How to use ssh-rsa public key to encrypt a text?

57

31

So, the scenario is: Given I'm Bob, I want to encrypt some message for Alice. The only public key I have is her ssh-rsa id_rsa.pub like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyb+qaZLwgC7KAQJzYikf3XtOWuhlMXVv2mbTKa5dp0sHPRd2RaYnH8ZRkt7V8bjqct1IHGCuxI8xyoEp4at3FHe6j9RfWiarc1ldLUCmTtryI0GGpRs6Zpvqdtpcq/1NCIYtUQAvsImyEFCtqmB2suDo1ZSllZQ0x9TCKHdCANYIOeaniuFzR57POgE3vxk/r6PO24oy8BIWqxvi29r0n1LUigVBJ7CmMHuzb4/+i1v6PxV1Lqnj6osPP9GpXpsh8kLUCby/KcmcryWNdSP0esyCdDxkA5hlIuk8qL1vzsyPluUQuc0BEHu6nuw8WQlCF1mFFxcpJL+MhWEr01WIIw== sikachu@Sikachus-Notebook.local

So, is there a way to encrypt a string using this public key so she can use her private key from id_rsa (generated from ssh-keygen) to decrypt the message?

(I know that it's possible right away if you're using a .pem key pair file. If you can show me how to convert this to the format that openssl supports, that'd be great as well!)

Thanks!

sikachu

Posted 2013-04-01T18:53:09.000

Reputation: 673

6

You and Alice should really investigate gpg ... http://www.gnupg.org/ ;D

– tink – 2013-04-01T20:24:48.937

4

Hahaha, indeed! However, the scenario that I have here is that I have access to their ssh-rsa public key already, and I don't want to add another layer of complexity (like, asking the recipient to go install gpg, etc.) – sikachu – 2013-04-02T00:07:11.817

Answers

75

It's possible to convert your ssh public key to PEM format (which 'openssl rsautl' can read):

Example:

ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8 > id_rsa.pem.pub

Assuming 'myMessage.txt' is your message which should be public-key encrypted.

Then just encrypt your message with openssl rsautl and your converted PEM public-key as you would normally do:

openssl rsautl -encrypt -pubin -inkey id_rsa.pem.pub -ssl -in myMessage.txt -out myEncryptedMessage.txt

The result is your encrypted message in 'myEncryptedMessage.txt'

To test your work, decrypt it with Alice's private key:

openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in myEncryptedMessage.txt -out myDecryptedMessage.txt

Dirk Thannhäuser

Posted 2013-04-01T18:53:09.000

Reputation: 946

1

Echoing what @hyh said, this works only if the input file is small (the line is somewhere around 254 bytes); otherwise it will give a "rsa routines:RSA_padding_add_SSLv23:data too large for key size:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/rsa/rsa_ssl.c:73" error. – Devy – 2015-06-11T20:41:32.957

Can it also work for signing messages and for ecdsa and ed25519? – Vi. – 2016-09-13T15:35:43.407

Building on the script from @twe4ked, I made a bash script that does what this post describes with some nice command line parameters and a readme: https://git.e.tern.al/s2/sshencdec

– Simon – 2017-10-25T13:14:31.767

5

I wrapped this up in a script that pulls the users public key from GitHub. https://github.com/twe4ked/catacomb

– twe4ked – 2013-04-03T10:30:13.290

This does not work for me. My ssh-keygen does not have a -m option. (I cannot figure out how to ask ssh-keygen for its version.) Replacing -m with -t works, but then openssl tells me "unable to load Public Key". See http://stackoverflow.com/questions/18285294/how-do-i-fix-openssl-unable-to-load-public-key.

– Jason Gross – 2013-08-17T05:46:45.327

1

Same issue as Jason has on MacOS Mavericks. Replaced -m with -t for keygen enabled key generation. – Robert Christian – 2013-12-03T18:59:21.297

9

Note that this only works if the file is small enough, e.g. 200 bytes. See http://stackoverflow.com/questions/7143514/how-to-encrypt-a-large-file-in-openssl-using-public-key

– h__ – 2014-04-16T13:45:38.983

1

Give ssh-vault a try: it uses ssh-rsa public keys to encrypt ("create a vault") and the ssh-rsa private key to decrypt ("view content of the vault").

nbari

Posted 2013-04-01T18:53:09.000

Reputation: 193

-3

Why not do this the super obvious way that doesn't require rolling your own crypto?

Alice sftps to alice@bobserver.com, which is set up to only allow public key authentication for the account alice. The properties of ssh nicely ensure that only Alice can authenticate. Even a man in the middle attack fails since (assuming you disable ssh1 and insist on the right settings) the initial communication using DH creates a value known to both Alice and Bob but not to any man in the middle, and this can be used to authenticate that no replay or MITM attack can see the contents of the communication.

So have Alice sftp into your box and download the file.

Peter Gerdes

Posted 2013-04-01T18:53:09.000

Reputation: 135

As an example, using RSA to encrypt a 1024 character string would fail because of message size. To overcome this problem the implementer is in a precarious situation, especially if the messages are repeated.

It is safer to use RSA to encrypt a new symmetric cipher key and initialization vector which would be unlikely to repeat, so as to generate unique cipher text for every message sent, and gain the symmetric cipher speed, and reduce the amount of cipher and plain text to attack the RSA key with.

Hope that makes sense. :) – Sam – 2017-06-01T04:56:17.847
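The size limit raised in the comments on the first answer, and the approach Sam's comment describes (RSA-encrypt a fresh symmetric key, encrypt the data with the symmetric cipher), as an added shell example that is not part of the original thread. The function names, the `.enc` / `.key.enc` file suffixes and the choice of AES-256-CBC with RSA-OAEP key wrapping are this example's assumptions.

```shell
# Added example: hybrid encryption to an ssh-rsa key, for files of any size.
# Function names and file suffixes are this example's own, not from the thread.

# id_rsa.pub -> PEM public key (the conversion shown in the first answer).
ssh_pub_to_pem() {   # usage: ssh_pub_to_pem ID_RSA_PUB OUT_PEM
    ssh-keygen -f "$1" -e -m PKCS8 > "$2"
}

# Bob's side. Writes PREFIX.enc (AES-256-CBC data) and PREFIX.key.enc
# (the per-message key, RSA-OAEP encrypted to Alice's public key).
# openssl enc has no authenticated mode: this gives confidentiality only,
# it does not detect tampering or prove who produced the file.
encrypt_for() (      # usage: encrypt_for PUBKEY_PEM INFILE PREFIX
    kf=$(mktemp) || exit 1            # mode 0600 temp file for the session key
    rc=0
    {
        openssl rand -hex 32 > "$kf" &&          # fresh key for every message
        openssl enc -aes-256-cbc -pbkdf2 -pass "file:$kf" \
            -in "$2" -out "$3.enc" &&
        openssl pkeyutl -encrypt -pubin -inkey "$1" \
            -pkeyopt rsa_padding_mode:oaep -in "$kf" -out "$3.key.enc"
    } || rc=$?
    rm -f "$kf"                       # session key never leaves in the clear
    exit "$rc"
)

# Alice's side. PRIVATE_KEY must be in a format openssl reads; a key stored in
# the "BEGIN OPENSSH PRIVATE KEY" format has to be rewritten first, e.g. with
# ssh-keygen -p -m PEM -f <copy of the key>.
decrypt_with() (     # usage: decrypt_with PRIVATE_KEY PREFIX OUTFILE
    kf=$(mktemp) || exit 1
    rc=0
    {
        openssl pkeyutl -decrypt -inkey "$1" \
            -pkeyopt rsa_padding_mode:oaep -in "$2.key.enc" -out "$kf" &&
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$kf" \
            -in "$2.enc" -out "$3"
    } || rc=$?
    rm -f "$kf"
    exit "$rc"
)

# Typical use:
#   ssh_pub_to_pem alice_id_rsa.pub alice.pem
#   encrypt_for alice.pem myMessage.txt myMessage       # Bob sends both outputs
#   decrypt_with ~/.ssh/id_rsa myMessage myDecryptedMessage.txt   # Alice
```

Bob sends both output files; only the holder of the private key can recover the session key, and the RSA operation only ever sees the short session key rather than the message.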

This method requires Bob to trust Alice, or to lock down bobserver.com so that Alice can't do anything malicious. – mwfearnley – 2017-12-06T12:57:18.007

It's rolling your own in the sense that Alice has to go through a considerable amount of unusual operations to decrypt, not in the sense of the underlying math being roll-your-own. As this was asked in terms of command line utilities rather than an API or theoretical perspective, I assumed the individual actually wanted to transfer some concrete information, not piggyback a new protocol on top of ssh. As such, practically, sftp seemed far easier, and yes, it does require either locking down the server, trusting Alice or wiping the server afterward. – Peter Gerdes – 2017-12-19T11:16:46.000

Seems to me that in the above one is actually vulnerable to someone intercepting the email in which you explain to alice exactly how she can decrypt this unusual message and giving her a sequence of commands that instead safely decrypt Charlie's MITM message (openssl commands are like magic incantations to most) while the server idea avoids all this in favor of standard commands many are familiar with and if bob runs it from the computer he is encrypting on he is trusting it anyway. Obviously the best answer depends on the threat model but from q context this likely would serve them better. – Peter Gerdes – 2017-12-19T11:23:59.470

9

How is using openssl rolling your own crypto? – cmc – 2014-04-03T13:06:09.730