On Fri, Dec 10, 2010, Matej Kurpel wrote:

> On 10. 12. 2010 18:59, Dr. Stephen Henson wrote:
>> On Fri, Dec 10, 2010, Matej Kurpel wrote:
>>
>>> Hello,
>>> I am developing an application where I need to decrypt a RSA private key
>>> generated by OpenSSL (fyi, it's in C# .NET).
>>> I am facing some trouble with the passphrase. I have chosen a 6-character
>>> passphrase when generating the key but when I provide it to the TripleDES
>>> algorithm, it says the passphrase has invalid length. I know that it should
>>> be 24-bytes long so I have padded it with zero bytes. Now it says it's a
>>> known weak key and cannot be used.
>>> My question is, how to get the 3DES key out of the passphrase? How does
>>> OpenSSL do it?
>>> Thanks in advance,
>>>
>> It is documented here:
>>
>> http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT
>>
>> and here:
>>
>> http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List [email protected]
>> Automated List Manager [email protected]
>>
> Thanks. I have couple more questions which arose when reading the pages:
> 1. what does D_i mean in EVP_BytesToKey?

It's a subscript. For 3DES you'd need 24 bytes of key + 8 bytes of IV (which is
discarded) so you need D1 and D2.

> 2. is MD5 used as the hash algorithm when encrypting a private key in
> OpenSSL?

For the "traditional form" yes. Newer versions use PKCS#8. If the PEM file has
a line with DEK-Info it is traditional format. If the headers say ENCRYPTED
PRIVATE KEY it is PKCS#8.

> 3. my "data" is my chosen passphrase, right?

Yes.

> 4. where did it get the salt? (and salt = IV if I understood correctly)

It is taken from the DEK-Info line in the PEM headers.

> 5. so what do I have to do when decrypting the key?
> Sorry for bothering but it's really unclear to me from the documentation
> pages.
>

Well you need to derive the key first. You need 24 bytes for the key and 8 for
the IV (which is actually discarded). So you do:

D1 = MD5(passphrase || salt)
D2 = MD5(D1 || passphrase || salt)
3DES key = (first 24 bytes of)D1 || D2
3DES IV = salt.

Then you base64 decode the encrypted key data and decrypt with the above key
and IV. The result is a PKCS#1 RSAPrivateKey structure assuming this is RSA.

You might find it easier to use the OpenSSL PKCS#8 or PKCS#12 formats instead.
The traditional form is no longer the default in the latest versions of
OpenSSL and it is retained only for compatibility.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
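
The derivation described in the reply above, as an added Python example that is not part of the original thread and is not OpenSSL's own code: it reads the salt from the DEK-Info header and runs the MD5 D_i chain for any requested key length (3DES needs D1 and D2). The PEM header, IV value and passphrase are constructed samples, and the function names are hypothetical.

```python
import hashlib

# Constructed sample: header layout of a traditional-format encrypted key.
# The IV value is made up and the base64 body is omitted.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 body omitted)
-----END RSA PRIVATE KEY-----
"""


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from the DEK-Info header line."""
    for line in pem_text.splitlines():
        if line.startswith("DEK-Info:"):
            cipher, iv_hex = line.split(":", 1)[1].strip().split(",", 1)
            return cipher.strip(), bytes.fromhex(iv_hex.strip())
    raise ValueError("no DEK-Info header: not a traditional-format encrypted key")


def bytes_to_key_md5(passphrase, salt, key_len):
    """D1 = MD5(pass || salt), Di = MD5(D(i-1) || pass || salt); join, truncate."""
    derived, block = b"", b""
    while len(derived) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len]


def derive_3des_key(pem_text, passphrase):
    """Return (24-byte 3DES key, IV) for a DES-EDE3-CBC traditional PEM key."""
    cipher, iv = parse_dek_info(pem_text)
    if cipher != "DES-EDE3-CBC":
        raise ValueError("unexpected cipher: " + cipher)
    salt = iv[:8]  # the 3DES IV is 8 bytes, so salt == IV here
    return bytes_to_key_md5(passphrase.encode(), salt, 24), iv


if __name__ == "__main__":
    # Constructed 6-character passphrase; it is hashed, never zero-padded.
    key, iv = derive_3des_key(SAMPLE_PEM, "secret")
    print("3DES key:", key.hex())
    print("3DES IV: ", iv.hex())
```

The returned key and IV are what a 3DES-CBC implementation takes to decrypt the base64-decoded body.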
