RSA Fingerprint Variations

G5 Cyber Security

1 week ago

TL;DR

Yes, you can generate multiple different fingerprints from a single RSA public key using different hashing algorithms and formats. This isn’t a problem in itself, but it’s important to understand the differences when comparing keys or checking for consistency.

How to Generate Multiple RSA Key Fingerprints

Understand Fingerprinting Basics

A fingerprint is a short, unique representation of a longer piece of data (like an RSA public key). It’s used for quick comparison.
Hashing algorithms create these fingerprints. Different algorithms produce different results even with the same input.

Using OpenSSL

OpenSSL is a common tool for working with cryptography. Here’s how to generate various RSA key fingerprints:

MD5 Fingerprint: (Generally discouraged due to collision vulnerabilities)
```
openssl x509 -noout -fingerprint -md5 -in your_public_key.pem
```

SHA1 Fingerprint: (Also discouraged, but still sometimes seen)

openssl x509 -noout -fingerprint -sha1 -in your_public_key.pem

SHA256 Fingerprint: (Recommended – most common modern choice)

openssl x509 -noout -fingerprint -sha256 -in your_public_key.pem

SHA384 Fingerprint: (Good alternative to SHA256, provides a longer fingerprint)
```
openssl x509 -noout -fingerprint -sha384 -in your_public_key.pem
```

SHA512 Fingerprint: (Longest and most secure, but less common)

openssl x509 -noout -fingerprint -sha512 -in your_public_key.pem

Fingerprint Formats

Colon-Hexadecimal: (Most Common) This is the standard format you’ll see in many tools and systems, like SSH keys.
Example: AA:BB:CC:DD:EE:FF:01:23:45:67:89:AB:CD:EF:01:23
Hexadecimal: A continuous string of hexadecimal characters.
Example: AA BB CC DD EE FF 01 23 45 67 89 AB CD EF 01 23

Comparing Fingerprints

Algorithm Consistency: When comparing fingerprints, *always* ensure you’re using the same hashing algorithm (e.g., SHA256). Comparing a SHA1 fingerprint to a SHA256 fingerprint is meaningless.
Format Consistency: Ensure the format is also consistent (colon-hexadecimal vs. hexadecimal).

Practical Example – SSH Key Verification

When adding an SSH key to a server, you’ll typically get a fingerprint displayed. Verify this fingerprint matches the one generated by your local machine using OpenSSL (using SHA256 is best practice).

Generate Fingerprint Locally:
```
ssh-keygen -lf ~/.ssh/id_rsa.pub
```
Compare: Carefully compare the output of ssh-keygen with the fingerprint shown by the server during key addition.

Using Python (with cryptography library)

You can also generate fingerprints programmatically using Python:

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
import binascii

def fingerprint(public_key):
  hasher = hashes.SHA256()
  hasher.update(public_key)
  digest = hasher.finalize()
  return binascii.hexlify(digest).decode('utf-8')

# Example (assuming you have the public key in bytes format):
public_key_bytes = b'...' # Replace with your actual public key data
sha256_fingerprint = fingerprint(public_key_bytes)
print(f"SHA256 Fingerprint: {sha256_fingerprint}")