Private key AES 128 CBC Invalid key format

0 votes
asked Nov 14, 2014 by TimLansw (130 points)
edited Nov 18, 2014

I am trying to create a SshPrivateKey object with the information listed below

Code:

byte[] sshkeyBytes = Convert.FromBase64String(cred.SSHKey);
SshPrivateKey prvtKey = new SshPrivateKey(sshkeyBytes, cred.Password);

try
{
    ssh.Login(cred.Username, prvtKey);
}
catch (SshException exc)
{}

Linux key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C66D147EC61D22907B6BBAE81995B4A5


Values in the variables:

cred.SSHKey:

Cred.Password: "passphrase"

Error message: CryptographicException was caught: Invalid key format.

Debug information

2014-11-14 09:54:18.286 DEBUG Ssh(3)[45] SSH: Server is 'SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1'.
2014-11-14 09:54:18.286 INFO Ssh(3)[45] SSH: Negotiation started.
2014-11-14 09:54:18.286 DEBUG Ssh(3)[45] SSH: Group exchange.
2014-11-14 09:54:18.286 DEBUG Ssh(3)[45] SSH: Negotiating key.
2014-11-14 09:54:18.364 DEBUG Ssh(3)[45] SSH: Validating signature.
2014-11-14 09:54:18.364 INFO Ssh(3)[45] SSH: Negotiation finished.
2014-11-14 09:54:18.364 INFO Ssh(3)[45] Info: Server: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1
2014-11-14 09:54:18.364 INFO Ssh(3)[45] Info: Fingerprint: d3:d3:11:a5:67:74:29:4d:ee:b5:b1:13:4a:e6:35:2f
2014-11-14 09:54:18.364 INFO Ssh(3)[45] Info: Cipher info: SSH 2.0, DiffieHellmanGroupExchangeSHA256, DSS, aes256-ctr/aes256-ctr, hmac-sha1/hmac-sha1

We are using version 5171.

This works fine as long as the key is not encrypted with a passphrase.

Would it be possible to point me in the right direction? Or ideally give a code example?

Thanks in advance!

Tim

1 Answer

+1 vote
answered Nov 14, 2014 by Lukas Pokorny (94,670 points)
edited Nov 18, 2014

This key is using the OpenSSH/OpenSSL SSLeay format, where the values in the header are actually needed in order to decrypt the key. The DEK-Info header contains an IV vector and it's not possible to decrypt the key without it. The SshPrivateKey class needs this header, and it needs the "-----BEGIN RSA PRIVATE KEY-----" as well in order to properly detect the key format.

In other words, you need to pass the key in this format. Either load it from the text file as an array of bytes, or convert your string to a byte array.

The following code demonstrates this:

string password = "passphrase";

string sshkey = @"-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C66D147EC61D22907B6BBAE81995B4A5

ARdRQ6Fen0e3LRUm6KFftaFTDBwxXvQI880GpY+Nrz8kc6RYtyD/dObcrJU726IB 
eYBlFsUrETu5UAlgl3h8MhpEVD0xJ+P9yKVaqSSdlKQlnRYTlKUZ6v7Pb0cUH95T 
iZuSjGiOHYBYuWgFZIb6nfUwBH96EukgwM8KAwduEbDM1C+XR2W6qvfIzLaN3x6W 
LwJ0AqraSql5+QDoaC5JDtbE6dblWZHYstU8IyPzGyd4u4fxbw5hTZ4cRaduo5hH 
wB8EkhYyQx3kgfQpKyuccXCxAoA0cZMJvSixCildPzGarZCPfko4n1Ygwb7razVp 
W8y1B5iHq90fYp2cqFSh8d6N66aUYlYaIeXo4jMV+Rl1AbcAOf325DDxgtk/CbaW 
c8WzJCaz8TqPX/npTmhebA5L/6WBojbVO5VgvRhtIlYkkbIlHRTINZGJ8PV8Dl40 
gGhkvSJ8vQ1iObsWIlM9iPSmzNSe1hHeTUA6MXwhY64BVZm1HSsyA6HAUpjylBJZ 
4mDR5/UZT10aJ9IgjCjXNnz4eVvLMWGQtFBkYpTf0obmhkzlhTshVSHF4DuCA/2F 
bJHLLPG50b4T+6Re3LDdwPCxCDAcoEqOdy0r8XnlD+Ltu4BeARHksye+hUZwUXCb 
7cE6KNlAgb89XqVWI7i9bowU+Yko0TizCTTGs2VotgI1uf36tCxlDHpZIDQhqtiN 
9i6XVXu+2Jm1LWg78Mrf0d52vxDIb5m/w+rV5QKhKQmY3iekzSemQEEqQTiQ68zQ 
aKsW0a2CJFfkLTKy3W8kXLWaP7G1oz81W10qG6XsV0sWhfULl8LMgLCdq4qy1B06 
w8cyVRXAU4dPs6oi6S7ZvnZLN+kpIAMvPUmipq4lXuj6DpjeW8xtCLTiDaStkFBC 
7FLnGoMAe0KhpNpAkrEw3UIM1L6OjtYQenP9glLmr9cgpaqGI7wQM2zyT9k/9UQz 
KQbEyxJADfhqs1iXTtpZ6uV20nra9qJy9lxby8G20gTMOGG5K7Q8+hL8VvvRbRlY 
3qAKbkFsnOaWZJO6GqHsPVq8C8ChjOW7vAKpZgwzpJB81R+mAOWoO0CUS2IpMpPU 
RSpKUASxqDlzsj6ZzoHUO4pJYDmYdBFb7GF1S9bEFxgtldgmqbCZvelFfWhGEge/ 
yNaCayYoNfx+nDv44CQM49wkOy7G7dWSAlfnegTwQRMSAb3kNPcuOL2R08m61q+3 
ix4ekpmTry766M1WXX95i74Jn8eOocxj8E15QFujJIur+bMI1B3XBn7St8JepNcf 
1CJUq97yCIkLdzoCtgNQ6/ORdZj89md+fYeJBkJQq/+0MixcOjpZHEeSXrT+BPr4 
x4O3QM2SG6xxdp8WpyyzrgyrEc16VJq3aBq2jWw3lrNZPFztUV6W2OUc7yKkVaP8 
LwlVzeal5IL/RPCyRvlK6vI0MnRe/IpJ6KAmw1DRj0HGNE5HgEfkZyIGC9l2achO 
i6aTRW8F9xy5kIayJXuIzBhDtqOPf21787LwfZwA6xGvu06DeO6P/bo6zKRbxrkU 
eoHKTd1pvRLuouqaFJMVMMAyvruQIzmu8lyDyfCpF6UcbcAUHkFrgvmwZXs6z1PA 
-----END RSA PRIVATE KEY-----
";

// convert the key from text form to a byte array
byte[] sshkeyBytes = System.Text.Encoding.ASCII.GetBytes(sshkey);

// pass the byte array to SshPrivateKey constructor
SshPrivateKey prvtKey = new SshPrivateKey(sshkeyBytes, password);

commented Nov 17, 2014 by TimLansw (130 points)
edited Nov 17, 2014

Thank you very much, I hadn't thought that the actual indication of the start and end should've been included for the decryption!

It all works now! Tim

commented Nov 18, 2014 by Lukas Pokorny (94,670 points)
edited Nov 18, 2014

Yes, this key format is tricky. Had it been a PKCS #8 key, your original approach would actually work.
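
The format check discussed in the answer, as an added example (not Rebex code and not part of the original thread): it classifies a key blob by its PEM armor and DEK-Info header, and shows why the header is required, since in this legacy format the IV also serves as the salt for deriving the AES key from the passphrase. The class and method names are hypothetical, and the sample key body is a constructed stub.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class LegacyPemCheck   // hypothetical helper, not a Rebex API
{
    // Classifies a key blob the way a loader must before it can decrypt it.
    public static string Classify(string keyText, out string cipher, out byte[] iv)
    {
        cipher = null; iv = null;
        string text = keyText.Replace("\r\n", "\n").Trim();
        Match begin = Regex.Match(text, @"^-----BEGIN ([A-Z0-9 ]+)-----");
        if (!begin.Success) return "bare Base64 body: no armor, cipher and IV unknown";
        string label = begin.Groups[1].Value;
        if (label == "ENCRYPTED PRIVATE KEY") return "PKCS #8: parameters are inside the DER";
        Match dek = Regex.Match(text, @"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)\s*$", RegexOptions.Multiline);
        if (!text.Contains("Proc-Type: 4,ENCRYPTED") || !dek.Success) return label + ": not encrypted";
        cipher = dek.Groups[1].Value;
        string hex = dek.Groups[2].Value;
        iv = Enumerable.Range(0, hex.Length / 2)
                       .Select(i => Convert.ToByte(hex.Substring(2 * i, 2), 16)).ToArray();
        return label + ": traditional PEM encryption";
    }

    // AES-128 key as OpenSSL derives it for this format (EVP_BytesToKey, MD5, one round):
    // MD5(passphrase || first 8 bytes of the DEK-Info IV). The IV doubles as the salt.
    public static byte[] DeriveAes128Key(string passphrase, byte[] iv)
    {
        byte[] input = Encoding.ASCII.GetBytes(passphrase).Concat(iv.Take(8)).ToArray();
        using (MD5 md5 = MD5.Create()) return md5.ComputeHash(input);
    }

    static void Main()
    {
        // Constructed samples: header values from the question, key body replaced by a stub.
        string body = "QUJDRA==";
        string armored = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n" +
            "DEK-Info: AES-128-CBC,C66D147EC61D22907B6BBAE81995B4A5\n\n" + body + "\n-----END RSA PRIVATE KEY-----\n";
        foreach (string sample in new[] { body, armored })
        {
            Console.WriteLine(Classify(sample, out string cipher, out byte[] iv));
            if (iv == null) continue;   // nothing to derive without the DEK-Info header
            byte[] key = DeriveAes128Key("passphrase", iv);
            Console.WriteLine($"{cipher}: IV {iv.Length} bytes, key {key.Length} bytes");
        }
    }
}
```

For the Base64 body alone, `Classify` reports missing armor, which is the state in which neither the cipher nor the IV can be recovered. The single-round MD5 derivation is also why PKCS #8 with a proper KDF is the better container for passphrase-protected keys.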

...