RSA 私钥密码在幕后是如何工作的?
RSA 私钥可能会被分配一个“密码”,据我所知,该密码旨在提供一些二级安全性,以防有人窃取私钥文件。
安全密码层是如何实现的?
RSA private keys may be assigned a "passphrase" which - as I understand it - is intended to provide some secondary security in case someone makes off with the private key file.
How is the passphrase layer of security implemented?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
ssh-keygen 使用 OpenSSL 生成 RSA 密钥并将其存储为 PEM 格式。您所说的加密是 PEM 特有的。如果您查看密钥文件,
只要您知道密码,“DEK-Info”标头就包含解密密钥所需的所有信息。 “DES-EDE3-CBC”表示三重 DES(EDE 模式)。 CBC是链接模式。十六进制数字是 CBC 所需的初始向量。
PEM 是一种非常古老的格式,因此它仅支持 DES/TripleDES。 AES 和 Blowfish 后来添加,但并非所有实现都支持。我的 ssh (OpenSSH 5.2) 仅支持 DES 和 TripleDES。
ssh-keygen uses OpenSSL to generate RSA keys and store it in PEM format. The encryption you are talking about is specific to PEM. If you look at your key file,
"DEK-Info" header has all the information you need to decrypt the key as long as you know the passphrase. "DES-EDE3-CBC" means Triple DES (in EDE mode). CBC is the chaining mode. The hex number is the initial vector needed for CBC.
PEM is a very old format so it only supports DES/TripleDES. AES and Blowfish were added later on but not supported by all implementations. My ssh (OpenSSH 5.2) only supports DES and TripleDES.
密码只是一个密钥,用于使用对称密码(通常是 DES 或 3DES)对包含 RSA 密钥的文件进行加密。为了使用该密钥进行公钥加密,您首先需要使用解密密钥对其文件进行解密。 ssh 通过询问您的密码来自动执行此操作。
如果有人掌握了密钥的文件,除非他们知道用于加密文件的密码,否则他们将无法使用它。
The passphrase is just a key used to encrypt the file that contains the RSA key, using a symmetric cipher (usually DES or 3DES). In order to use the key for public-key encryption, you first need to decrypt its file using the decryption key. ssh does this automatically by asking your for the passphrase.
If somebody got a hold of the key's file, they wouldn't be able to use it unless they knew the passphrase used to encrypt the file.
如果不加以保护,存储在通用文件系统上的私钥(与防篡改的专用硬件令牌相反)很容易被盗。文件系统权限可能看起来足够,但它们通常可以被绕过,特别是如果攻击者可以物理访问计算机。
强对称密码和良好的密码有助于防止这种情况发生。好的 RSA 私钥太长而难以记住(无论如何,对我来说),但更小的对称密钥可以提供相同级别的安全性。存储在大脑中的相对较短的对称密钥用于保护存储在磁盘上的大型私钥。
Private keys stored on general-purpose file systems (as opposed to tamperproof, special-purpose hardware tokens) could be easily stolen if not protected. File system permissions might seem sufficient, but they can often be bypassed, especially if an attacker has physical access to the machine.
A strong symmetric cipher, keyed with a good password, helps prevent this. A good RSA private key is too long to remember (for me, anyway), but far smaller symmetric keys can provide the same level of security. A relatively short, symmetric key stored in one's brain is used to protect a large private key stored on disk.