How does the RSA private key passphrase work under the hood?

Question

RSA private keys may be assigned a "passphrase" which - as I understand it - is intended to provide some secondary security in case someone makes off with the private key file.

How is the passphrase layer of security implemented?

Recommended answer

ssh-keygen uses OpenSSL to generate RSA keys and store them in PEM format. The encryption you are talking about is specific to PEM. If you look at your key file,

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5B01E932988DC66B

EPESt4ZVIrxnQXxxWWVa7cCR+vgNZ/4vTu4mdq6pjaW7jMZoB8HV+mA745mQkQw7
i+YtdVs/JqOeyGiw/3McxYYKZTlhyh7MvfIr1n8ZdZmcjQz+oFqMxChFU3r8BGgA

The "DEK-Info" header has all the information you need to decrypt the key as long as you know the passphrase. "DES-EDE3-CBC" means Triple DES (in EDE mode). CBC is the chaining mode. The hex number is the initial vector needed for CBC.

PEM is a very old format so it only supports DES/TripleDES. AES and Blowfish were added later on but not supported by all implementations. My ssh (OpenSSH 5.2) only supports DES and TripleDES.
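
The following is an added example, not part of the original answer. It parses the Proc-Type and DEK-Info headers shown above and derives the cipher key the way OpenSSL does for this legacy PEM format: EVP_BytesToKey with MD5, a single iteration, and the first 8 bytes of the IV as salt. The passphrase and the function names are assumptions made for illustration; the single unsalted-by-anything-else MD5 pass is why a strong passphrase matters for keys stored this way.

```python
import hashlib

# Key lengths in bytes for cipher names that can appear in DEK-Info.
KEY_LEN = {"DES-CBC": 8, "DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-256-CBC": 32}

# Header lines as shown in the answer; the base64 body is truncated there.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5B01E932988DC66B

EPESt4ZVIrxnQXxxWWVa7cCR+vgNZ/4vTu4mdq6pjaW7jMZoB8HV+mA745mQkQw7
"""

def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes), or None if the key is not encrypted."""
    headers = {}
    for line in pem_text.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if not line.strip() or not sep:
            break  # blank line ends the headers; no colon means body data
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return None
    cipher, _, iv_hex = headers["DEK-Info"].partition(",")
    return cipher, bytes.fromhex(iv_hex)

def derive_key(passphrase, iv, key_len):
    """EVP_BytesToKey(MD5, count=1): chain MD5 blocks until key_len bytes exist."""
    salt, block, out = iv[:8], b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        out += block
    return out[:key_len]

def describe(pem_text, passphrase):
    """Return (cipher, iv, key) for an encrypted PEM key, else None."""
    parsed = parse_dek_info(pem_text)
    if parsed is None:
        return None
    cipher, iv = parsed
    if cipher not in KEY_LEN:
        raise ValueError("unsupported DEK-Info cipher: " + cipher)
    return cipher, iv, derive_key(passphrase, iv, KEY_LEN[cipher])

if __name__ == "__main__":
    # "example-passphrase" is a constructed value, not the key's real passphrase.
    cipher, iv, key = describe(SAMPLE, b"example-passphrase")
    print(cipher, "IV =", iv.hex(), "key =", key.hex())
```

The derived key and the IV are then fed to the named cipher (Triple DES in CBC mode here) to decrypt the base64-decoded body.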
