
When you execute

ssh-keygen -t ssh-dss

it generates two files: one containing the public key and the other the private key.

The ssh-keygen man page says it always generates a 1024-bit key, but when I open the public key file, I always get a 580-character line (which would be 4640 bits in ASCII).

Am I missing something or thinking about it wrong? I've tried reading the algorithm, but it's very hard to calculate, considering the size of the prime numbers involved.

Is there a way I can validate that it's a 1024-bit key from the number of characters in the id_dsa.pub file?

    I'm voting to close this question as off-topic because this has nothing to do with programming or software development. This question might be much better suited for either [su] or [security.se]. – Artjom B. Aug 19 '15 at 14:55
  • There's other metadata in there, not just the key bits themselves. Plus, if the key's base64-encoded, you'll be dealing with only 6 bits per character. – Marc B Aug 19 '15 at 14:55
  • Actually it has. I must write a code to validate if it's a valid key considering its size. – Diogo Fenilli de Souza Aug 19 '15 at 14:56
  • I'd recommend using keys larger than 1024, preferably 2048. – CodesInChaos Aug 19 '15 at 15:08

1 Answer

The files where ssh-keygen stores the public and private keys have some predefined format (PEM, ...); they are not a dump of the keys themselves (remember, for example, that the private key will usually be encrypted).

In this link (https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html) you will find some good explanations of the different formats, and of the usage of tools like "openssl asn1parse" to display them:

The private key is an ASN.1 data structure, serialized to a byte string using DER, and then Base64-encoded. ASN.1 is roughly comparable to JSON (it supports various data types such as integers, booleans, strings and lists/sequences that can be nested in a tree structure). It’s very widely used for cryptographic purposes, but it has somehow fallen out of fashion with the web generation (I don’t know why, it seems like a pretty decent format).

A method to find the public key size is to look in the ASN.1 for the tag that stores it and verify the length of its data.

– pasaba por aqui
  • Note: You can parse the ASN1 by using `openssl asn1parse` (edited the answer but got rejected). – vlp Sep 09 '15 at 22:57
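Added example (not part of the question or the answer above): the `id_dsa.pub` line written by ssh-keygen is in the OpenSSH public key format, i.e. the key type name followed by a base64 blob of length-prefixed fields as defined in RFC 4253 section 6.6 (the string `ssh-dss`, then the mpints `p`, `q`, `g`, `y`). The key size is the bit length of `p`, so the reliable check is to decode the blob and read `p` rather than count characters. The parser below does that, with bounds checks on every length field so a truncated or padded line is rejected instead of misread. The sample key is constructed inline from synthetic integers of the right sizes (it is a correctly encoded blob, not a mathematically valid DSA key) to show why a 1024-bit DSA key yields exactly 580 base64 characters: 4+7 bytes for the type name, four 4-byte lengths, and 129+21+129+129 bytes of mpint bodies (a leading 0x00 byte is added when the high bit is set) give 435 bytes, and 435/3*4 = 580. All function names are this example's own.

```python
import base64
import struct


def mpint_to_bytes(n):
    """Encode a non-negative integer as an SSH mpint body (RFC 4251):
    big-endian, minimal length, with a leading 0x00 when the high bit is set."""
    if n == 0:
        return b""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def ssh_string(data):
    """Length-prefixed SSH string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_dss_blob(p, q, g, y):
    """Serialize a DSA public key in OpenSSH wire format (used to build the sample)."""
    return ssh_string(b"ssh-dss") + b"".join(
        ssh_string(mpint_to_bytes(x)) for x in (p, q, g, y))


def read_string(buf, off):
    """Read one length-prefixed string at offset `off`, refusing to run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_dss_pubkey_line(line):
    """Parse one id_dsa.pub line and return its p, q, g, y as integers.

    Raises ValueError on anything that is not a well-formed ssh-dss key."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)   # rejects non-alphabet characters
    wire_type, off = read_string(blob, 0)
    if wire_type != b"ssh-dss" or key_type != "ssh-dss":
        raise ValueError("not an ssh-dss key")
    fields = {}
    for name in ("p", "q", "g", "y"):
        raw, off = read_string(blob, off)
        fields[name] = int.from_bytes(raw, "big")
    if off != len(blob):
        raise ValueError("trailing bytes after key fields")
    return fields


def dsa_key_bits(line):
    """Key size as ssh-keygen reports it: the bit length of the modulus p."""
    return parse_dss_pubkey_line(line)["p"].bit_length()


# Constructed sample: integers with the sizes of a real 1024-bit DSA key
# (p, g, y are 1024 bits with the high bit set, q is 160 bits). Not a usable key.
SAMPLE_P = (1 << 1023) + 12345
SAMPLE_Q = (1 << 159) + 7
SAMPLE_G = (1 << 1023) + 3
SAMPLE_Y = (1 << 1023) + 99
SAMPLE_B64 = base64.b64encode(
    build_dss_blob(SAMPLE_P, SAMPLE_Q, SAMPLE_G, SAMPLE_Y)).decode("ascii")
SAMPLE_LINE = "ssh-dss " + SAMPLE_B64 + " constructed-example@host"

if __name__ == "__main__":
    print("base64 field length:", len(SAMPLE_B64))       # 580
    print("key size in bits:", dsa_key_bits(SAMPLE_LINE))  # 1024
    try:
        dsa_key_bits("ssh-dss " + SAMPLE_B64[:-8])        # truncated line
    except ValueError as exc:
        print("rejected:", exc)
```

Counting characters only works as a rough sanity check: because `g` and `y` are values modulo `p`, their high bit is not always set, so a genuine 1024-bit key can encode to 576 or 580 characters; `dsa_key_bits` is unaffected by that because it reads `p` directly.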