RSA Key Fingerprints Explained

RSA Key Fingerprints

A key fingerprint is a short, human-readable hash that uniquely identifies a cryptographic key. Fingerprints allow you to verify a key's identity without comparing the entire key content.

How Fingerprints Are Computed

A fingerprint is produced by hashing the key's binary representation:

1. The public key is encoded in a standard binary format
2. A cryptographic hash function is applied to the binary data
3. The hash is displayed in a human-readable format

SSH Key Fingerprints

SSH uses fingerprints extensively for host verification. When you connect to a server for the first time, SSH displays the server's key fingerprint:

The authenticity of host 'example.com' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?

Fingerprint Formats

MD5 format (legacy, deprecated):

ssh-keygen -l -E md5 -f key.pub
# 2048 MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48

SHA-256 format (current default):

ssh-keygen -l -E sha256 -f key.pub
# 2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8

The SHA-256 fingerprint is Base64-encoded (43 characters), while the MD5 fingerprint is displayed as colon-separated hex (47 characters).

Computing Fingerprints Programmatically

// Hash the SSH public key blob
const keyData = parseSSHPublicKey(publicKeyString);
const hashBuffer = await crypto.subtle.digest("SHA-256", keyData);
const fingerprint = btoa(String.fromCharCode(...new Uint8Array(hashBuffer)))
  .replace(/=+$/, "");
console.log(`SHA256:${fingerprint}`);

Security Considerations

• Always compare fingerprints out-of-band — verify via a separate channel (phone, in person, signed email)
• Use SHA-256 — MD5 fingerprints are susceptible to collision attacks
• Store known fingerprints — SSH maintains ~/.ssh/known_hosts for this purpose
• Monitor for changes — an unexpected fingerprint change could indicate a man-in-the-middle attack