Many modern systems rely on public/private key pairs to connect securely between applications or users. Examples include GitHub, Snowflake and general-purpose protocols such as SSH.
On a local machine you would typically use terminal-based software such as SSH to connect with the key pair. Programmatically, just about every major language has libraries that can encrypt, decrypt and sign with such keys. One well-known library is Bouncy Castle (https://www.bouncycastle.org/about.html).
Whether you use Bouncy Castle or another library, you may run into the following error when trying to decrypt a password-encrypted private key:
unable to read encrypted data: 1.2.840.1135220.127.116.11 not available: requires PBE parameters
A similar error may also be thrown:
Unknown PBE type 1.2.840.113518.104.22.168
The dotted number in these messages, such as 1.2.840.113522.214.171.124, is an ASN.1 object identifier (OID) naming the password-based encryption (PBE) scheme the key was protected with, and the library is saying it cannot handle that scheme. Older OpenSSL releases encrypted PKCS#8 keys by default with a PKCS#5 v1.5 (PBES1) scheme, pbeWithMD5AndDES-CBC, which derives a 56-bit single-DES key with MD5; modern libraries have deprecated or dropped it because it is weak. I believe OpenSSL keeps this default around for backwards compatibility, but if one is not encrypting the key then technically it doesn't matter.
So what's the solution?
To comply with modern security standards, pass the -v2 flag when creating your encrypted private key with openssl pkcs8. This selects the PKCS#5 v2.0 (PBES2) algorithms, which use PBKDF2 for key derivation, such as
Thoughts on Snowflake Public/Private Key Pair Authorization
Since Snowflake continues to update its documentation, you should always read the latest version. If we look at their user key pair authentication page, we see that they not only recommend the -v2 flag but also use the des3 algorithm when generating an encrypted private key. Note that des3 selects PBES2 with triple DES; aes-256-cbc is the stronger choice within the same -v2 framing, and OpenSSL 1.1.0 and later already default to AES-256-CBC with PBKDF2 when no algorithm is given.
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
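Before handing a key to Bouncy Castle it helps to know which PBE scheme its header actually names, since that is what the errors above complain about. The following inspector is an added example, not code from the original post and not Snowflake's or Bouncy Castle's code: it is pure standard-library Python that parses just enough DER of a PEM EncryptedPrivateKeyInfo to report the scheme OID and, for PKCS#5 v2.0 keys, the KDF, iteration count and cipher. The three sample keys inside it are constructed by hand with placeholder salt, IV and ciphertext bytes; only their algorithm identifiers mirror what OpenSSL writes, and the OID table lists only the identifiers assumed to matter here.

```python
"""Report which password-based encryption (PBE) scheme a PKCS#8 key uses.
Added example, not code from the original post; standard library only. It parses just
enough DER of an EncryptedPrivateKeyInfo to tell a legacy PKCS#5 v1.5 (PBES1) key from
a PKCS#5 v2.0 (PBES2) one; the ciphertext itself is never decrypted."""
import base64
import re

PBES2_OID = "1.2.840.113549.1.5.13"
KNOWN_OIDS = {  # identifiers commonly seen in OpenSSL-generated PKCS#8 files
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5, PBES1)",
    PBES2_OID: "PBES2 (PKCS#5 v2.0)",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def _tlvs(data):
    """Split a DER byte string into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out

def _decode_oid(raw):
    """DER OID content bytes -> dotted string, e.g. 1.2.840.113549.1.5.13."""
    arcs, n = ([2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]), 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED "
                  r"PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM EncryptedPrivateKeyInfo (PKCS#8)")
    return base64.b64decode("".join(m.group(1).split()))

def inspect_pbe(pem):
    """Return the PBE scheme OID and, for PBES2, the KDF, round count and cipher."""
    epki = _tlvs(pem_to_der(pem))[0][1]            # EncryptedPrivateKeyInfo SEQUENCE
    alg_id, _ciphertext = [v for _, v in _tlvs(epki)]
    oid_raw, params = [v for _, v in _tlvs(alg_id)]
    scheme = _decode_oid(oid_raw)
    info = {"scheme": scheme, "scheme_name": KNOWN_OIDS.get(scheme, "unknown"),
            "pbes2": scheme == PBES2_OID}
    if info["pbes2"]:
        # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
        kdf, enc = [v for _, v in _tlvs(params)]
        kdf_oid, kdf_params = [v for _, v in _tlvs(kdf)]
        fields = [v for _, v in _tlvs(kdf_params)]  # salt, iterationCount, [keyLength], [prf]
        info["kdf"] = _decode_oid(kdf_oid)
        info["iterations"] = int.from_bytes(fields[1], "big")
        info["cipher"] = _decode_oid(_tlvs(enc)[0][1])
        info["cipher_name"] = KNOWN_OIDS.get(info["cipher"], "unknown")
    return info

# --- Constructed sample keys: realistic headers, placeholder salt/IV/ciphertext bytes ---
def _tlv(tag, value):
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:  # remaining high bits, 7 per byte, continuation bit set
            chunk, arc = [0x80 | (arc & 0x7F)] + chunk, arc >> 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def _alg(oid, params=b""):
    return _tlv(0x30, _encode_oid(oid) + params)

def _epki_pem(alg_id, ciphertext=bytes(32)):  # all-zero ciphertext is a placeholder
    b64 = base64.encodebytes(_tlv(0x30, alg_id + _tlv(0x04, ciphertext))).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 + "-----END ENCRYPTED PRIVATE KEY-----\n"

_SALT_AND_ROUNDS = _tlv(0x04, bytes(8)) + _tlv(0x02, b"\x08\x00")  # zero salt, 2048 rounds
# Header shape of an old 'openssl pkcs8 -topk8' key made without -v2: PBES1, MD5 + single DES.
LEGACY_PEM = _epki_pem(_alg("1.2.840.113549.1.5.3", _tlv(0x30, _SALT_AND_ROUNDS)))

def pbes2_pem(cipher_oid, iv_len):
    # Header shape of 'openssl pkcs8 -topk8 -v2 <cipher>': PBES2, PBKDF2 with HMAC-SHA256.
    kdf = _alg("1.2.840.113549.1.5.12",
               _tlv(0x30, _SALT_AND_ROUNDS + _alg("1.2.840.113549.2.9", b"\x05\x00")))
    return _epki_pem(_alg(PBES2_OID, _tlv(0x30, kdf + _alg(cipher_oid, _tlv(0x04, bytes(iv_len))))))

DES3_PEM = pbes2_pem("1.2.840.113549.3.7", 8)          # what '-v2 des3' selects
AES256_PEM = pbes2_pem("2.16.840.1.101.3.4.1.42", 16)  # what '-v2 aes-256-cbc' selects
```

Run it against a real file with inspect_pbe(open("rsa_key.p8").read()). A key produced by the Snowflake command above should report PBES2 with des-ede3-cbc; swapping aes-256-cbc for des3 gives the aes256-CBC result; and a key written by an old OpenSSL without -v2 reports a PBES1 OID, which is the case that triggers the "requires PBE parameters" and "Unknown PBE type" errors quoted earlier. The inspector deliberately never touches the ciphertext, so it is safe to run on production key material.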