7

Both OpenSSH and GPG can generate key pairs which are stored as files in well-known paths inside the user directory. A passphrase is always asked for during the generation process, which is then used to encrypt the contents of the private key using a symmetric encryption algorithm.

I'd like to know whether these programs also apply a key stretching technique such as PBKDF2 or scrypt to the passphrase before using it. Supposing one of these files was ever compromised, I'd like to make sure that deriving the real decryption key takes about 10-20 seconds on commodity hardware, thus rendering brute-force attacks impracticable for the time being. Is that even possible?

2 Answers

4

OpenSSH

As of version 6.5, OpenSSH offers a new private key format that supports the bcrypt KDF. The new format can be enforced by passing the -o flag to ssh-keygen. The number of KDF rounds can be customized with the -a flag.

$ ssh-keygen -o -a 1000

References: ssh-keygen man page and Ted Unangst's blog.

GPG

I couldn't find anything equivalent to the above command flags. If there is, let me know in the comments and I'll update the answer.

3

OpenSSH - Line 3090:sshkey.c:sshkey_private_to_blob2

    /* bcrypt KDF: a fresh random salt is generated, the passphrase is
     * stretched with bcrypt_pbkdf for the requested number of rounds,
     * and the salt plus the round count are written into the key file
     * so that the same derivation can be repeated on load. */
    if (strcmp(kdfname, "bcrypt") == 0) {
        arc4random_buf(salt, SALT_LEN);
        if (bcrypt_pbkdf(passphrase, strlen(passphrase),
            salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
            r = SSH_ERR_INVALID_ARGUMENT;
            goto out;
        }
        if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
            (r = sshbuf_put_u32(kdf, rounds)) != 0)
            goto out;
    } else if (strcmp(kdfname, "none") != 0) {
        /* Unsupported KDF type */
        r = SSH_ERR_KEY_UNKNOWN_CIPHER;
        goto out;
    }

GPG allows you to choose what hashing algorithm you want as long as it's supported by the GCrypt Library.

hash algorithms (MD4, MD5, RIPE-MD160, SHA-1, SHA_224, SHA-256, SHA-384, SHA-512, TIGER-192, Whirlpool), MACs (HMAC for all hash algorithms),

PKCS8 RFC5208 Section 1

A password-based encryption algorithm (e.g., one of those described in [PKCS#5]) could be used to encrypt the private-key information.

PKCS5 RFC2898 only has PBKDF1 and PBKDF2 listed for key derivation functions.

RoraΖ
  • Your OpenSSH reply seems to be about the 'new' keypair format only. What does the 'old' format aka PEM or OpenSSL key format use? (Not just PKCS#8, which OpenSSL uses nowadays, but the older "BEGIN RSA PRIVATE KEY" one.) – user1686 Mar 24 '15 at 17:41
  • Updated to reflect OpenSSL for PKCS8 – RoraΖ Mar 24 '15 at 18:08
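Both answers above describe what the OpenSSH key file records: with the new format (ssh-keygen -o), the header stores the cipher name, the KDF name, and for bcrypt a salt plus the round count set with -a. The following Python script, added here as an example and not taken from OpenSSH or from either answer, parses that header so a defender can verify that an on-disk key is actually stretched, and it also recognises the legacy PEM format raised in the comment (whose Proc-Type/DEK-Info headers carry a cipher and IV but no round count). The sample key blobs are constructed in memory with placeholder key material; the 16-byte salt mirrors OpenSSH's SALT_LEN, and the field names in the returned dictionary are this example's own.

```python
import base64
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"  # magic string that opens the new-format blob
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_sample_key(kdfname: str, rounds: int) -> str:
    """Constructed sample: a new-format key file with placeholder key material.

    Layout follows PROTOCOL.key: magic, ciphername, kdfname, kdfoptions,
    number of keys, public key(s), encrypted private section. For bcrypt the
    kdfoptions string holds (string salt, uint32 rounds); for "none" it is empty.
    """
    if kdfname == "bcrypt":
        cipher = b"aes256-ctr"
        kdfopts = _put_string(b"\x11" * 16) + struct.pack(">I", rounds)  # constructed salt
    else:
        cipher = b"none"
        kdfopts = b""
    blob = (AUTH_MAGIC
            + _put_string(cipher)
            + _put_string(kdfname.encode())
            + _put_string(kdfopts)
            + struct.pack(">I", 1)
            + _put_string(b"\x00" * 32)   # placeholder public key (constructed)
            + _put_string(b"\x00" * 64))  # placeholder private section (constructed)
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # 70-column wrapping like ssh-keygen
    return "\n".join([OPENSSH_HEADER, *body, OPENSSH_FOOTER]) + "\n"


def inspect_key(text: str) -> dict:
    """Report cipher, KDF and round count of a private key file without decrypting it."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == OPENSSH_HEADER and lines[-1] == OPENSSH_FOOTER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(AUTH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(AUTH_MAGIC)
        cipher, off = _get_string(blob, off)
        kdf, off = _get_string(blob, off)
        kdfopts, off = _get_string(blob, off)
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "salt_len": 0, "rounds": 0,
                "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            salt, o = _get_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info["salt_len"], info["rounds"] = len(salt), rounds
        # Stretched only if bcrypt is in use with a non-zero round count
        info["stretched"] = info["kdf"] == "bcrypt" and info["rounds"] > 0
        return info
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (e.g. "BEGIN RSA PRIVATE KEY"): encryption is signalled by
        # Proc-Type/DEK-Info headers, which name a cipher and IV but no rounds.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        cipher = "none"
        for ln in lines:
            if ln.startswith("DEK-Info:"):
                cipher = ln.split(":", 1)[1].strip().split(",")[0]
        return {"format": "legacy-pem", "cipher": cipher, "kdf": "n/a",
                "salt_len": 0, "rounds": 0, "encrypted": encrypted, "stretched": False}
    raise ValueError("unrecognised private key file")


if __name__ == "__main__":
    for name, key in (("bcrypt", build_sample_key("bcrypt", 1000)),
                      ("none", build_sample_key("none", 0))):
        print(name, inspect_key(key))
```

To check a real key, call inspect_key(open(path).read()) and confirm that "kdf" is "bcrypt" and "rounds" matches the value given to -a; a "none" KDF or a legacy PEM result means the passphrase is not being stretched by parameters recorded in the file.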