secp256r1 65 byte key size in packet capture

[Matt Caswell]

On 19/06/2024 09:15, Lokesh Chakka wrote:
> hello,
> 
> I'm trying to generate public/private keys with following commands:
> 
> openssl ecparam -name secp256r1 -genkey -out pvtkey.pem
> openssl ec -in pvtkey.pem -pubout
> 
> I'm seeing the sizeof private key as 164 bytes and public key as 124 bytes.
> 
> In a wireshark capture( attached ), I'm seeing key length as 65 bytes.

What you are doing is confusing. You have generated public/private key 
pair for secp256r1 - but the wireshark capture you show seems to be the 
key share from a TLSv1.3 handshake. TLSv1.3 key shares are ephemeral so 
- you'll get a different key share every time. You don't need to create 
a public/private key for this. OpenSSL does it for you.

Anyway. Taking the key that you generated:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVSmp4UnlQbzbe6eopByeEUzkmYHP
GgaKvSt/xdAgvDp7FXKTpST8UM9LpF8f4JETOXgDDGvNlIDqVFo+T0hdtQ==
-----END PUBLIC KEY-----

This is just a PEM encoding of the real key (base 64 encoding of DER 
structured data in PEM headers). Not sure where you get 124 bytes from, 
but you can look take a look at the actual key data like this:

$ openssl pkey -in /tmp/key.pem -pubin -noout -text
Public-Key: (256 bit)
pub:
     04:55:29:a9:e1:49:e5:41:bc:db:7b:a7:a8:a4:1c:
     9e:11:4c:e4:99:81:cf:1a:06:8a:bd:2b:7f:c5:d0:
     20:bc:3a:7b:15:72:93:a5:24:fc:50:cf:4b:a4:5f:
     1f:e0:91:13:39:78:03:0c:6b:cd:94:80:ea:54:5a:
     3e:4f:48:5d:b5
ASN1 OID: prime256v1
NIST CURVE: P-256

This shows you the 65 bytes of raw public key data contained within the 
key file.

This key is in "uncompressed" format (the 04 byte at the start indicates 
this). Since it is uncompressed we then get an x and a y value to 
indicate the point on the curve. Each of these are 32 bytes long (256 
bits) - so this gives you 65 bytes in total.

Matt



> 
> Can someone help me understand why the difference?
> 
> Thanks & Regards
> --
> Lokesh Chakka.