc5jRButoxYnOT +LwbpTsDE8L1SXQdNojdfBQ/Ftk+mMr2E+boFv38lQMksfvY9nNhp5JKklyrmQtGv +2M1ChJXHKMCkspKpuIvM6ORIp5FMLmLpe1HR5HpxVFKGjCQaRhtwRnUrY69LhyEc +XtTt2O6OuiwFZbMcOTVSkGJUZ3qDKvRT9V4LA1WAvIKIqwkwNPoGdv8lVBgNL17c +32GTtb3eGg3zYl9pJu1bsofnm8KGrKGYG0qBWjSdKcpGLRvbPj3d0m0YPk1smCid +XnGCyzrG3gpMy0DS5SAyUl585rmfx/HJFtfSbhQTOR3lT1AMYRNNDej+pWX9ZAQC +82mnIdRLIXQL60BPLX/xRjHWva+0s3arfNhB1F0gxJWdMwCU7Fsd7M0m4bL519pt +t+fwnGgoEjOGDaiPzfARfi/IZ90npNmAS9WoDt94/uQdbGWXA9naww41z2IcuY5V +uPqeJkyqflA49GnYyiJz273fh3EnDqdudBTqAMZnUsRW/nJoNi64GldfXv0CAwEA +AQKCAgAldEcswRkBw0oSZQIhFzmsZfarfmRXXgE5xP7NJsV4nEHl1RL0TEdU7hcx +FCUct7Z+Wt3Rzf16wBaJ5ECc9+hpzgFBB8mRg6yg5OW8qRtjy5JsRLpVQg7wEpPB +Xn1mdN2Dpo+4Y6YoP+PUJBx/LQxRS7ZYcRNA88BGpTO+cjQOHWjV0BbGPbCoG+jN +pq+u5l/pB4PSjodZTo043/d+8sSV9Sh8ka59GI/VkhoN8lSqnMExyuhfh/5JV8iQ +MRz2uRLOXT9/kUqbiGiWm5heKTSVW3sid/2HxeZfAAUiv0a47JJKlRHQqKmyop0f +Bj8Mclcmq6uLFdNGCmyi3a6jz1+drKPovO8H9ZTKx7sujxbR1lIC1BPfzFQ1LzjT +A+n1Yp0gR9LA83TnzysGiYpl2MJYijbB8FPbXdJOMBNO63Jrr0DrF0VdI6Vf9GbA +HAmz+IbPD+ZTZNktzpv1MmTE+4W/7E/i22KwpJy+/6RYpkDCu3vTKS4L46BQsN4W +Gm2EL+kdzzmyCog3Vi6b0JRNd0dlKdZQKBanGtm4m3vx6PGhQFt0OZYu/QxDlLuK +YhlKDIpBdZTTL/PIk4xx89X826fm2DT3ZSK652YCiU35nO1VqU+hKl4gA1dhp4DN +/wg4LGFtwVhcwr1NyAC+nsFVTYU9Wszl+qpMOK/kKy7WH1K8rQKCAQEA/wXLJPeL +e3QG0E7TlMmOxq2yUFhu7WMybmhW5z3su9jHNxZ2qEP7Vzer4LiQNmnJiNKFQ8El 
+fjywSHINW1+OJXs3M6W3vQLw03XfYt69X2kC9uhooo0/xj8++YhVL4pmI9K7uI0Y +IkFI2I9rsV6rb7tiKdeFW9NK9AoGp5StSwrVWvgPLwWl4ipVvZhDcRK2VsD8DqNU +5QwX5l+wnFlR77XIi7c73UwbEictp7ZGwpDDVT7EBJRhruaybRoIGKHX4etJXPGz +J2L/YQII4H44e7L00qTvfpxNHcdaqqIdZ/Rn3hKqoQBa1lZJf3WjDq70lq26aJwC +h34COSjbwKM/HwKCAQEA0pWEU54DE4ybznDxUZsLgD1xPYpqMTKO6yAJijwMobFv +Py9nc25vK0u6RT1It7eIse7TilpUZPB9PDV3sL+kgH5mW1OpvvfMtmncAM68KM7R +XXBCcpCp0ke1DBNZtNLXFR8OSoJ2Vd2+XbeF7+uRHW4UCHtZttWPke8rokVCFXGN +JgM6ubF7QPNcZ/gSclhZORP5e4QR1tFppA3dN/ehLaU7Md45oqYRE9y5oONEdnQA +9b5t1vMqL3TgIHuD6m1nlITmmWSQIWm7BObAz1WmBpyluz8kVeLj8yu+My6VnxNl +0P1yEVck9mMlNqzgA6i0ilcPMJoU0M+2Fzr72yFKYwKCAQAPro2FYmuDVektWguM +tLBA62Fxq1523oi1XVkqsxYhnvzxGEKHqlaEUHoTQYYssmigL0HenrvtfVHhwpGr +sr6M83y7gk9AIjQo7LCl5ciDW3PBNx1oEYOAb1cyBP4oBDyvqz+744E+agFOv9MB +fy7Pmhg5NnWO5flP9GXgXDYjzTC9fU+BtrkypSPMmtZa16m6v/c/9y87Pnkhw3Sa +yKtPMEB6xvO5cfqgLSSTkZPcVwaL8WYgWfd/x9Pk/ZrN2PXrgIpsWriHjYDiuDtP +grN6d9CyO0423OmpER80Ku/f+pmAgGlZqSns0DWIzvUN7BhCQ8CYui81obwFQ8vv +lppFAoIBAD5UbxRo4rQ4nC1glKz43VCZ3xi+DWx+cHr7wpcd6wc5A5qKJ26tM053 +Xaz81Lc8JcO00vxSfERcQlU95i10q/Y0c4t4mfeiVP9xGeNLTboubR3hCmnqk7lf +7CCk4Zp6BZuE07AOKYSE28HVflljOlKhsGBKUmWhlJs3VYz0Pvkl4QdtUUaBV+AD +qEhFzv/1UoNofCGpF7ajyUb7q4zTSOu/ymOaSSjxSoC8hl0up6b/8wDJ2q0S0Fu3 +lldG9+a9dzkolTC16UtahjaPLmawDTJLz2o66EBbpejl+6gek76/+RUAz3B+gLxE +4FDsnmm216lS13YlRSABOv5pQP69Pc0CggEBAI8eT3npJUQX31Gej0KvN4h0Sq0t +eYtLF5+uEoDr+DTD0MHv6Cta0QpBKzvOljDtxqNTu8oiNkkhch4daXMOD/qfdk9y +C+befW1llA6ni6qNF5SlJWVZoyJgasAotzdK7bAIHmJ2BVc1NH5RWYipEWrcfwGA +JSpC9D6V5wxP0GQa3hl0X7w/2pFNfv7jZ3VeYP91xbn01r4hUdyR2ryOBd817t/N +aLB3RLkJazg7EKadnM5elAwFZ7PKWjnAyIYH6BoUbs3YonySFPpp9Z5SxidrRpb+ +Zb7jkiz4m88ol7ezdWZyHhVMZqy4bWMCI4moTDcpqJuox6JTQiO2Ajj2pFU= +-----END RSA PRIVATE KEY----- +---- diff --git a/_ref/rsa/private/main.adoc b/_ref/rsa/private/main.adoc index ea6179f..08c356c 100644 --- a/_ref/rsa/private/main.adoc +++ b/_ref/rsa/private/main.adoc 
@@ -1,5 +1,4 @@ ==== Private -===== Legacy -include::legacy/plain.adoc[] -include::legacy/encrypted.adoc[] -===== v1 + +include::legacy/main.adoc[] +include::v1/main.adoc[] diff --git a/_ref/rsa/private/v1/encrypted.adoc b/_ref/rsa/private/v1/encrypted.adoc index 6921cea..e37dd78 100644 --- a/_ref/rsa/private/v1/encrypted.adoc +++ b/_ref/rsa/private/v1/encrypted.adoc 
@@ -1,2 +1,315 @@ -TODO +===== v1 (Encrypted) + +[TIP] +==== +Currently, the only supported KDF is *bcrypt_pbkdf* (`bcrypt`). + +See the following for more details: + +* https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf +* http://www.tedunangst.com/flak/post/bcrypt-pbkdf +* https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html +* https://datatracker.ietf.org/doc/html/rfc2898 +==== + +[TIP] +==== +You can get a list of supported ciphers (*1.0.0*) via `ssh -Q cipher` on most systems. +Note that *1.0.0* has nothing to do with SSH connections themselves; it's *only* for the encryption of *4.0.1*. + +This is likely going to be: + +* `3des-cbc` +* `aes128-cbc` +* `aes192-cbc` +* `aes256-cbc` +* `rijndael-cbc@lysator.liu.se` _(may not be present on all systems)_ +* `aes128-ctr` +* `aes192-ctr` +* `aes256-ctr` +* `aes128-gcm@openssh.com` +* `aes256-gcm@openssh.com` +* `chacha20-poly1305@openssh.com` + +The author recommends using `aes256-ctr`. It is currently the upstream default. 
+==== + +[id=struct_rsa_crypt] +====== Structure + +[source,text,linenums] +---- + +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) + 3.0.0 uint32 allocator for 3.0.0.0 (4 bytes) + 3.0.0.0 Salt/IV (bytes) + 3.0.1 uint32 for number of rounds/"work factor" (4 bytes) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public exponent ('e') + 4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes) + 4.0.0.2.0 modulus ('n') + 4.0.1 uint32 allocator for encrypted private key structure blob #n (4.0.1.0) (4 bytes) + 4.0.1.0 +---- + +[NOTE] +==== +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01). + +*Chunk 4.0.1.0:* When decrypted, this is equivalent to the <> *4.0.1.0* to *4.0.1.6*. It uses a padded size appropriate to the encryption cipher used. +==== + +[id=bytes_rsa_crypt] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*. 
+ +.`id_rsa` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAH1LB8Cx +KDSJFkiACNbhMLAAAAZAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQC3zsBGAc4q +EvDJJMuaMOuZAGaBLLFDaRk/MLK5/dSvyzAMkY8qd9ZEEPNheufIyjGMJX08TfTixBCLu+ +k6holLoUs1dfL3IVC8OB3L+3QsehloZv0xhKzpZ2Gt2g/CmS9shm11aZGfwi2cS/DeQFqM +dtUZqipTKdxoJXdyKaXQt1OnglqJuVJ1+cAl4hU0PGyIzWaQoiH4rp72de5GTcfRGNpBBQ +fqXWtkid1gr9imZGSS2z4nnxp4JA24q72mxQcUyWNmUKcggef6XUcsFCiwfq5dFbZOoeKn +UIUS/pq2VfhqMTSG08yh3Y6QrMXJ+6TW52dQf7q586f2jHSBQq8qNwHTGoqbdRGViqdxh7 +pwLtk004WvzuQjgOleDn6bwPTSM2f8dwN0Fnt/CSb7b9ttBarRz9GRgkhFsBThgVO/DR08 +Ox+tuyWj8dFR+baEYz2MFpD82MrQWqwq6yPb8Zo35ICgCJEDGcEW1HvZJLOZQlQ7iKD2En +lSstjhKQ8wKfVCrr6cDI42zzKWhlzWZDyJJNVm6/SXGAk5mhrAlv4e3Dtfhxv17wtNRODq +J2INIFFC4L/PZ3tNsCVTISGj8HRapNBYYzFzMleFWlzsvjrEQD0E/wzAxYt8BJBLQCElwr +wqY6IOuzCcxvPmXbMBoFi42s4H5xs48/NZVDP2mxmPBwAAB1CWbizkNSQv7wl4f26Nk6Vj +CS4/O8mGtEGYyB6AScXJREGe/8BSFAHcHvW8Dk1q7et9BYgLw/cxaYubzuzq4I5eBfefTS +LelTyJnDJxhQ6A6AT5saebzsMbuhHAjbYPm9Iga8PXv+90iV5PTjcgZJ+SRUT0os6lud+5 +zAor2PO6cPS6Ln9ClgRlyereEYYw+cgy/oTvVIUpl50NbqB5+dXEDjlrCY/FCUSNJt48tI +SwM0r6yro3G1LDfBIKViMXDB0KOTSKFRyfuKqxBJ9SzwwIx3FErzFCWakISPPcYuWDH6wI +cgscgTUG8dseeUDe9S3EbJfWNjzaD/fiJY4mN9LgnyYJm7/qx4gZGYt4N00kJFN/5Umiqz +3dr19/23OcOSEGSwT2/8/rVUTbUzF5A44R0MxiKZK8bQYAWE1AaKKJHcdIycFr4ywqCOls +qi3exN3Roqs7AYoLDxZqFayHCjDIDMiX2/Fa9+jCkVs2FvI3pmRuQ8Zl91aaXtGFCtjNBU +AG04lWjbVTk+eA51Ks6PBrcPHpnYa5RF2cGnpkdry/SEQApY5aWnPSwg1jCpmFu/TGkau2 +HuRRWqZKcn57rEpe17tfdnx9zwA1kEIxKD2SRFhjcCqZXnkr3h1ax91iSJh7n+SwpvGDfO +T7qgMv9Gcahr6Mfk+b43GCEurQpvG0KYiGO/gK8XqYFPH/vtbIHn9Z3luMcbn1cfxVbMVq +7iK+G1fUj4ynajeYR8Z9DOtD6tEBNV5UGlfCVK6BTwWKA2GS9J2WI2yIQo5fVNr+/RpbjK +Ethc84M9ONgWxuDiBRQ/M+NTxHGryXjSjRrImnJNWqs+fEgBXFzTpvMcJYzvExJXTmksbk +laKo777nhan+HHJzeeof3FtJKoOkr/ezlFrvUDqV3FKyFHQXK7VAVLEGNC8r3mvDitFmwa +XG2IaFuAZ/UpdBs2mRNS1d8Skbnjx0anHivaeW/d2sKdDi8/rf0fD9M9p1vGFR0+4n9hme 
+dsO56HL7Y7VK14sPvivoTxDX5IM5xuYzZFBwdK3cWivYxL5YSMKRvbJ0DTqjJcNQOWzijg +hu7N1iVvSPt5R7hOhXWbHH5t2RIj4/go5CU6fsbZh61hvSF5wimiDo2X5hWMsL5zQidpi0 +aVx4TEY8rD6n1TgFbVBiqJX4rmRUm9WEhKYDY6uBvEPm/eDuEkdwUbU8lw8GPfLw/y/WVb +f4ECm+VFzIQfcyHTEwTuuiEP34/a1+G8iszU2ZDAWLMIF+heLFaVq5LB4SmsdHHzOP3TlO +3hYHFFDBkGHgfBNcvofwEmCzYgbLwWnIW53aJvs9/159aP1RpXNALbzB3H9JocucNBALmz +0LuLhjnGnH1HSQq4PIkYrQOuYu7kMWXkUvhU2NQTIYbCH3Qu5KPMYUUVrcfAiUCDhThQP1 +xNV4HphMrZPPeo0Xpo1nizRmr7rjYgVdW27bAAe1kjHTBA2/7IuXgrOcOREW8gN+IYv6uk +bFLFYYCu7yQdkY8hSwtkgLc4KHWtnazkSWw2guoqaXtf5DsQfZPhl2slQNv9oq4iO8GoTW +Xg1nAlE7jMRCol+5g6rfpJLQnj39mR+fR0cLtzNp9jTdUNqybRKcO6CWrXlxHw7kQZwSJu +uNpCZ0ss936PSj92zp6eJJtNH8x3jvMY29Z3hVbA+YeOvm6DJJFteCgPI/fjkhsptCu6bK +LXgDmcpO08stA2yb7YCyNYCRmEIhNeLYQsj1Ok3Vn+C+2InUeEAWQCSx9mjMVml41DHrKg +eiDtBuV1VR4bAw2xNQ6UySmgKKXcJTQONDTyJQ4/Sd4XG7hQh10oAFDklVRLpxtx6jbCk3 +rWWT4rW8oovDjlnOqR8mzRyoqkvZ+8HGBa5Grj9Vmzpuv4n/Vp/zZcPLpLS5H2Zf/aOXGI +/iPqRWyALEeoBihE1AT6tBoPqD/Q3Wbk21ERXwJhl/TImhvygka6mWbKKXOw86+kMVSJal +a/4hU9+qo8zSqwEbf5FHDL3ASvfP4XA95wQPTXd3sGh2nUA1N3zHZk9Aa11pNWqjMEXEM0 +oeLOYC6isexmY1LRS1mW2tRRpMuIbGYUPcJfjxvPDtJT/ryXM0MuraNaavyYJ0n6DsaAqI +HbBhceo3+oM4HskKavovJp2doHyPMCFh4myaTCHCVgztgRvfa+QC02ri8R+IQ1EkHneaIv +i2mo4+6qZ25xUBQ6ZrOpLU2s6fT5th4/fgqnZWyBjs+1MwNFfVHnTn7InPA4yac/ODQ4Po +ItL1DDp3daoOY7EnohTbdJDkiPfukXgqkN4y9KsiYBr3sZD8xqKS5C4vi2nKrOmUsSfp+R +UyttjDt84I+ZHSaSILzu7X1OYVFSPmPkG80nFU/Tp/c3DASxJYcVQT7F8X9RuqmejlzVms +evF9rs0OiSYAJAOrh6Qi5CKm+xGGtbt9sl+v/trSR/10GyRhqjuWEjQhQq8Q3s7+AMALN6 +ZnrXZl+8QIW1MSvaaQFmJFqTs= +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 0000000a (10) + 1.0.0 6165733235362d637472 ("aes256-ctr") +2.0 00000006 (6) + 2.0.0 626372797074 ("bcrypt") +3.0 00000018 (24) + 3.0.0 00000010 (16) + 3.0.0.0 07d4b07c0b128348916488008d6e130b (bytes) + 3.0.1 00000064 (100) +4.0 00000001 (1) + 4.0.0 00000217 (535) + 4.0.0.0 
00000007 (7) + 4.0.0.0.0 7373682d727361 ("ssh-rsa") + 4.0.0.1 00000003 (3) + 4.0.0.1.0 010001 (65537) + 4.0.0.2 00000201 (513) + 4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) + 4.0.1 00000750 (1872) + 4.0.1.0 966e2ce435242fef09787f6e8d93a563092e3f3bc986b44198c81e8049c5c944 + 419effc0521401dc1ef5bc0e4d6aedeb7d05880bc3f731698b9bceeceae08e5e + 05f79f4d22de953c899c3271850e80e804f9b1a79bcec31bba11c08db60f9bd2 + 206bc3d7bfef74895e4f4e3720649f924544f4a2cea5b9dfb9cc0a2bd8f3ba70 + f4ba2e7f42960465c9eade118630f9c832fe84ef548529979d0d6ea079f9d5c4 + 0e396b098fc509448d26de3cb484b0334afacaba371b52c37c120a5623170c1d + 0a39348a151c9fb8aab1049f52cf0c08c77144af314259a90848f3dc62e5831f + ac08720b1c813506f1db1e7940def52dc46c97d6363cda0ff7e2258e2637d2e0 + 9f26099bbfeac78819198b78374d2424537fe549a2ab3dddaf5f7fdb739c3921 + 064b04f6ffcfeb5544db533179038e11d0cc622992bc6d0600584d4068a2891d + c748c9c16be32c2a08e96caa2ddec4ddd1a2ab3b018a0b0f166a15ac870a30c8 + 
0cc897dbf15af7e8c2915b3616f237a6646e43c665f7569a5ed1850ad8cd0540 + 06d389568db55393e780e752ace8f06b70f1e99d86b9445d9c1a7a6476bcbf48 + 4400a58e5a5a73d2c20d630a9985bbf4c691abb61ee4515aa64a727e7bac4a5e + d7bb5f767c7dcf0035904231283d92445863702a995e792bde1d5ac7dd624898 + 7b9fe4b0a6f1837ce4fbaa032ff4671a86be8c7e4f9be3718212ead0a6f1b429 + 88863bf80af17a9814f1ffbed6c81e7f59de5b8c71b9f571fc556cc56aee22be + 1b57d48f8ca76a379847c67d0ceb43ead101355e541a57c254ae814f058a0361 + 92f49d96236c88428e5f54dafefd1a5b8ca12d85cf3833d38d816c6e0e205143 + f33e353c471abc978d28d1ac89a724d5aab3e7c48015c5cd3a6f31c258cef131 + 2574e692c6e495a2a8efbee785a9fe1c727379ea1fdc5b492a83a4aff7b3945a + ef503a95dc52b21474172bb54054b106342f2bde6bc38ad166c1a5c6d88685b8 + 067f529741b36991352d5df1291b9e3c746a71e2bda796fdddac29d0e2f3fadf + d1f0fd33da75bc6151d3ee27f6199e76c3b9e872fb63b54ad78b0fbe2be84f10 + d7e48339c6e63364507074addc5a2bd8c4be5848c291bdb2740d3aa325c35039 + 6ce28e086eecdd6256f48fb7947b84e85759b1c7e6dd91223e3f828e4253a7ec + 6d987ad61bd2179c229a20e8d97e6158cb0be734227698b4695c784c463cac3e + a7d538056d5062a895f8ae64549bd58484a60363ab81bc43e6fde0ee12477051 + b53c970f063df2f0ff2fd655b7f81029be545cc841f7321d31304eeba210fdf8 + fdad7e1bc8accd4d990c058b30817e85e2c5695ab92c1e129ac7471f338fdd39 + 4ede16071450c19061e07c135cbe87f01260b36206cbc169c85b9dda26fb3dff + 5e7d68fd51a573402dbcc1dc7f49a1cb9c34100b9b3d0bb8b8639c69c7d47490 + ab83c8918ad03ae62eee43165e452f854d8d4132186c21f742ee4a3cc614515a + dc7c08940838538503f5c4d5781e984cad93cf7a8d17a68d678b3466afbae362 + 055d5b6edb0007b59231d3040dbfec8b9782b39c391116f2037e218bfaba46c5 + 2c56180aeef241d918f214b0b6480b7382875ad9dace4496c3682ea2a697b5fe + 43b107d93e1976b2540dbfda2ae223bc1a84d65e0d6702513b8cc442a25fb983 + aadfa492d09e3dfd991f9f47470bb73369f634dd50dab26d129c3ba096ad7971 + 1f0ee4419c1226eb8da42674b2cf77e8f4a3f76ce9e9e249b4d1fcc778ef318d + bd6778556c0f9878ebe6e8324916d78280f23f7e3921b29b42bba6ca2d780399 + 
ca4ed3cb2d036c9bed80b235809198422135e2d842c8f53a4dd59fe0bed889d4 + 7840164024b1f668cc566978d431eb2a07a20ed06e575551e1b030db1350e94c + 929a028a5dc25340e3434f2250e3f49de171bb850875d280050e495544ba71b7 + 1ea36c2937ad6593e2b5bca28bc38e59cea91f26cd1ca8aa4bd9fbc1c605ae46 + ae3f559b3a6ebf89ff569ff365c3cba4b4b91f665ffda397188fe23ea456c802 + c47a8062844d404fab41a0fa83fd0dd66e4db51115f026197f4c89a1bf28246b + a9966ca2973b0f3afa43154896a56bfe2153dfaaa3ccd2ab011b7f91470cbdc0 + 4af7cfe1703de7040f4d7777b068769d4035377cc7664f406b5d69356aa33045 + c4334a1e2ce602ea2b1ec666352d14b5996dad451a4cb886c66143dc25f8f1bc + f0ed253febc9733432eada35a6afc982749fa0ec680a881db06171ea37fa8338 + 1ec90a6afa2f269d9da07c8f302161e26c9a4c21c2560ced811bdf6be402d36a + e2f11f884351241e779a22f8b69a8e3eeaa676e7150143a66b3a92d4dace9f4f + 9b61e3f7e0aa7656c818ecfb53303457d51e74e7ec89cf038c9a73f3834383e8 + 22d2f50c3a7775aa0e63b127a214db7490e488f7ee91782a90de32f4ab22601a + f7b190fcc6a292e42e2f8b69caace994b127e9f91532b6d8c3b7ce08f991d269 + 220bceeed7d4e6151523e63e41bcd27154fd3a7f7370c04b1258715413ec5f17 + f51baa99e8e5cd59ac7af17daecd0e8926002403ab87a422e422a6fb1186b5bb + 7db25faffedad247fd741b2461aa3b9612342142af10decefe00c00b37a667ad + 7665fbc4085b5312bda690166245a93b (AES256-CTR encrypted block) (bytes) +---- + +[NOTE] +==== +The decrypted *4.0.1.0* should match the <> for *4.0.1.0* through *4.0.1.10*. The padding length WILL change, however, between the two unless using a cipher with an 8-byte block size. 
+==== + +When *4.0.1.0* is decrypted, it yields: + +.Decrypted *4.0.1.0* +[source,text,linenums] +---- +4.0.1.0 0d98bd61 (228113761) +4.0.1.1 0d98bd61 (228113761) +4.0.1.2 00000007 (7) + 4.0.1.2.0 7373682d727361 ("ssh-rsa") +4.0.1.3 00000201 (513) + 4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) +4.0.1.4 00000003 (3) + 4.0.1.4.0 010001 (65537) +4.0.1.5 00000200 (512) + 4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d + a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1 + e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0 + eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3 + 854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465 + 12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5 + 9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f + c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7 + 
00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d + 5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c + acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef + 2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3 + a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c + dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163 + e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804 + 1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes) +4.0.1.6 00000100 (256) + 4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7 + 505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b + 3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952 + b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b + 34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305 + 53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7 + 2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a + 137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98 +4.0.1.7 00000101 (257) + 4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0 + 56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7 + 7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a + d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728 + 23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab + cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71 + ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a + 292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe + 99 +4.0.1.8 00000101 (257) + 4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2 + b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f + 9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb + 05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227 + 
1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a + b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1 + 9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341 + e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e + 9f (bytes) +4.0.1.9 00000018 (24) + 4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string") +4.0.1.10 010203 ([1 2 3], 3 bytes) +---- + +See the <> for details. diff --git a/_ref/rsa/private/v1/main.adoc b/_ref/rsa/private/v1/main.adoc index 36a4887..5154324 100644 --- a/_ref/rsa/private/v1/main.adoc +++ b/_ref/rsa/private/v1/main.adoc @@ -1,2 +1,3 @@ + include::plain.adoc[] include::encrypted.adoc[] diff --git a/_ref/rsa/private/v1/plain.adoc b/_ref/rsa/private/v1/plain.adoc index 6921cea..6ff5423 100644 --- a/_ref/rsa/private/v1/plain.adoc +++ b/_ref/rsa/private/v1/plain.adoc 
@@ -1,2 +1,227 @@ -TODO +===== v1 (Plain) + +[TIP] +==== +Since plaintext/unencrypted keys do not have a cipher or KDF (as there's no encryption key or algorithm used), they use the string "none" to identify these (and entirely leave out the KDF options). +==== + +[id=struct_rsa_plain] +====== Structure + +[source,text,linenums] +---- +0.0 "openssh-key-v1" string plus terminating nullbyte (15 bytes) +1.0 uint32 allocator for 1.0.0 (4 bytes) + 1.0.0 cipher name string (ASCII bytes) +2.0 uint32 allocator for 2.0.0 (4 bytes) + 2.0.0 KDF name string (ASCII bytes) +3.0 uint32 allocator for KDF options (3.0.0 to 3.0.1) (4 bytes) (ALWAYS 0 for unencrypted keys, so no following substructure) +4.0 uint32 counter for # of keys (4 bytes) + 4.0.0 uint32 allocator for public key #n (4.0.0.0 to 4.0.0.1) (4 bytes) + 4.0.0.0 uint32 allocator for 4.0.0.0.0 (4 bytes) + 4.0.0.0.0 public key #n keytype string (ASCII bytes) + 4.0.0.1 uint32 allocator for 4.0.0.1.0 (4 bytes) + 4.0.0.1.0 public exponent ('e') + 4.0.0.2 uint32 allocator for 4.0.0.2.0 (4 bytes) + 4.0.0.2.0 modulus ('n') + 4.0.1 uint32 allocator for private key structure #n (4.0.1.0 to 4.0.1.5) (4 bytes) + 4.0.1.0 uint32 decryption "checksum" #1 (should match 4.0.1.1) (4 bytes) + 4.0.1.1 uint32 decryption "checksum" #2 (should match 4.0.1.0) (4 bytes) + 4.0.1.2 copy of 4.0.0.0; allocator for 4.0.1.2.0 (4 bytes) + 4.0.1.2.0 copy of 4.0.0.0.0 (ASCII bytes) + 4.0.1.3 copy of 4.0.0.2; allocator for 4.0.1.3.0 (4 bytes) + 4.0.1.3.0 copy of 4.0.0.2.0 (bytes) + 4.0.1.4 copy of 4.0.0.1; allocator for 4.0.1.4.0 (4 bytes) + 4.0.1.4.0 copy of 4.0.0.1.0 (bytes) + 4.0.1.5 uint32 allocator for 4.0.1.5.0 (4 bytes) + 4.0.1.5.0 private exponent ('d') + 4.0.1.6 uint32 allocator for 4.0.1.6.0 (4 bytes) + 4.0.1.6.0 CRT helper value ('q^(-1) % p') + 4.0.1.7 uint32 allocator for 4.0.1.7.0 (4 bytes) + 4.0.1.7.0 prime #1 ('p') + 4.0.1.8 uint32 allocator for 4.0.1.8.0 (4 bytes) + 4.0.1.8.0 prime #2 ('q') + 4.0.1.9 uint32 allocator for 4.0.1.9.0 (4 
bytes) + 4.0.1.9.0 comment for key #n string (ASCII bytes) + 4.0.1.10 sequential padding +---- + +[NOTE] +==== +*Chunk 3.0.0 to 3.0.1:* These blocks are not present in unencrypted keys (see the <> for what these look like). *3.0* reflects this, as it's always going to be `00000000` (0). + +*Chunk 4.0:* This is technically currently unused; upstream hardcodes to 1 (left zero-padded 0x01). + +*Chunk 4.0.0.1.0, 4.0.0.2.0, 4.0.1.3.0, 4.0.1.4.0:* Note that the ordering of `e`/`n` in *4.0.0* is changed to `n`/`e` in *4.0.1*. + +*Chunk 4.0.1.10:* The padding used aligns the private key (*4.0.1.0* to *4.0.1.9.0*) to the cipher blocksize. For plaintext keys, a blocksize of 8 is used. +==== + +[id=bytes_rsa_plain] +====== Example + +The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*. + +.`id_rsa` Format +[source,text,linenums] +---- +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAt87ARgHOKhLwySTLmjDrmQBmgSyxQ2kZPzCyuf3Ur8swDJGPKnfW +RBDzYXrnyMoxjCV9PE304sQQi7vpOoaJS6FLNXXy9yFQvDgdy/t0LHoZaGb9MYSs6Wdhrd +oPwpkvbIZtdWmRn8ItnEvw3kBajHbVGaoqUyncaCV3ciml0LdTp4JaiblSdfnAJeIVNDxs +iM1mkKIh+K6e9nXuRk3H0RjaQQUH6l1rZIndYK/YpmRkkts+J58aeCQNuKu9psUHFMljZl +CnIIHn+l1HLBQosH6uXRW2TqHip1CFEv6atlX4ajE0htPMod2OkKzFyfuk1udnUH+6ufOn +9ox0gUKvKjcB0xqKm3URlYqncYe6cC7ZNNOFr87kI4DpXg5+m8D00jNn/HcDdBZ7fwkm+2 +/bbQWq0c/RkYJIRbAU4YFTvw0dPDsfrbslo/HRUfm2hGM9jBaQ/NjK0FqsKusj2/GaN+SA +oAiRAxnBFtR72SSzmUJUO4ig9hJ5UrLY4SkPMCn1Qq6+nAyONs8yloZc1mQ8iSTVZuv0lx +gJOZoawJb+Htw7X4cb9e8LTUTg6idiDSBRQuC/z2d7TbAlUyEho/B0WqTQWGMxczJXhVpc +7L46xEA9BP8MwMWLfASQS0AhJcK8KmOiDrswnMbz5l2zAaBYuNrOB+cbOPPzWVQz9psZjw +cAAAdQU4NHElODRxIAAAAHc3NoLXJzYQAAAgEAt87ARgHOKhLwySTLmjDrmQBmgSyxQ2kZ +PzCyuf3Ur8swDJGPKnfWRBDzYXrnyMoxjCV9PE304sQQi7vpOoaJS6FLNXXy9yFQvDgdy/ +t0LHoZaGb9MYSs6WdhrdoPwpkvbIZtdWmRn8ItnEvw3kBajHbVGaoqUyncaCV3ciml0LdT 
+p4JaiblSdfnAJeIVNDxsiM1mkKIh+K6e9nXuRk3H0RjaQQUH6l1rZIndYK/YpmRkkts+J5 +8aeCQNuKu9psUHFMljZlCnIIHn+l1HLBQosH6uXRW2TqHip1CFEv6atlX4ajE0htPMod2O +kKzFyfuk1udnUH+6ufOn9ox0gUKvKjcB0xqKm3URlYqncYe6cC7ZNNOFr87kI4DpXg5+m8 +D00jNn/HcDdBZ7fwkm+2/bbQWq0c/RkYJIRbAU4YFTvw0dPDsfrbslo/HRUfm2hGM9jBaQ +/NjK0FqsKusj2/GaN+SAoAiRAxnBFtR72SSzmUJUO4ig9hJ5UrLY4SkPMCn1Qq6+nAyONs +8yloZc1mQ8iSTVZuv0lxgJOZoawJb+Htw7X4cb9e8LTUTg6idiDSBRQuC/z2d7TbAlUyEh +o/B0WqTQWGMxczJXhVpc7L46xEA9BP8MwMWLfASQS0AhJcK8KmOiDrswnMbz5l2zAaBYuN +rOB+cbOPPzWVQz9psZjwcAAAADAQABAAACAEmfLHBeBL/hekR20n5eHd/YwzX2OsIvdIdU +8CGDRA9tqT8/hkKSYWY+C939pp1ML3BdC7590xqJQb9WcuKYRKHgZwlwxvKpi3b4Wyb6/t +tZxJeGuN9+ruuGFx/Vef6N8OrdJTakJEoDMtWprT64NAyTBGQVPoK0/61PZHp7qAjjhURQ ++Aa2DgtnD8mctrWHhkl9TBmed1DuUImTTu8l9GUSOUlVxIfhB0Tr25oAlRyAlbAk1M518d +oxRrWzRHFp9Z4j1AaFQ4vHvK0Rc5J6OJoJA7oRGkaAnRI7NDIZfMqPwMJ4FvvyFcK3xYS5 +TzfJ7YqOgVlC7/3PVHVyaK/lj9cAzc9qmKIJUGF7BiSqg12V4n16/N7nDDl8obaqBHNebV +xeAb//IXTPVi02hCYkSQ4SyoFCWV1SVnSU84shJAEsrKyyVk4hyEXrlPXW6/bzkGbh+gSz +GBdOb5mUgjuk2e8sKLN8s+oF+jytcgCJg5QnaDVSPk5BYFTyPbDrcyIR06EepVE5CujVjW +nhRmTg4g8r8MzSTSYLgyqUFE9YAep827JDbyG6LbrsvNVz8kxeDUP9JrSuZ2ThON2vR3Ws +AWPkVyfBACf3FsvjzHD/9zRBuyU45UJqGlY4tEinveloBB7CGE72ew2mAHApfNc97u/r0Z +UWEcendslW4Y5fFjohAAABAAri4c8kVaDYInLmpCu7qD63ZUluWjPhO4yUdW2MMvfXUF/Z +l73V7AjFm/jR1lnR3wK+xmnrtaqvXbHscM4vKms6F7ex/OOtxiA8KQXNZS12IgZd0BGuM4 +lEZ8bco2Q5UrDK7f+bx4rEBAgHQCdWbuTEdRrT/0UqJ4Gvi1wsm/CbNO5eYgEzC0vDga92 +Z5hmfFua0HM8GfTvR1/SZGVeAwVT8vL43lnCrudLndZyDjEIFD3+3UHPS8Ed4rmp9A+uxy +pSMSq+5MYVWs/uk4ShY0jHFTRuvmk4lf5tI0jU3tsKE3xIcYX/lJwgkRW5yKEGMpmR8Eno +Qwx7pg3VQI1yrJgAAAEBAOULZbpq5MsprmYSnD5B/+ujbNbsuqcEX/kM6nHQm8BWsLkTTc +V1TEnaH+irFpzRSe7a7M9JE9kV9PJBxf2Gx3UR4MJhw0RgCoTM546M9JPkkoRMuCxCq20S +RqU+XPUK1HWcKlwJ1TscXDtEkyjuoBQ01uU3s6UTko363fCnJygjiZuNeVIgyzNEq40OhG +4eQP/ftccZJiwrUnqJClH6q88QkEaZE197mXSH9LSNRJCtgPwls0b6C7WH8JKVvw9xrBCo +CGhn1LrQCgwnpkVvCODCv4yu2HaPA2aiRAQoGAopJhevYf6rq5pwdbi8ISCaVDm7/jYTkX 
+Bx/udKjV2A/pkAAAEBAM1wd2WfrZgxBLzH3FJiQrnqUs6kDpI993GsKijjd/K5IxpYwkSM +a40X/oNXHva9u8EfPUq0JU6oWWhLh3KRH5xvNVR5BT4+PTpuzOE6AWkIKYyj+LYo0hEXSa +NidijrBYRPVGeVpQZ9ObHTBOGcxvwb4AphZOoz5Ku8h/VoMicdglyGjFzNo3dbA3cR6ZQ2 ++WxT83gLmFCE4dhKRYxoerCTigm/b5s//sQe0C/VsnVyx9GAA55AWlWbYvwI+ASxnwQ9uk +xvdWWxxydZ9Lky1Pk9T0HakbGxRvKYVKEAg0HkdgvdSYcJfsSmVRq5bgmaBKONaok7Uz2x +hau1VzZBnp8AAAAYVGhpcyBpcyBhIGNvbW1lbnQgc3RyaW5nAQID +-----END OPENSSH PRIVATE KEY----- +---- + +.Structure Reference (Hex) (Decoded Base64) +[source,text,linenums] +---- +0.0 6f70656e7373682d6b65792d763100 ("openssh-key-v1" + 0x00) +1.0 0000000a (10) + 1.0.0 6165733235362d637472 ("none") +2.0 00000006 (6) + 2.0.0 626372797074 ("none") +3.0 00000000 (0) +4.0 00000001 (1) + 4.0.0 00000217 (535) + 4.0.0.0 00000007 (7) + 4.0.0.0.0 7373682d727361 ("ssh-rsa") + 4.0.0.1 00000003 (3) + 4.0.0.1.0 010001 (65537) + 4.0.0.2 00000201 (513) + 4.0.0.2.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) + 4.0.1 
00000750 (1872) + 4.0.1.0 53834712 (1401112338) + 4.0.1.1 53834712 (1401112338) + 4.0.1.2 00000007 (7) + 4.0.1.2.0 7373682d727361 ("ssh-rsa") + 4.0.1.3 00000201 (513) + 4.0.1.3.0 00b7cec04601ce2a12f0c924cb9a30eb990066812cb14369193f30b2b9fdd4af + cb300c918f2a77d64410f3617ae7c8ca318c257d3c4df4e2c4108bbbe93a8689 + 4ba14b3575f2f72150bc381dcbfb742c7a196866fd3184ace96761adda0fc299 + 2f6c866d7569919fc22d9c4bf0de405a8c76d519aa2a5329dc6825777229a5d0 + b753a7825a89b95275f9c025e215343c6c88cd6690a221f8ae9ef675ee464dc7 + d118da410507ea5d6b6489dd60afd8a6646492db3e279f1a78240db8abbda6c5 + 0714c9636650a72081e7fa5d472c1428b07eae5d15b64ea1e2a7508512fe9ab6 + 55f86a313486d3cca1dd8e90acc5c9fba4d6e767507fbab9f3a7f68c748142af + 2a3701d31a8a9b7511958aa77187ba702ed934d385afcee42380e95e0e7e9bc0 + f4d23367fc770374167b7f0926fb6fdb6d05aad1cfd191824845b014e18153bf + 0d1d3c3b1fadbb25a3f1d151f9b684633d8c1690fcd8cad05aac2aeb23dbf19a + 37e480a008910319c116d47bd924b39942543b88a0f6127952b2d8e1290f3029 + f542aebe9c0c8e36cf3296865cd6643c8924d566ebf4971809399a1ac096fe1e + dc3b5f871bf5ef0b4d44e0ea27620d205142e0bfcf677b4db025532121a3f074 + 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 + bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f + 07 (bytes) + 4.0.1.4 00000003 (3) + 4.0.1.4.0 010001 (65537) + 4.0.1.5 00000200 (512) + 4.0.1.5.0 499f2c705e04bfe17a4476d27e5e1ddfd8c335f63ac22f748754f02183440f6d + a93f3f86429261663e0bddfda69d4c2f705d0bbe7dd31a8941bf5672e29844a1 + e0670970c6f2a98b76f85b26fafedb59c49786b8df7eaeeb86171fd579fe8df0 + eadd2536a4244a0332d5a9ad3eb8340c930464153e82b4ffad4f647a7ba808e3 + 854450f806b60e0b670fc99cb6b58786497d4c199e7750ee5089934eef25f465 + 12394955c487e10744ebdb9a00951c8095b024d4ce75f1da3146b5b3447169f5 + 9e23d40685438bc7bcad1173927a389a0903ba111a46809d123b3432197cca8f + c0c27816fbf215c2b7c584b94f37c9ed8a8e815942effdcf54757268afe58fd7 + 00cdcf6a98a20950617b0624aa835d95e27d7afcdee70c397ca1b6aa04735e6d + 
5c5e01bfff2174cf562d36842624490e12ca8142595d52567494f38b2124012c + acacb2564e21c845eb94f5d6ebf6f39066e1fa04b318174e6f9994823ba4d9ef + 2c28b37cb3ea05fa3cad7200898394276835523e4e416054f23db0eb732211d3 + a11ea551390ae8d58d69e14664e0e20f2bf0ccd24d260b832a94144f5801ea7c + dbb2436f21ba2dbaecbcd573f24c5e0d43fd26b4ae6764e138ddaf4775ac0163 + e45727c10027f716cbe3cc70fff73441bb2538e5426a1a5638b448a7bde96804 + 1ec2184ef67b0da60070297cd73deeefebd1951611c7a776c956e18e5f163a21 (bytes) + 4.0.1.6 00000100 (256) + 4.0.1.6.0 0ae2e1cf2455a0d82272e6a42bbba83eb765496e5a33e13b8c94756d8c32f7d7 + 505fd997bdd5ec08c59bf8d1d659d1df02bec669ebb5aaaf5db1ec70ce2f2a6b + 3a17b7b1fce3adc6203c2905cd652d7622065dd011ae33894467c6dca3643952 + b0caedff9bc78ac40408074027566ee4c4751ad3ff452a2781af8b5c2c9bf09b + 34ee5e6201330b4bc381af766798667c5b9ad0733c19f4ef475fd264655e0305 + 53f2f2f8de59c2aee74b9dd6720e3108143dfedd41cf4bc11de2b9a9f40faec7 + 2a52312abee4c6155acfee9384a16348c715346ebe693895fe6d2348d4dedb0a + 137c487185ff949c209115b9c8a106329991f049e8430c7ba60dd5408d72ac98 (bytes) + 4.0.1.7 00000101 (257) + 4.0.1.7.0 00e50b65ba6ae4cb29ae66129c3e41ffeba36cd6ecbaa7045ff90cea71d09bc0 + 56b0b9134dc5754c49da1fe8ab169cd149eedaeccf4913d915f4f241c5fd86c7 + 7511e0c261c344600a84cce78e8cf493e492844cb82c42ab6d1246a53e5cf50a + d4759c2a5c09d53b1c5c3b449328eea01434d6e537b3a513928dfaddf0a72728 + 23899b8d795220cb3344ab8d0e846e1e40ffdfb5c719262c2b527a890a51faab + cf10904699135f7b997487f4b48d4490ad80fc25b346fa0bb587f09295bf0f71 + ac10a8086867d4bad00a0c27a6456f08e0c2bf8caed8768f0366a2440428180a + 292617af61feabab9a7075b8bc21209a5439bbfe3613917071fee74a8d5d80fe + 99 (bytes) + 4.0.1.8 00000101 (257) + 4.0.1.8.0 00cd7077659fad983104bcc7dc526242b9ea52cea40e923df771ac2a28e377f2 + b9231a58c2448c6b8d17fe83571ef6bdbbc11f3d4ab4254ea859684b8772911f + 9c6f355479053e3e3d3a6ecce13a016908298ca3f8b628d2111749a3627628eb + 05844f546795a5067d39b1d304e19cc6fc1be00a6164ea33e4abbc87f5683227 + 
1d825c868c5ccda3775b037711e99436f96c53f3780b985084e1d84a458c687a + b0938a09bf6f9b3ffec41ed02fd5b27572c7d180039e405a559b62fc08f804b1 + 9f043dba4c6f7565b1c72759f4b932d4f93d4f41da91b1b146f29854a1008341 + e4760bdd4987097ec4a6551ab96e099a04a38d6a893b533db185abb55736419e + 9f (bytes) + 4.0.1.9 00000018 (24) + 4.0.1.9.0 54686973206973206120636f6d6d656e7420737472696e67 ("This is a comment string") + 4.0.1.10 010203 ([1 2 3], 3 bytes) +---- diff --git a/_ref/rsa/public.adoc b/_ref/rsa/public.adoc index 06a8f4b..bdae5f3 100644 --- a/_ref/rsa/public.adoc +++ b/_ref/rsa/public.adoc @@ -1,6 +1,5 @@ ==== Public - ===== Structure Public keys are stored in the following structure: @@ -8,11 +7,11 @@ Public keys are stored in the following structure: [source,text,linenums] ---- 0 uint32 allocator for 0.0 (4 bytes) - 0.0 Public key type string (ASCII bytes; length defined above) + 0.0 Public key type string (ASCII bytes) 1 uint32 allocator for 1.0 (4 bytes) - 1.0 Public exponent ('e') + 1.0 Public exponent ('e') (hex numeric) 2 uint32 allocator for 2.0 (4 bytes) - 2.0 modulus ('n') + 2.0 modulus ('n') (bytes) ---- ===== Example @@ -48,4 +47,4 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3zsBGAc4qEvDJJMuaMOuZAGaBLLFDaRk/MLK5/dSv 5aa4d0586331733257855a5cecbe3ac4403d04ff0cc0c58b7c04904b402125c2 bc2a63a20ebb309cc6f3e65db301a058b8dace07e71b38f3f3595433f69b198f 07 ----- \ No newline at end of file +----
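Review bot: the closing cross-reference in `_ref/rsa/private/legacy/encrypted.adoc` ("See the <> for the decrypted (non-password-protected) version of this key.") should be checked to resolve to the `bytes_rsa_plain_legacy` anchor that `legacy/plain.adoc` defines in this same patch; the target is not visible in the hunk, and since the same "See the <> ..." sentence pattern is used in the v1 files, a wrong id would render as literal text in every one of them.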
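Review bot: the citation in the Structure section of `_ref/rsa/private/legacy/plain.adoc` is imprecise: RFC 7468 § 10 covers the PKCS #8 `PRIVATE KEY` textual encoding, whereas the `-----BEGIN RSA PRIVATE KEY-----` label used in the example carries the PKCS #1 `RSAPrivateKey` ASN.1 structure (RFC 3447 Appendix A.1.2: version, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p, DER-encoded). Since the v1 sections give a field-by-field breakdown, this section should at least list those DER fields so the reader can relate them to 4.0.1.3.0 through 4.0.1.8.0 of the v1 structure; as written it only says "standard RSA PEM format" and then shows an opaque blob.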
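Review bot: removing "===== Legacy" and "===== v1" from `_ref/rsa/private/main.adoc` leaves "===== Legacy (Plain)", "===== v1 (Plain)" and "===== v1 (Encrypted)" as three sibling headings directly under "==== Private", so the legacy/v1 grouping now exists only in the heading text; either keep the two group headings here and demote the included files' headings one level, or accept the flat layout deliberately and say so in the commit message.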
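Review bot: the chunk-4.0.1.0 NOTE in `_ref/rsa/private/v1/encrypted.adoc` says the decrypted blob is equivalent to the plain-format *4.0.1.0* to *4.0.1.6*, but the later NOTE and the "Decrypted 4.0.1.0" listing run through *4.0.1.10*; use *4.0.1.10* in both places. Two further claims in the same file are contradicted by its own example: (1) "should match ... for *4.0.1.0* through *4.0.1.10*" cannot hold for *4.0.1.0*/*4.0.1.1*, which are per-key random check values (`0d98bd61` here versus `53834712` in the plain example), so say the fields from *4.0.1.2* on match; (2) "The padding length WILL change ... unless using a cipher with an 8-byte block size" is too strong, since this aes256-ctr key (16-byte blocks) ends with the same `4.0.1.10 010203` padding as the plain key because the padded length `00000750` (1872) is a multiple of both 8 and 16; "may change" is accurate. Smaller points: the `4.0.1.0` entry in the Structure block has no description at all (something like "encrypted private key blob (bytes)"), `2.0` lacks the "(4 bytes)" suffix that `1.0` and the plain.adoc structure carry, the second TIP should say the cipher encrypts *4.0.1.0* (the blob) rather than *4.0.1* (its length), and `3.0.0.0 Salt/IV (bytes)` is the bcrypt_pbkdf salt only; the cipher IV is derived from the KDF output together with the key, so labelling the salt "IV" misleads.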
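Review bot: the Example intro in `_ref/rsa/private/v1/plain.adoc` was copied from the encrypted page and is wrong for this file: "The following example, being encrypted, is protected with a passphrase. The passphrase used in this example key is *`test`*." The key shown has cipher and KDF `none`, so the sentence should say the key is unencrypted. The Structure Reference listing has the same copy-paste problem: `1.0 0000000a (10)` / `1.0.0 6165733235362d637472 ("none")` and `2.0 00000006 (6)` / `2.0.0 626372797074 ("none")` are the hex for `aes256-ctr` and `bcrypt`; the Base64 header `b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB` decodes to `00000004 6e6f6e65` for both fields, followed by `00000000` for *3.0* and `00000001` for *4.0*. Also, in the Structure block, `4.0.0 ... (4.0.0.0 to 4.0.0.1)` actually spans 4.0.0.0 to 4.0.0.2 and `4.0.1 ... (4.0.1.0 to 4.0.1.5)` spans 4.0.1.0 to 4.0.1.10, as the entries that follow show (the `4.0.0` range is wrong in encrypted.adoc as well).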
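Review bot: in the `_ref/rsa/public.adoc` structure hunk, annotating `1.0 Public exponent ('e') (hex numeric)` but `2.0 modulus ('n') (bytes)` suggests two different encodings when both fields are the same SSH `mpint` (big-endian two's complement, with a leading 0x00 byte added when the high bit is set); that leading byte is why the modulus in the RSA examples is 513 bytes (`00000201`) beginning with `00` while `e` is the 3 bytes `010001`. Use one annotation for both, e.g. "(mpint, bytes)", and mention the leading-zero rule so readers do not misread the modulus length as 4104 bits.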