4.8 Key types and formats

The ssh2 protocol uses long-term cryptographic key pairs to authenticate hosts and users. A key pair is composed of a public part and a private part. Public keys are transmitted over the network and both parts are stored on the file system, so key storage formats need to be specified.

Key types

Different cryptographic algorithms require different types of keys to be stored. Every type of key supported by libassh has its own support module that is able to create key pairs and store them in various formats. The following types of keys are supported by the provided modules:

  • RSA keys,

  • DSA keys,

  • EDDSA keys and

  • ECDSA keys.

All types of keys can be used for both host authentication and user authentication. Additionally, RSA keys are also used by the RSA based key-exchange algorithms.

Key storage formats

Multiple ssh2 key storage formats are in wide use for every type of key. Some formats are specified in standards documents and others were introduced by specific ssh2 implementations.

Existing formats are designed to store either the public part of a key or the whole key. Some are designed as containers that embed one or multiple key blobs encoded using a raw format.

The library comes with a key management example application. It is able to create new keys and convert between supported formats.

Raw formats

The raw formats are always binary and are handled directly by the libassh key support modules. Not every raw format can store every type of key: to support a given type of key, the format has to be designed to handle the specific set of values and blobs that compose that key. The following raw formats can be loaded and stored in memory by the key support modules:

  • The binary format for public keys described in RFC 4253 (a key type string followed by the type-specific fields).

  • The DER-encoded ASN.1 structures that PEM files carry (the binary payload, before base64 wrapping).

  • The binary blob of the newer openssh-key-v1 private key format.

Container formats

Most container formats are not tied to a specific type of key because they are generally designed as wrappers around raw formats. They may be binary or text based.

They offer features such as storage of multiple key pairs, passphrase encryption of private keys and storage of metadata along with the raw key material.

Support for these formats in libassh is provided as helper functions. Helpers are able to load and store keys in memory buffers as well as on the file system. Passphrase encryption of private keys is implemented when supported by the format.

The following container formats are supported using helper functions declared in assh/helper_key.h:

  • The base64 format for public keys described in RFC 4716.

  • The legacy one-line base64 format for public keys used by OpenSSH (the authorized_keys and known_hosts style).

  • The PEM text format (DER wrapped in base64 between BEGIN and END lines, similar to the armor of RFC 2440), used by older OpenSSH private key files.

  • The base64 text wrapper of the newer openssh-key-v1 private key format.
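As an added example (not libassh code, and not the library's own API), the block below encodes and decodes the public key formats named in the raw and container lists above: the RFC 4253 raw blob for ssh-ed25519 and ssh-rsa keys, and the two text containers that wrap that blob, the one-line OpenSSH format and the RFC 4716 format. The key values it uses are constructed test data, not real keys. It includes the checks a practitioner wants when loading an untrusted key file: bounds-checked length fields, rejection of negative or non-minimal mpints, rejection of trailing bytes, and a check that the key type named outside the blob matches the type inside it.

```python
"""Encode/decode ssh2 public keys: the RFC 4253 raw blob and the OpenSSH
one-line and RFC 4716 text containers. Added example, not libassh code."""
import base64

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint', non-negative: minimal two's complement, so a
    leading 0x00 is added when the top bit is set ((bits + 8) // 8 bytes)."""
    return ssh_string(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))

class Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated length field")
        n = int.from_bytes(self.data[self.pos:self.pos + 4], "big")
        if self.pos + 4 + n > len(self.data):
            raise ValueError("string runs past end of blob")
        s = self.data[self.pos + 4:self.pos + 4 + n]
        self.pos += 4 + n
        return s

    def mpint(self) -> int:
        s = self.string()
        if s and s[0] & 0x80:
            raise ValueError("negative mpint in public key")
        if len(s) > 1 and s[0] == 0 and not s[1] & 0x80:
            raise ValueError("non-minimal mpint encoding")
        return int.from_bytes(s, "big")

def encode_rfc4253_pub(key: dict) -> bytes:
    if key["type"] == "ssh-ed25519":
        return ssh_string(b"ssh-ed25519") + ssh_string(key["pk"])
    if key["type"] == "ssh-rsa":
        return ssh_string(b"ssh-rsa") + ssh_mpint(key["e"]) + ssh_mpint(key["n"])
    raise ValueError("unsupported key type %r" % key["type"])

def parse_rfc4253_pub(blob: bytes) -> dict:
    r = Reader(blob)
    ktype = r.string().decode("ascii")
    if ktype == "ssh-ed25519":
        pk = r.string()
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        key = {"type": ktype, "pk": pk}
    elif ktype == "ssh-rsa":
        key = {"type": ktype, "e": r.mpint(), "n": r.mpint()}
    else:
        raise ValueError("unsupported key type %r" % ktype)
    if r.pos != len(blob):
        raise ValueError("trailing bytes after key material")
    return key

# OpenSSH one-line container: "<type> <base64 blob> [comment]"
def to_openssh_line(key: dict, comment: str = "") -> str:
    b64 = base64.b64encode(encode_rfc4253_pub(key)).decode("ascii")
    return " ".join(x for x in (key["type"], b64, comment) if x)

def parse_openssh_line(line: str) -> tuple:
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key = parse_rfc4253_pub(base64.b64decode(parts[1], validate=True))
    if parts[0] != key["type"]:  # the outer type must agree with the blob
        raise ValueError("prefix %r != blob type %r" % (parts[0], key["type"]))
    return key, (parts[2] if len(parts) == 3 else "")

# RFC 4716 container: markers, optional "Tag: value" headers, base64 at <= 72 cols
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def to_rfc4716(key: dict, comment: str = "") -> str:
    b64 = base64.b64encode(encode_rfc4253_pub(key)).decode("ascii")
    lines = [BEGIN] + (['Comment: "%s"' % comment] if comment else [])
    lines += [b64[i:i + 72] for i in range(0, len(b64), 72)]
    return "\n".join(lines + [END]) + "\n"

def parse_rfc4716(text: str) -> tuple:
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    headers, body, cont = {}, [], None
    for ln in lines[1:-1]:
        if cont is None and ":" not in ln:  # base64 never contains ':'
            body.append(ln)
            continue
        raw = (cont or "") + ln
        if raw.endswith("\\"):  # header value continues on the next line
            cont = raw[:-1]
            continue
        tag, _, value = raw.partition(":")
        headers[tag.strip().lower()], cont = value.strip(), None
    key = parse_rfc4253_pub(base64.b64decode("".join(body), validate=True))
    return key, headers.get("comment", "").strip('"')
```

The private key containers (the PEM text format and openssh-key-v1) add passphrase encryption on top of the same wrapping idea and are deliberately not covered here; the point of the example is that both public key containers are thin text wrappers around one binary blob, so a loader should parse the blob once and validate it once, whichever wrapper it came in.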

Generated by diaxen on Sun Oct 25 23:30:45 2020 using MkDoc