I know RSA has the concept of "public" and "private" key and one key is used for "encryption" and another for "decryption", but I am confused if both keys can be used for both purposes.. I mean, what you encrypt with any of them, you can decrypt of the other.
-
One of them you keep private/secret, the other you give to other people/make public. – user May 12 '21 at 17:57
-
2You wouldn't get any benefit from encrypting with the private key, since anyone with the public key could decrypt it. I guess you could use that as proof of holding the private key, but you should use digital signatures for that. – user May 12 '21 at 18:02
-
@user - Yes, my question is if I could use RSA as a Digital Signatura Algoritihm – André Pena May 12 '21 at 18:06
-
1You'll want to use whichever crypto library's digital signature API instead of building digital signatures from pure RSA, since there are a lot of pitfalls with hashing algorithms and padding to be aware of. – user May 12 '21 at 18:16
3 Answers
There are many incorrect wordings/usages here.
RSA is merely the one public-key cryptosystem that can support both encryption and signature naively in the almost same type of operation.
TextBook RSA
What confuses the people is the Textbook RSA which is simply c = m^e mod n
for encryption and m= c^d mod n
for decryption, whereas sign = hash(m)^d mod n
for signature and verify(m,sign)
that calculates hash(m)
and checks that hash(m) == sign^e mod n
.
Both are insecure as you can see that you can multiply the ciphertexts, or .. ( this is a very long story; start from reading Twenty Years of Attacks on the RSA Cryptosystem for more attacks from Dan Boneh).
RSA encryption
RSA encryption requires padding to be secure. PKCS#5v1.5 and Optimal Asymmetric Encryption Padding (OAEP) are the paddings that must be used. The former had lots of attacks due to incorrect implementations. The latter is much easier to implement. They are both proved to be secure so the only problem is the implementations.
RSA signatures
RSA signature requires padding to be secure, too. This time the padding is a Probabilistic Signature Scheme and designed for signatures.
RSA sign!=RSA decryption
Don't use/say that RSA decryption is a signature. It is not. The signatures algorithm consists of two algorithms; sign
and verify
. During the sign operation, PSS be part of it.
For a detailed reading see from Cornell University page; RSA Signing is Not RSA Decryption
Don't use one RSA key for more than one purpose
Don't use the same RSA public-private key for more than one purpose. Use either for enc/dec or sign/verify. If you need both, you two different public/private key pairs where the modulus is distinct.
Public key is not for encryption
Public key cryptosystems are slow compared to private key cryptosystems. Therefore we prefer a hybrid cryptosystem where the public key is used for key exchange and the private key is used for encryption. Examples are;
- RSA-KEM for Key encapsulation Mechanism and AES-GCM for Data Encapsulation Mechanism
- DHKE for key establishment and ChaCha20-Poly1305 for data encapsulation mechanism
Where RSA is used today?
In today's security, RSA is mostly used for the signature. Although RSA-KEM is promising for key encapsulation there is no standard for that, we use Elliptic Curve Diffie-Hellman most of the time.
There is a lot of confusion around the terminology used with asymmetric encryption. Much of it stems from the misuse of the terms.
- Public keys are used for encrypting messages and for verifying signatures.
- Private keys are used for decrypting messages and for creating signatures.
However, often you will see people use the term 'encrypting using the private key', when what the really mean is creating a digital signature using the private key. In actuality, it is impossible to encrypt a message using the private key, because the mathematics just don't work. For more info, see answer by Thomas Pornin at If the public key can't be used for decrypting something encrypted by the private key, then how do digital signatures work?, and pay particular attention to where he tries to blame the confusion on the deleterious effects of post-Disco pop music
.
- 21,098
- 2
- 47
- 66
The short answer is no. While there is a mathematical core that is reversible, the two keys have different security properties. It's not encryption if anyone can “decrypt”.
“RSA” means several things which are related, but have different properties.
The mathematical core of RSA, sometimes called “textbook RSA”, is a pair of operations which are the inverse of each other: transforming A into Ad mod N and transforming B into Be mod N, where the numbers d, e and N are chosen in such a way that (Ad)e = A mod N and (Bd)e = B mod N. With textbook RSA, d and e are interchangeable. But textbook RSA alone does not provide encryption. Encryption means that you can't calculate the inverse operation without knowing some kind of secret key. If you want B ↦ Be mod N to be public-key encryption, so the numbers (N, e) make up the public key, it is necessary that d cannot be calculated from N and e. (By “cannot be calculated”, I mean that it would take more computing power than the world is available. This is not about the mathematical equation having a unique solution.) If the “private key” can be calculated from the “public key”, then the “private key” isn't actually a private key and you don't have an encryption mechanism, you just have a pair of transformations that are inverse to each other.
In order to turn RSA into an encryption mechanism, it is necessary to choose the numbers N, d and e carefully so that knowing two of the numbers isn't enough to know the third. N is always public because it leaks through use anyway. If the knowledge of e isn't sufficient to find d, then d can be a private key and e can be a public key. If the knowledge of d isn't sufficient to find e, then e can be a private key and d can be a public key.
All common cryptosystems based on RSA use the same core rules to generate keys. They first construct N (as the product of two probable primes), then pick a fixed, small e, and calculate d. (There are additional verifications to perform which I won't get into as they are not relevant here.) It's easy to calculate d if you know the two primes that N is the product of, but it's infeasible if you only know N, which is why d can be a private key. It's trivial to find e since it's a fixed, small number (usually 3 or 65537).
It would be possible to use a different key generation process where e is a random large number. If d and e are chosen carefully then it is infeasible both to calculate e from d or to calculate d from e. (N is still public.) This yields a cryptosystem which is asymmetric, but is not a public-key cryptosystem: there are two private keys (N, d) and (N, e) which are inverses of each other, such that it's impossible to calculate either key from the other one. But there isn't much you can do with this that you can't do with the normal RSA. So you won't find many implementations of it. And even if you did, you'd still need to actually find a use for it.
Furthermore, implementations of RSA cryptosystems don't actually use private keys that have the same mathematical shape as public keys. The public key is always the numbers N and e. But the private key is often represented not using the number d such that (Ad)e = A mod N. Instead, it's represented as the two primes P and Q such that N = P × Q plus some other numbers that are calculated during the key generation process. This representation allows (Ad) to be calculated faster using mathematical properties resulting from the Chinese remainder theorem, so it's known as the CRT representation of an RSA private key. The CRT representation always allows e to be recovered, so it is fundamentally asymmetric. Whichever side knows the CRT representation knows both their private key and the other key.
The fact that the core of RSA involves two mathematical objects that happen to be interchangeable from a mathematical perspective is a bit of mathematical curios that has little relevance for cryptography. It's an oddity in the world of public-key cryptosystems. In most public-key cryptosystems, the private key and the public key are different kinds of mathematical objects. For example, Diffie-Hellman and DSA are both based on the discrete logarithm problem, where the private key is a number x and the public key is g*x for some g. The numbers x and g*x are in different ranges. In their elliptic curve variants ECDH and ECDSA, x is an integer but g and g*x aren't even numbers, they're points on a curve. Even for RSA, we've seen above that the private key is usually not the same kind of object as the public key. So the public key and the private key are not interchangeable from a mathematical perspective: you simply cannot perform a public-key calculation with a private key or vice versa.
- 51,415
- 13
- 121
- 180