
Generating ECC keys in OpenSSH format


This page demonstrates how to generate a pair of Elliptic Curve Cryptography (ECC) public and private keys in OpenSSH format.

We provide C# code using CryptoSys PKI Pro specifically for ecdsa-sha2-nistp256 and ssh-ed25519 curves with unencrypted private keys.


OpenSSH key formats

Examples of NIST P-256 and Ed25519 public keys in OpenSSH format.

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYSxMBdIUiMoUkj+lVd83ibsaY3p02JDMwfFYKlK18Q/Uv3SX1aTRZqz3CJin8eOUY6z4kQTV+H1rJFq9A0j/g= user@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfphCpxrTPNXj5akk+9EEsClepCi9YpOiFI4ZSGAoff user@example.com

The corresponding private keys in unencrypted OpenSSH format.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQR2EsTAXSFIjKFJI/pVXfN4m7GmN6dN
iQzMHxWCpStfEP1L90l9Wk0Was9wiYp/HjlGOs+JEE1fh9ayRavQNI/4AAAAsIe2LKKHti
yiAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYSxMBdIUiMoUkj
+lVd83ibsaY3p02JDMwfFYKlK18Q/Uv3SX1aTRZqz3CJin8eOUY6z4kQTV+H1rJFq9A0j/
gAAAAhAKmf94rpamMP+aNnxCYDbON89NvLPUyBYrC1xsjAZEqgAAAAEHVzZXJAZXhhbXBs
ZS5jb20BAgMEBQYH
-----END OPENSSH PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAH6YQqca0zzV4+WpJPvRBLApXqQovWKTohSOGUhgKH3wAAAJjWQDOb1kAz
mwAAAAtzc2gtZWQyNTUxOQAAACAH6YQqca0zzV4+WpJPvRBLApXqQovWKTohSOGUhgKH3w
AAAEA+Z4sIp9KQBSA7v5ATxTrzz9Tmv+764xOuTaAAYrWxCQfphCpxrTPNXj5akk+9EEsC
lepCi9YpOiFI4ZSGAoffAAAAEHVzZXJAZXhhbXBsZS5jb20BAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

Public key format

The public key has the form
<type-name> <base64-encoded-ssh-public-key>[ <comment>]
where <type-name> is selected from an approved list (we provide support for ecdsa-sha2-nistp256 and ssh-ed25519 here). The optional comment is usually of the form user@hostname.

The <base64-encoded-ssh-public-key> value is computed as described in [RFC4716] but in one line and without the BEGIN/END delimiters. This public key format is explained in more detail by CoolAJ86 at [ONEAL-PUBLIC].

Private key format

The private key is a "proprietary" OpenSSH format, encoded like a PEM file [RFC1421] but the content is not ASN.1 DER. CoolAJ86 explains the structure very well in [ONEAL-PRIVATE]. We got some more hints from the OpenSSH portable code at [OPENSSH-SSHKEY]. See also the comments in the C# code.

The Known Test Keys

For reference, the known test keys above have the following hex-encoded components:

Ed25519 key

Private key: ae63a9e08d44ccbfc5d04ad45e936b968021f824b5717d41a6ccdb021317e551
Public key:  daff2e9da0ea27a2315f3fad7c2b2837de77c31a80a8beb488df8f2f4fcc30e8

P-256 key

Private key: a99ff78ae96a630ff9a367c426036ce37cf4dbcb3d4c8162b0b5c6c8c0644aa0
Public key:  047612c4c05d21488ca14923fa555df3789bb1a637a74d890ccc1f1582a52b5f10fd4bf7497d5a4d166acf70898a7f1e39463acf89104d5f87d6b245abd0348ff8
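As an added check (example code written for this page, not part of the page's C# code or the CryptoSys library), the following Python parses both OpenSSH formats described above and verifies the invariants a reader of the private-key structure should expect: the openssh-key-v1 magic, "none" cipher and KDF, a single key, matching checkints, the public key embedded in the private section equal to the stand-alone public key, and 1, 2, 3, ... padding up to a multiple of 8 bytes. It is run here over the P-256 test key pair from this page; the PUBLIC_FIELDS table is my own shorthand for the fields each key type carries.

```python
import base64
import struct

# Sample input: the known P-256 test key pair copied from this page.
PUB_LINE = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYSxMBdIUiMoUkj+lVd"
            "83ibsaY3p02JDMwfFYKlK18Q/Uv3SX1aTRZqz3CJin8eOUY6z4kQTV+H1rJFq9A0j/g= user@example.com")
PRIV_PEM = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQR2EsTAXSFIjKFJI/pVXfN4m7GmN6dN
iQzMHxWCpStfEP1L90l9Wk0Was9wiYp/HjlGOs+JEE1fh9ayRavQNI/4AAAAsIe2LKKHti
yiAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYSxMBdIUiMoUkj
+lVd83ibsaY3p02JDMwfFYKlK18Q/Uv3SX1aTRZqz3CJin8eOUY6z4kQTV+H1rJFq9A0j/
gAAAAhAKmf94rpamMP+aNnxCYDbON89NvLPUyBYrC1xsjAZEqgAAAAEHVzZXJAZXhhbXBs
ZS5jb20BAgMEBQYH
-----END OPENSSH PRIVATE KEY-----"""
PUBLIC_FIELDS = {b"ecdsa-sha2-nistp256": 2, b"ssh-ed25519": 1}  # fields after the type: (curve, Q) / (A)

def read_strings(buf, pos, count):
    """Read `count` SSH wire-format strings (uint32 big-endian length, then that many bytes)."""
    out = []
    for _ in range(count):
        (n,) = struct.unpack(">I", buf[pos:pos + 4])
        out.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out, pos

def parse_public_line(line):
    parts = line.split(None, 2)  # "<type-name> <base64 blob> [comment]"
    blob, ktype = base64.b64decode(parts[1], validate=True), parts[0].encode()
    fields, end = read_strings(blob, 0, 1 + PUBLIC_FIELDS[ktype])
    if fields[0] != ktype or end != len(blob):
        raise ValueError("public key blob does not match its type prefix")
    return {"type": parts[0], "fields": fields[1:], "comment": parts[2] if len(parts) > 2 else "", "blob": blob}

def parse_private_pem(pem):
    """Decode an unencrypted openssh-key-v1 file and verify its structural invariants."""
    raw = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    (cipher, kdf, _kdfopts), pos = read_strings(raw, 15, 3)  # after the "openssh-key-v1\0" magic
    (pub, priv), _ = read_strings(raw, pos + 4, 2)  # raw[pos:pos+4] is the key count, checked below
    if raw[:15] != b"openssh-key-v1\0" or (cipher, kdf, raw[pos:pos + 4]) != (b"none", b"none", b"\0\0\0\1"):
        raise ValueError("expected a single-key, unencrypted openssh-key-v1 file")
    if priv[:4] != priv[4:8]:  # the two checkints must agree (wrong passphrase or corruption)
        raise ValueError("checkint mismatch")
    (ktype,), p = read_strings(priv, 8, 1)
    fields, p = read_strings(priv, p, PUBLIC_FIELDS[ktype] + 2)  # public fields, private, comment
    *public, private, comment = fields
    if (pub != b"".join(struct.pack(">I", len(s)) + s for s in [ktype] + public)
            or len(priv) % 8 or priv[p:] != bytes(range(1, len(priv) - p + 1))):
        raise ValueError("embedded public key or padding is wrong")
    return {"type": ktype.decode(), "public": public, "private": private, "comment": comment.decode(), "blob": pub}
```

The ECDSA private scalar comes back as an mpint, so for this key it is 33 bytes with a leading zero because the top bit of d is set.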

The C# Code

The C# code: SSHkeys.cs. Use the SSHKeys.GenSSHKeys method to generate a pair of ECC public and private keys in OpenSSH format. Further instructions are in the source code.

Set useKnownTest = true to output the known test keys as shown above. Otherwise a pair of random keys will be generated.

Comment out the line Trace.Listeners.Clear(); in Program.Main to show debugging output.


SSHKeys.GenSSHKeys Method

Generate a pair of ECC keys in SSH format.

Syntax

public static void GenSSHKeys(
	Ecc.CurveName curveName,
	string newprikeyfile,
	string newpubkeyfile,
	string userHostName = "",
	bool useKnownTest = false
)

Parameters

curveName
Type: Ecc.CurveName
Ecc.CurveName.Ed25519 or Ecc.CurveName.P_256 only.
newprikeyfile
Type: string
Name of new private key file to be created.
newpubkeyfile
Type: string
Name of new public key file to be created.
userHostName
Type: string
Optional user@hostname parameter (comment). Defaults to an empty string.
useKnownTest
Type: bool
Set true to use known test case values; else generate at random.

Examples

SSHKeys.GenSSHKeys(Ecc.CurveName.P_256, "knownprikey_ecdsa256.pem", "knownpubkey_ecdsa256.pub", "user@example.com", useKnownTest: true);
SSHKeys.GenSSHKeys(Ecc.CurveName.Ed25519, "newprikey_ed25519.pem", "newpubkey_ed25519.pub", "user@example.com");

References

Contact us

To contact us or comment on this page, please send us a message.


This page first published 12 January 2024. Last updated 13 January 2024