There are two ways in which you can transport Ed25519 keys:

1. A 32-byte seed
2. Two 32-byte values: scalar left-half and a right half

OpenSSH is currently storing 64 byte values for Ed25519 keys which made me think it was using the second representation, but it turns out that only the first 32 bytes are used by ed25519.c since it calls:

    crypto_hash_sha512(extsk, sk, 32);

The second 32-bytes appears to be unused.
Yeah, the encoding is redundant - having the public key appended to the private. I updated the PROTOCOL.agent file that is our best reference for how private keys are serialised to mention this, but I don't think we can trivially change it without breaking older OpenSSH clients, since they check the length is what they expect.

commit 531c135409b8d8810795b1f3692a4ebfd5c9cae0
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu May 19 07:45:32 2016 +0000

    upstream commit

    fix type of ed25519 values

    Upstream-ID: b32d0cb372bbe918ca2de56906901eae225a59b0
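The layout discussed in this thread, as an added example that is not part of the original comments or of OpenSSH's code: it splits a 64-byte stored value into the 32-byte seed and the appended 32 bytes, re-derives the public key from the seed alone, and reports whether the appended half matches. The function names are hypothetical, the arithmetic follows RFC 8032 rather than ed25519.c, and the sample key is RFC 8032 test vector 1.

```python
import hashlib

P = 2**255 - 19                              # field prime
D = -121665 * pow(121666, P - 2, P) % P      # curve constant d

def _add(p1, p2):
    # Unified point addition in extended coordinates (X, Y, Z, T), per RFC 8032.
    a = (p1[1] - p1[0]) * (p2[1] - p2[0]) % P
    b = (p1[1] + p1[0]) * (p2[1] + p2[0]) % P
    c = 2 * p1[3] * p2[3] * D % P
    d = 2 * p1[2] * p2[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def _base_point():
    # y = 4/5; recover the even x coordinate from the curve equation.
    y = 4 * pow(5, P - 2, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if x & 1:
        x = P - x
    return (x, y, 1, x * y % P)

def public_from_seed(seed: bytes) -> bytes:
    # Only the 32-byte seed is hashed, as in crypto_hash_sha512(extsk, sk, 32).
    h = hashlib.sha512(seed).digest()
    s = int.from_bytes(h[:32], "little")
    s = (s & ((1 << 254) - 8)) | (1 << 254)  # clamp the scalar
    q, pt = (0, 1, 1, 0), _base_point()
    while s:                                 # double-and-add, not constant time
        if s & 1:
            q = _add(q, pt)
        pt = _add(pt, pt)
        s >>= 1
    zinv = pow(q[2], P - 2, P)
    x, y = q[0] * zinv % P, q[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def split_stored_key(sk: bytes):
    # Returns (seed, appended_half, appended_half_matches_derived_public_key).
    if len(sk) != 64:
        raise ValueError("expected a 64-byte stored Ed25519 private value")
    seed, appended = sk[:32], sk[32:]
    return seed, appended, appended == public_from_seed(seed)

# RFC 8032 section 7.1, test 1 (seed and public key).
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
```

Calling `split_stored_key(SEED + PUB)` reports a match, while a constructed value with the second half zeroed still yields the same derived public key and reports a mismatch.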
Close all resolved bugs after 7.3p1 release