On Fri, Dec 10, 2010, Matej Kurpel wrote:

> On 10. 12. 2010 18:59, Dr. Stephen Henson wrote:
>> On Fri, Dec 10, 2010, Matej Kurpel wrote:
>>
>>> Hello,
>>> I am developing an application where I need to decrypt a RSA private key
>>> generated by OpenSSL (fyi, it's in C# .NET).
>>> I am facing some trouble with the passphrase. I have chosen a 6-character
>>> passphrase when generating the key but when I provide it to tie TripleDES
>>> algorithm, it says the passphrase has invalid length. I know that it 
>>> should
>>> be 24-bytes long so I have padded it with zero bytes. Now it says it's a
>>> known weak key and cannot be used.
>>> My question is, how to get the 3DES key out of the passphrase? How does
>>> OpenSSL do it?
>>> Thanks in advance,
>>>
>> It is documented here:
>>
>> http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT
>>
>> and here:
>>
>> http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    [email protected]
>> Automated List Manager                           [email protected]
>>
> Thanks. I have couple more questions which arose when reading the pages:
> 1. what does D_i mean in EVP_BytesToKey?


It's a subscript. For 3DES you'd need 24bytes of key + 8 bytes of IV (which is
discarded) so you need D1 and D2.

> 2. is MD5 used as the hash algorithm when encrypting a private key in 
> OpenSSL?

For the "traditional form" yes. Newer versions use PKCS#8. If the PEM file has
a line with DEK-Info it is traditional format. If the headers say ENCRYPTED
PRIVATE KEY it is PKCS#8.

> 3. my "data" is my choosen passphrase, right?

Yes.

> 4. where did it get the salt? (and salt = IV if I understood correctly)

It is take from the DEK-Info line in the PEM headers.

> 5. so what do I have to do when decrypting the key?
> Sorry for bothering but it's really unclear to me from the documentation 
> pages.
>

Well you need to derive the key first. You need 24 bytes for the key and 8 for
the IV (which is actually discarded).

So you do:

D1 = MD5(passphrase || salt)
D2 = MD5(D1 || passphrase || salt)

3DES key = (first 24 bytes of)D1 || D2

3DES IV = salt.

Then you base64 decode the encrypted key data and decrypt with the above
key and IV. The result is a PKCS#1 RSAPrivateKey structure assuming this is
RSA.

You might find it easier to use the OpenSSL PKCS#8 or PKCS#12 formats instead.
The traditional form is no longer the default in the latest versions of
OpenSSL and it is retained only for compatibility.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to