2

I have made some research but doesn't understand fully:

In this link, it says ed25519 has a length of 64 characters.

Questions:

  • Is this base64 encoded characters?
  • And does ed25519 limit to only 64 characters?

In the same link, it says rsa 3072 has 544 characters. I tried to generate a public private key pair here but:

  • rsa515 produces a public key with 128 characters
  • rsa1024 produces a public key with 216 characters
  • rsa2048 produces a public key with 392 characters
  • rsa3072 produces a public key with 564 characters
  • rsa4096 produces a public key with 736 characters

Question:

  • I would like to ask why?
paulj
  • 123
  • 1
  • 1
  • 5

1 Answers1

8

Note that this isn't really a cryptography question; it's about how various kinds of data representations work. The data in this case happens to be cryptographic, but the same or similar methods, operations, and issues can occur with any kind of data.

In this link, it says ed25519 has a length of 64 characters
Is this base64 encoded characters?
And does ed25519 limit to only 64 characters?

That webpage is about keys used in SSH, and more specifically in OpenSSH which is the only SSH implementation most people know about even though there are (many) others.

A0. That link says ed25519 publickey is 68 chars, not 64, and is correct; see below.

A1. Yes, OpenSSH stores publickeys in base64, or more exactly as a line containing two or three space-separated fields: a type or algorithm name, a base64 encoded 'blob' which itself can contain multiple subfields, and an optional comment string; with in some cases one more field preceding those (nothing in key.pub files, always a hostname (or hash thereof) in the known_hosts file, optionally a set of special options in the authorized_keys file).

For ed25519 the 'blob' data in binary is (always) 51 bytes: a 4-byte length, a 11-byte string containing (again) the algorithm name, another 4-byte length, and a 32-byte value which is the actual publickey value. 51 bytes is base64-encoded to 68 chars (exactly).

For example:

$ cat sample.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvz/i320EDToF/MruEAUWFq7vPmZz5O1MVGhlyE1R/I hello, world!
$

Here the base64-encoded 'blob' is the following 68 chars:

AAAAC3NzaC1lZDI1NTE5AAAAILvz/i320EDToF/MruEAUWFq7vPmZz5O1MVGhlyE1R/I

When decoded, it produces the following bytes:

$ awk '{ print $2 }' sample.pub | base64 -d | xxd
00000000: 0000 000b 7373 682d 6564 3235 3531 3900  ....ssh-ed25519.
00000010: 0000 20bb f3fe 2df6 d040 d3a0 5fcc aee1  .. ...-..@.._...
00000020: 0051 616a eef3 e667 3e4e d4c5 4686 5c84  .Qaj...g>N..F.\.
00000030: d51f c8                                  ...
$

The first 4 bytes [0x00, 0x00, 0x00, 0x0b], interpreted as a big endian int, represent the value 11, which is the length of the algorithm name. The next 11 bytes are the algorithm name, namely "ssh-ed25519". The next 4 bytes [0x00, 0x00, 0x00, 0x20] represent the value 32, which is the length of the public key. The final 32 bytes are, of course, the actual public key value.

A2: yes, ed25519 keys are fixed length 32 bytes (as kelalak commented), and the added metadata in the 'blob' is also fixed length, so the base64-encoded blob is fixed length. This isn't true of other algorithms used by OpenSSH.

An RSA-3072 key (with e=F4, see below) in OpenSSH format has a blob of 23+384=407 bytes encoded as 544 chars.

I tried to generate a public private key pair here but: ...

That webpage produces (and uses) keys in the formats used by many but not all other programs, including Java, (plus base64 encoding) which are different from those used by OpenSSH. In particular for publickey Java uses the ASN.1 structure SubjectPublicKeyInfo defined in X.509 and more conveniently copied in RFC5280 section 4.1. Thus the encoded key contains ASN.1-level metadata (tag and length octets) and 'application' metadata (the AlgorithmIdentifier structure) in addition to the actual publickey values -- which as also commented contains both the modulus n and the public exponent e as required by the standard format, although that site like many but not all systems makes e a constant value 65537 chosen because it is a Fermat prime: prime is good because it eases generation of p,q with p-1,q-1 coprime e as required, and Fermat primes have minimal Hamming weight making encryption or verification operation cheaper.

515 there is a typo; it actually does 512 bits. Although mathematically RSA works for any number of bits, a nearly universal convention quickly developed of using only powers of 2 or values halfway between such powers: 512, 768, 1024, 1536, 2048, 3072, 4096. (There are some exceptions; for example some smartcard interfaces use message formats with a single-byte length field allowing up to 1016 bits if signed or 2040 bits if unsigned, making that the maximum size RSA they can readily support.)

The 'standard' RSA sizes with e=65537 represented as SubjectPublicKeyInfo in DER and base64 are:

modulus bits DER bytes base64 chars
512 30+64=94 128
768 30+96=126 168
1024 34+128=162 216
1536 34+192=226 304
2048 38+256=294 392
3072 38+384=422 564
4096 38+512=546 736

I would like to ask why?

The 'real' info in a RSA-3072 publickey is the modulus n, which is 384 bytes in both representations, but the added metadata varies in format and size, resulting in base64 encodings of different lengths.

typically
  • 103
  • 4
dave_thompson_085
  • 6,523
  • 1
  • 22
  • 25