Bug 2586

Summary: Ed25519 secret keys are 64 bytes but only 32 bytes used
Product: Portable OpenSSH Reporter: Kenny Root <kenny>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm
Priority: P5    
Version: 7.2p1   
Hardware: Other   
OS: Linux   

Description Kenny Root 2016-06-11 03:57:15 AEST 
There are two ways in which you can transport Ed25519 keys:

1. A 32-byte seed

2. Two 32-byte values: scalar left-half and a right half

OpenSSH is currently storing 64 byte values for Ed25519 keys which made me think it was using the second representation, but it turns out that only the first 32 bytes are used by ed25519.c since it calls:

  crypto_hash_sha512(extsk, sk, 32);

The second 32-bytes appears to be unused.
Comment 1 Damien Miller 2016-06-17 14:17:06 AEST 
Yeah, the encoding is redundant - having the public key appended to the private. I updated the PROTOCOL.agent file that is our best reference for how private keys are serialised to mention this, but I don't think we can trivially change it without breaking older OpenSSH clients, since they check the length is what they expect.

commit 531c135409b8d8810795b1f3692a4ebfd5c9cae0
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu May 19 07:45:32 2016 +0000

    upstream commit
    
    fix type of ed25519 values
    
    Upstream-ID: b32d0cb372bbe918ca2de56906901eae225a59b0
Comment 2 Damien Miller 2016-08-02 10:43:03 AEST 
Close all resolved bugs after 7.3p1 release