| |
 |
|
|
Science Forum Index » Cryptography Forum » RSA ecnryption confusion...
Page 1 of 3 Goto page 1, 2, 3 Next
|
| Author |
Message |
| Albert... |
 Posted: Thu May 08, 2008 9:01 am |
|
|
|
Guest
|
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
First of all is this secure?
The second question has to do with the way the RSA provider is
implemented in .NET. It has 8 parameters and my understanding is as
follow:
Modulus - needed for encryption and decryption
Exponent - needed for encryption
P - internal to algorithm
Q - internal to algorithm
DP - internal to algorithm - calculated
DQ - internal to algorithm calculated
InverseQ - internal to algorithm - calculated
D - needed for decryption
What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
From my understanding that's not possible, however the RSA provider
gives an error if the Exponent is not provided when
decrypting...although it's not needed.
Any suggestion/comments?
Thanx in advance,
Albert |
|
|
| Back to top |
|
| Kristian Gjøsteen... |
| Posted: Thu May 08, 2008 9:49 am |
|
|
|
Guest
|
Albert <Albert.Tollkuci at (no spam) gmail.com> wrote:
Quote: I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Most likely, you want digital signatures. Look it up.
--
Kristian Gjøsteen |
|
|
| Back to top |
|
| H.K. Kingston-Smith... |
| Posted: Thu May 08, 2008 12:40 pm |
|
|
|
Guest
|
On Thu, 08 May 2008 12:01:27 -0700, Albert wrote:
Quote: I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Is it not the case that both RSA keys can be used for encryption
or decryption? That is, is it not true that something encrypted with a
given RSA private key can only be decrypted with its corresponding public
key, and something encrypted with a given public key can only be
decrypted with its corresponding private key? |
|
|
| Back to top |
|
| David Eather... |
| Posted: Thu May 08, 2008 8:42 pm |
|
|
|
Guest
|
H.K. Kingston-Smith wrote:
Quote: On Thu, 08 May 2008 12:01:27 -0700, Albert wrote:
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Is it not the case that both RSA keys can be used for encryption
or decryption? That is, is it not true that something encrypted with a
given RSA private key can only be decrypted with its corresponding public
key, and something encrypted with a given public key can only be
decrypted with its corresponding private key?
Correct. |
|
|
| Back to top |
|
| Joseph Ashwood... |
| Posted: Thu May 08, 2008 10:25 pm |
|
|
|
Guest
|
"Albert" <Albert.Tollkuci at (no spam) gmail.com> wrote in message
news:4a800fec-edb4-40d4-a996-387198fb447b at (no spam) 8g2000hse.googlegroups.com...
Quote: Any suggestion/comments?
This seems to be an implementation issue. It sounds to me like you are
trying to use the wrong tool. Like Kistian said you are probably looking for
digital signatures. But in case you are actually looking for encryption I
would suggest instead looking for formats and processes, for example OpenPGP
formatting. The basic idea is that RSA itself should never be used directly
for encrypting a message.
Each user has their own public/private key pair, for example Alice_public
and Alice_private
A pair of random symmetric key is chosen, call this K (K_1 and K_2 for the
message step)
K is encrypted to each user seperately
Encrypt and MAC the message with K
Format the message something like
Alice = RSA_OAEP_Encrypt(Alice_public, K)
Bob = RSA_OAEP_Encrypt(Bob_public, K)
Charles = RSA_OAEP_Encrypt(Charles_public, K)
David = RSA_OAEP_Encrypt(David_public, K)
....
Data = AES_CBC_Encrypt_and_MAC(Message, K)
Exact formatting can be done any convenient way.
This has many additional security features for the system, including the
ability to add/remove/replace/revoke/reissue any user's key pair.
This also removes the necessity of keeping the encryption key protected.
I would also first look at what the actual intention of the encryption
operation is, it is likely that the intention is different from the reality.
Joe |
|
|
| Back to top |
|
| Pubkeybreaker... |
| Posted: Fri May 09, 2008 2:00 am |
|
|
|
Guest
|
On May 8, 3:01 pm, Albert <Albert.Tollk... at (no spam) gmail.com> wrote:
Quote: I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Impossible. Once someone has the private key, they can both
encrypt and decrypt. It is impossible to "keep private" the public
key
since it is trivially constructible from the private key.
Quote: First of all is this secure?
Trivially insecure.
Quote: What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes. |
|
|
| Back to top |
|
| Albert... |
| Posted: Fri May 09, 2008 5:56 am |
|
|
|
Guest
|
On May 9, 2:41 pm, Ertugrul Söylemez <e... at (no spam) ertes.de> wrote:
Quote: Pubkeybreaker <pubkeybrea... at (no spam) aol.com> wrote:
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key
(so other can decrypt) and keep private the public key (so only me
can encrypt).
Impossible. Once someone has the private key, they can both encrypt
and decrypt. It is impossible to "keep private" the public key since
it is trivially constructible from the private key.
Very well possible, if the public key doesn't follow a known pattern.
Less efficient, though.
What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes.
With most implementations, but if he implements RSA himself, he could
select one exponent randomly (instead of a fixed one, as most
implementations do it), and calculate the other from it.
Regards,
Ertugrul.
--http://ertes.de/
Thanx Ertugurl, finally someone who really understand ecnryption. This
is exactly what I thought, but seeing a lot of people opposing it I
started to doubt myself.
Probably I will not use RSA directly as suggested by Joe, but the
important thing is to exactly understand what's going on behind the
scenes.
This question convinced me for 2 things:
- A lot of people claim to have knowledge on ecnryption but they know
only the surface of it...ecnrypt this, sign this other, etc...but do
not really know what's going on...and most of the material found in
net is not good.
