RSA Fingerprint Variations

TL;DR

Yes, you can generate multiple different fingerprints from a single RSA public key using different hashing algorithms and formats. This isn’t a problem in itself, but it’s important to understand the differences when comparing keys or checking for consistency.

How to Generate Multiple RSA Key Fingerprints

  1. Understand Fingerprinting Basics
    • A fingerprint is a short, practically unique representation of a longer piece of data (like an RSA public key), used for quick comparison. It is the output of a cryptographic hash over the key's encoded bytes.
    • Different hashing algorithms produce different fingerprints for the same input. So do different encodings of the same key (a certificate vs. the bare public key, DER vs. SSH wire format), because the hash sees the bytes, not the key.
  2. Using OpenSSL
    OpenSSL is a common tool for working with cryptography. Note that openssl x509 -fingerprint hashes an X.509 certificate (the whole DER-encoded certificate, not just the key inside it), so its input must be a certificate file:

    • MD5 Fingerprint: (Generally discouraged due to collision vulnerabilities)
      openssl x509 -noout -fingerprint -md5 -in your_certificate.pem
    • SHA1 Fingerprint: (Also discouraged, but still sometimes seen)
      openssl x509 -noout -fingerprint -sha1 -in your_certificate.pem
    • SHA256 Fingerprint: (Recommended – most common modern choice)
      openssl x509 -noout -fingerprint -sha256 -in your_certificate.pem
    • SHA384 Fingerprint: (Good alternative to SHA256, provides a longer fingerprint)
      openssl x509 -noout -fingerprint -sha384 -in your_certificate.pem
    • SHA512 Fingerprint: (Longest and most secure, but less common)
      openssl x509 -noout -fingerprint -sha512 -in your_certificate.pem

    For a bare RSA public key (a PEM file starting with "-----BEGIN PUBLIC KEY-----"), hash its DER encoding instead. The digest option selects the algorithm in the same way, and -c prints the colon-separated form:
      openssl pkey -pubin -in your_public_key.pem -outform DER | openssl dgst -sha256 -c
  3. Fingerprint Formats
    • Colon-Hexadecimal: (Most Common) Pairs of hexadecimal digits separated by colons. This is the standard format you'll see in many tools and systems, such as OpenSSL's -fingerprint output and MD5 SSH key fingerprints.

      Example: AA:BB:CC:DD:EE:FF:01:23:45:67:89:AB:CD:EF:01:23

    • Hexadecimal: The same digest as one continuous string of hexadecimal characters, with no separators.

      Example: AABBCCDDEEFF0123456789ABCDEF0123

    • Upper- and lower-case hexadecimal are the same value. Modern OpenSSH additionally shows SHA256 fingerprints as base64 with the algorithm as a prefix (SHA256:...), which is a third rendering of the same digest.
  4. Comparing Fingerprints
    • Algorithm Consistency: When comparing fingerprints, *always* ensure you're using the same hashing algorithm (e.g., SHA256). Comparing a SHA1 fingerprint to a SHA256 fingerprint is meaningless.
    • Format Consistency: Ensure the display format is also consistent (colon-hexadecimal vs. hexadecimal), or normalise both to one format before comparing.
    • Encoding Consistency: Both fingerprints must be computed over the same encoding of the key. ssh-keygen hashes the SSH wire format of the public key, while OpenSSL hashes the DER certificate or key, so their SHA256 fingerprints of the same RSA key will not match each other.
  5. Practical Example – SSH Key Verification
    When adding an SSH key to a server, you'll typically see its fingerprint displayed. Verify that it matches the one generated on your local machine with ssh-keygen (SHA256 is best practice):

    • Generate Fingerprint Locally:
      ssh-keygen -lf ~/.ssh/id_rsa.pub
      (add -E md5 to get the older colon-hexadecimal MD5 form if that is what the server shows)
    • Compare: Carefully compare the output of ssh-keygen with the fingerprint shown by the server during key addition.
  6. Using Python (with cryptography library)
    You can also generate fingerprints programmatically using Python. Note that hashes.SHA256() only names the algorithm; the object that accepts data and produces the digest is hashes.Hash():

    from cryptography.hazmat.primitives import hashes
    import binascii

    def fingerprint(public_key, algorithm=hashes.SHA256()):
        # hashes.SHA256() is only an algorithm descriptor; hashes.Hash()
        # is the object that consumes data and returns the digest.
        hasher = hashes.Hash(algorithm)
        hasher.update(public_key)
        digest = hasher.finalize()
        return binascii.hexlify(digest).decode('utf-8')

    # Example (assuming you have the public key in bytes format, i.e. the
    # DER or SSH wire encoding you want fingerprinted, not PEM text):
    public_key_bytes = b'...' # Replace with your actual public key data
    sha256_fingerprint = fingerprint(public_key_bytes)
    print(f"SHA256 Fingerprint: {sha256_fingerprint}")
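The following is an added example, not code from the original post: using only the standard library, it builds the SSH wire encoding of an RSA public key (the bytes ssh-keygen -lf actually hashes), produces the fingerprint variations in colon-hex, plain hex and OpenSSH's SHA256:base64 form, and compares fingerprints only after normalising the display format and checking the algorithms match. The key (e=17, n=3233) is a constructed textbook toy, not a usable RSA key; the encoding and comparison logic does not depend on key size.

```python
import base64
import hashlib

# Constructed toy key (textbook e=17, n=61*53); far too small to be real, but the logic is size-independent.
TOY_E, TOY_N = 17, 3233

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so prepend 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """The bytes ssh-keygen -lf hashes: the decoded base64 part of an 'ssh-rsa ...' line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def colon_hex(d: bytes) -> str:       # aa:bb:cc:...
    return ":".join(f"{b:02x}" for b in d)

def openssh_sha256(d: bytes) -> str:  # SHA256:<unpadded base64>, as modern ssh-keygen prints it
    return "SHA256:" + base64.b64encode(d).decode().rstrip("=")

def fingerprints(e: int, n: int) -> dict:
    """All the variations listed above, computed over one encoding of one key."""
    blob = ssh_rsa_blob(e, n)
    sha256 = hashlib.sha256(blob).digest()
    return {
        "md5_colon": colon_hex(hashlib.md5(blob).digest()),
        "sha1_colon": colon_hex(hashlib.sha1(blob).digest()),
        "sha256_hex": sha256.hex(),
        "sha256_openssh": openssh_sha256(sha256),
    }

def normalize(fp: str) -> str:
    """Reduce any display format (colon-hex, plain hex, SHA256:base64) to lowercase hex."""
    if fp.startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex()
    return fp.replace(":", "").replace(" ", "").lower()

def same_fingerprint(alg_a: str, fp_a: str, alg_b: str, fp_b: str) -> bool:
    """Compare two fingerprints; refuse the meaningless cross-algorithm case instead of returning False."""
    if alg_a.lower() != alg_b.lower():
        raise ValueError(f"cannot compare {alg_a} and {alg_b} fingerprints")
    return normalize(fp_a) == normalize(fp_b)
```

Because fingerprints(TOY_E, TOY_N) hashes the SSH wire blob, its SHA256 value will not equal the digest of the same key's DER encoding from openssl dgst; that difference is the encoding mismatch described under Comparing Fingerprints.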