8th February 2018

Cipher Feedback Encryption Woes on Windows

I had a problem with a private DSA key that was encrypted with DES-EDE3-CFB.

CFB is a valid block cypher encreyption mode (you can read all about it here) but it is unrecognised by common Windows SFTP utilities such as FileZilla and WinSCP. When I tried to convert it by importing to PuTTYgen I got the the message “Couldn’t load private key (unsupported cipher)”

The header looked like this:
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CFB,C15475B03B004EE1

Note that CFB in the DEK-Info in the header, that tells us that block cipher mode is Cipher Feedback.

Much Googling revealed nothing that directly solved the problem but I did manage to discover that the CFB format is not generally supported and that the CBC variant (Cipher Block Chaining) is. I found some pointers in the Linux world showing conversion of encryption formats by using OpenSSL which  suggested that I might be able to transform it to an acceptable format.

Next stop: Is there an OpenSSL for Windows? Indeed there is 🙂

So first I went to SourceForge and downloaded the latest version of OpenSSL for Windows.

It comes as a zip file which you just need to unzip, there’s no install. I unzipped it to a suitable location and opened a command prompt in the bin folder (so I could execute OpenSSL without a path) and tried a couple of variations on commands I had found on until I came up with

openssl dsa -in my-useless-CFB.key -out hopefully-useful.key -outform pem

The output key now has a header that is simply:

And PuTTYgen happily accepts it and converts it to a Format that’s usable by WinSCP.

So now I’m connected to where I want to be and everyone is happy.


Leave a Reply