Is it safe to "share" a private key's MD5 fingerprint?

kfriend · November 29, 2018, 4:22pm

Hi all,

I have a repo that is currently private, but may eventually be public. In the CircleCI config, I have a snippet which adds a private SSH key via the add_ssh_keys item, e.g.:

steps:
  - add_ssh_keys:
      fingerprints:
        - "00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55"

I was wondering whether it’s safe to have the fingerprint publicly accessible, given its a private key, and uses MD5 for its hash. My assumption is yes, it’s safe, but want to confirm, before heading down an alternate route.

Thanks!

halfer · November 30, 2018, 8:52am

Probably not. MD5 is a very fast hashing algorithm, and many millions of brute-force attempts can be guessed per second these days (with just one CPU). Due to hashing collisions, there are probably several keys that resolve to the same hash, but perhaps there would be a small enough number that they could be tried one by one.

If you have a need to share a hash, can you use something stronger (e.g. Bcrypt)?

system · February 28, 2019, 9:04am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CircleCI User Key uses RSA with SHA1, which GitHub has deprecated Feedback & Bug Reports suggested	5	2261	January 11, 2022
Ssh key integration Integrations and Accounts	2	727	March 6, 2019
Cannot SSH into remote server using private key, even though I can locally with same private key Deployments ssh	3	6391	December 18, 2018
Scp using public key Deployments	8	10448	June 18, 2018
Removal of ~/.ssh/id_rsa from Ubuntu build environment Build Environment ssh , keys , ruby	2	2349	June 18, 2018

Is it safe to "share" a private key's MD5 fingerprint?

Related Topics