2

I'm currently working on a library with secure authentication process. I wanted to support ppk file loading for ed25519 private keys. I used the original source code of putty to determine how the decoding of password protected files worked. I generated a demo file with a password protected and a non password protected private key. Decrypting both files turned out that the private key of the password protected file was 12 bytes longer, both decrypted private keys shared the first 36byte. They both had the same public key.

From the putty source code i can't see any sublisting. Am I doing something wrong? Other libraries have have the same result.

Richard Burkhardt
  • 135
  • 6

1 Answers1

3

Password protected private keys are simply private keys that are encrypted using symmetric encryption (e.g. AES), with a key that is derived from the password (e.g. PBKDF2).

AES works in blocks of 16 bytes. Being that your underlying plaintext (i.e. the private key) is 36 blocks in length, it must be padded up to a length that is a multiple of 16 bytes. That could be one of the reasons for the additional 12 bytes that you are seeing.

Also, key derivation functions usually utilizes a random salt, to mitigate against dictionary attacks. The salt is not a secret, so it is generally stored along with the ciphertext. So, another possibility is that some or all the additional bytes are used to store the salt used in the key derivation function.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • 1
    Yes it's padding. PuTTY format (PuTTY-User-Key-File-2) PBE uses no salt, and one iteration of SHA-1: https://github.com/github/putty/blob/0.74/sshpubk.c#L459 . ed25519 private_blob (plaintext) is 4bytes length (redundant but consistent with other types) plus 32 bytes actual privatekey = 36. – dave_thompson_085 Feb 18 '21 at 03:04
  • Thank you, but the public key is the same. Will both private keys be able to decode messages that have been encoded with the public key. An will messages signed with the private key have the same result as well? – Richard Burkhardt Feb 18 '21 at 09:30
  • 1
    @RichardBurkhardt Yes to all of your questions. It's not two private keys, it's the same private key. In the first case, the private key is stored on your system as-is, unencrypted. In the second case, the private key is encrypted (using AES with a key derived from a password), and the encrypted key is stored on your system. In the second case, before you can use the private key to decrypt a message or to sign a message, you must decrypt it (using the password), then this renders it the same as the private key in the first case. – mti2935 Feb 18 '21 at 13:54