openssh unix dev - Jul 2014 - improving passphrase protected private keys

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I got a proposal
for a slight different default
private key encryption protocol.

Here is my understanding what
ssh-keygen currently does.

According to this article:

http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html

when you create a new key with a
passphrase to protect it, ssh-keygen
uses a hard-coded openssl call to do this:

It encrypts the private key with AES-128 in
CBC mode, and generates the encryption key
the following way:

1. "Append the first 8 bytes of the IV
to the passphrase, without a separator
(serves as a salt)."

2. "Take the MD5 hash of the resulting string (once)."

So my proposal is, to alter this
by using PKCS 8 as defined in RFC 5208
as is described in the above article.

This currently works already by converting
your key manually:

openssl pkcs8 -topk8 -v2 des3 \
    -in test_rsa_key.old -passin 'pass:super secret passphrase' \
    -out test_rsa_key -passout 'pass:super secret passphrase'

I didn't find any contradicting documentation
or stuff inside the SSH RFCs why this is not the default
yet.

I know this is just a little hardening
and just covers cases where your encrypted
private key gets stolen and is harder to bruteforce
due to the use of PBKDF2 instead of MD5.

What do you think about this?
Is there some error in my information
which prevents this from being the default
way ssh keys are generated?

Does this not work on all supported
plattforms?

Please keep me CC'ed in your answers
as I'm not subscribed to the list.

kind regards

Sven Kieske

PS: Thanks for this awesome free software
and your work!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQGcBAEBAgAGBQJT0icgAAoJEAq0kGAWDrql8vAL/2XS8mhAy5Z1acQBVVA/pLd3
5bLecQQCMEJL8l0zsYSV/6YHBUj7TI0DJleN0qh4OJG+rmK+XIOz4CnnjxY/p/tg
dgwy/XSXEqhoVqWajSP6Q+fiYsydAxqyTa7UXIuGtzyWyqldK6x0n5ThTeNqX/LV
Qt1kLhIsD+w+0AmNN+ERI1uP72/Y1YhLluIC91lA+OrcL0RRkptXN6Vjo2WYR2e9
Edbk55N8J4Dli7YdycSs0fRykad3zjPqH/KxwOopil7+tis1dJTJIBawZaCWs0nq
7OJzF3bs+7smN5342KscO6hpSZ5igOQH2MkS3SXi8D6E5hX9KODupBtu8eZ7qvdN
4qtYno1EMaVJZUCRALmrqAxtVnkGGvDdzNC3dPGEXPgXq4QTHll9aMbWN4R3rOuC
FzMCK97u3DA2ss7+6nY7A1gRSedMPisLGn4fsCYmYn+nVBFKK9s4NXzrGocPgpsA
koNhXZCG2B0554NBNincT4gyO++fPQtUtLqKge/msw==lUo9
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hum,

no I'm a little bit concerned
that my request is actually not needed?

At least this is what I found in
the source, but I'm not that familiar
with it:

/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
#define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
#define MARK_END_LEN (sizeof(MARK_END) - 1)
#define KDFNAME "bcrypt"
#define AUTH_MAGIC "openssh-key-v1"
#define SALT_LEN 16
#define DEFAULT_CIPHERNAME "aes256-cbc"
#define DEFAULT_ROUNDS 16

from:

https://github.com/openssh/openssh-portable/blob/948a1774a79a85f9deba6d74db95f402dee32c69/sshkey.c

So it seems you actually use bcrypt as default?

Is this already in a released version available?
And if yes, since which version?

Sorry for creating this noise.

kind regards

Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQGcBAEBAgAGBQJT0jqoAAoJEAq0kGAWDrqlK00L/jN78/qf0xhEIo5YHjfLEk3x
YJViqOJYQqN+3IkIB6ZqeDTfQyShGLbRVCXnG4u3BMG+YhlmQkO96q3zNv6dYWh2
62R3mEz99vRlPr7WScjbZzLiWCd5yi8nxiEcMomDxD+qhYZ1P3/NcWQZFVxO2Ztf
IygA6Z10dHVcQGHupAG8Ng6jMlCjos7rgz0gvghpuU7fbtQtUa/nhqhZwrq6jTBm
zbDTB2InD0I/tCx6mN01tq7VBcZSN7VPqnOy1s90uSFp7eHNnhfh5WZ+y+9C6/wg
oagBm/JNXn4GIVsiSyh48sNAsCGKCYfA3B/wJIiaYeKc2qDukXsfXExMssqt0WMZ
Sqt+bYopTW6AGsHqmhhaTPKgGOPWR6m+W6vUkXrL/Y5jsjOHxZYRidAyOPpRNGFv
EB9LWrmfxF1uy6cONyyO661jVqeirE5YgtCtMtVT0qFV0QCygc80HUGWAyWNe33v
66uHd4kQEic0jY+2UFFK89n2gXFc63adtn2rdlhDCw==4kU7
-----END PGP SIGNATURE-----