Bug 2586 - Ed25519 secret keys are 64 bytes but only 32 bytes used
Status: CLOSED WONTFIX
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.2p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2016-06-11 03:57 AEST by Kenny Root
Modified: 2016-08-02 10:43 AEST
Description Kenny Root 2016-06-11 03:57:15 AEST
There are two ways in which you can transport Ed25519 keys:

1. A 32-byte seed

2. Two 32-byte values: scalar left-half and a right half

OpenSSH is currently storing 64-byte values for Ed25519 keys, which made me think it was using the second representation, but it turns out that only the first 32 bytes are used by ed25519.c since it calls:

  crypto_hash_sha512(extsk, sk, 32);

The second 32 bytes appear to be unused.
Comment 1 Damien Miller 2016-06-17 14:17:06 AEST
Yeah, the encoding is redundant - having the public key appended to the private. I updated the PROTOCOL.agent file that is our best reference for how private keys are serialised to mention this, but I don't think we can trivially change it without breaking older OpenSSH clients, since they check the length is what they expect.

commit 531c135409b8d8810795b1f3692a4ebfd5c9cae0
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu May 19 07:45:32 2016 +0000

    upstream commit
    
    fix type of ed25519 values
    
    Upstream-ID: b32d0cb372bbe918ca2de56906901eae225a59b0
Comment 2 Damien Miller 2016-08-02 10:43:03 AEST
Close all resolved bugs after 7.3p1 release
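
The layout discussed in this bug (a 32-byte seed followed by the 32-byte public key), as an added example that is not OpenSSH code and not part of the original report: it splits a 64-byte secret key field and checks that the redundant trailing half really is the public key derived from the seed. The names split_secret and public_from_seed are hypothetical; the arithmetic follows the RFC 8032 definition of Ed25519 in plain Python integers, which is not constant time and is meant for inspecting key material offline only.

```python
import hashlib

# Curve constants from RFC 8032 (edwards25519).
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P

def recover_x(y, sign):
    """Recover x from y on the curve, choosing the root with the given parity."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if (x & 1) == sign else P - x

GY = 4 * pow(5, -1, P) % P
GX = recover_x(GY, 0)
G = (GX, GY, 1, GX * GY % P)  # base point in extended coordinates

def point_add(p, q):
    a, b = (p[1] - p[0]) * (q[1] - q[0]) % P, (p[1] + p[0]) * (q[1] + q[0]) % P
    c, d = 2 * p[3] * q[3] * D % P, 2 * p[2] * q[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def public_from_seed(seed):
    """Hash the 32-byte seed, clamp the left half, multiply the base point."""
    h = hashlib.sha512(seed).digest()
    s = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    q, p = (0, 1, 1, 0), G
    while s:
        if s & 1:
            q = point_add(q, p)
        p, s = point_add(p, p), s >> 1
    zinv = pow(q[2], -1, P)
    x, y = q[0] * zinv % P, q[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def split_secret(sk):
    """Split a 64-byte field into (seed, stored_pk, consistent?)."""
    if len(sk) != 64:
        raise ValueError("expected a 64-byte Ed25519 secret key field")
    seed, stored_pk = sk[:32], sk[32:]
    return seed, stored_pk, public_from_seed(seed) == stored_pk

# RFC 8032 section 7.1 test vector 1, laid out as seed || public key.
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
```

Because signing only reads the first 32 bytes, a trailing half that does not match the seed goes unnoticed unless a check like the third return value of split_secret is made.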