- Very similar to this case is TCP/IP and routing. There are like
thousand of tools and protocols and standards and commands and all
this shit that are based on a very simple concept of TCP/IP packets
and knowledge of binary numbers. And there are millions of admins that
do not understand them... |
|
|
| Back to top |
|
| Ertugrul Söylemez... |
| Posted: Fri May 09, 2008 7:41 am |
|
|
|
Guest
|
Pubkeybreaker <pubkeybreaker at (no spam) aol.com> wrote:
Quote: I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key
(so other can decrypt) and keep private the public key (so only me
can encrypt).
Impossible. Once someone has the private key, they can both encrypt
and decrypt. It is impossible to "keep private" the public key since
it is trivially constructible from the private key.
Very well possible, if the public key doesn't follow a known pattern.
Less efficient, though.
Quote: What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes.
With most implementations, but if he implements RSA himself, he could
select one exponent randomly (instead of a fixed one, as most
implementations do it), and calculate the other from it.
Regards,
Ertugrul.
--
http://ertes.de/ |
|
|
| Back to top |
|
| Ertugrul Söylemez... |
| Posted: Fri May 09, 2008 11:16 am |
|
|
|
Guest
|
Albert <Albert.Tollkuci at (no spam) gmail.com> wrote:
Quote: I'm trying to use RSA algorithm in .NET. My needs are somehow
the inverse of the normal usage. I want to distribute the
private key (so other can decrypt) and keep private the public
key (so only me can encrypt).
Impossible. Â Once someone has the private key, they can both
encrypt and decrypt. Â It is impossible to "keep private" the
public key since it is trivially constructible from the private
key.
Very well possible, if the public key doesn't follow a known
pattern. Less efficient, though.
What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes.
With most implementations, but if he implements RSA himself, he
could select one exponent randomly (instead of a fixed one, as most
implementations do it), and calculate the other from it.
Thanx Ertugurl, finally someone who really understand ecnryption. This
is exactly what I thought, but seeing a lot of people opposing it I
started to doubt myself.
I wouldn't say that I understand encryption any better than
Pubkeybreaker does. Most likely it's the other way round, but he may
have typed too quickly, or assumed a particular implementation, in which
case, he would be wrong, and I just tried to resolve that
misunderstanding.
Quote: Probably I will not use RSA directly as suggested by Joe, but the
important thing is to exactly understand what's going on behind the
scenes.
This question convinced me for 2 things:
- A lot of people claim to have knowledge on ecnryption but they know
only the surface of it...ecnrypt this, sign this other, etc...but do
not really know what's going on...and most of the material found in
net is not good.
I can't confirm that. A lot of people here on sci.crypt (most notably
those with the lower posting rate) are very knowledgable, but I'm rather
seeing a lust for formality here. If you're not totally precise, you'll
get bad answers, or sometimes even rants.
That often leads to misunderstandings here.
Quote: - Very similar to this case is TCP/IP and routing. There are like
thousand of tools and protocols and standards and commands and all
this shit that are based on a very simple concept of TCP/IP packets
and knowledge of binary numbers. And there are millions of admins that
do not understand them...
Administrators don't need to know everything in that detail, though it's
truely a virtue for them, if they do.
Regards,
Ertugrul.
--
http://ertes.de/ |
|
|
| Back to top |
|
| Thomas Pornin... |
| Posted: Fri May 09, 2008 12:30 pm |
|
|
|
Guest
|
According to Albert <Albert.Tollkuci at (no spam) gmail.com>:
Quote: Thanx Ertugurl, finally someone who really understand ecnryption. This
is exactly what I thought, but seeing a lot of people opposing it I
started to doubt myself.
The human being who sometimes post here under the pseudonym of
"Pubkeybreaker" happens to be one of the top experts on RSA on this
planet. This means that his counsel should not be dismissed so easily.
If you have the impression either him or you did not fully understand
RSA, then it is most probably you.
"RSA" is a catch-all name which describes several things:
-- A mathematical mechanism which is usually described as a
"trapdoor permutation".
-- An asymmetric encryption protocol.
-- A digital signature protocol.
The core operation of RSA is the following: there is a (usually) big
integer, denoted "n", which is not prime. There are also two other
integers, "d" and "e", which are so that for all integers x between 0
(inclusive) and n (exclusive) then (x^e)^d = x mod n.
This function which, from x, computes x^e mod n is thus a permutation of
the space of integers from 0 to n-1. The inverse permutation is the
function which computes y^d mod n from y.
We call this a "trapdoor" permutation because computing x^e mod n
requires only knowledge of x, n and e; there is no need to know d.
Moreover, provided that some conditions are met (explained below), then
it is not feasible to compute the inverse permutation with only the
knowledge of n and e (i.e., given n, e and y^e mod n, nobody knows how
to compute y).
The conditions for RSA to be a trapdoor permutation (i.e. to realize
that infeasibility) are roughly the following:
-- The prime factors of n are not known by those who must not know the
trapdoor (i.e. those people for which computing the inverse permutation
is infeasible). In particular, this means that n must have been chosen
randomly "with sufficient uniformity" among the set of composite
integers which are the product of at least two large enough prime
numbers. Here, "large enough" means "at least 512 bits" and "with
sufficient uniformity" means that a great number of primes were usable.
A proper modulus generation procedure is no easy task; many real-life
systems were broken due to a suboptimal random choice.
-- e must be such that there exist no matching value of d which is small.
Note that for given values of n and e, there are several values of d
which realize the "(x^e)^d = x mod n" property. The precise notion of
"small" is not known, but attacks have been found when the length of
d is less than the third of the length of n. To be on the safe side,
the length of d is usually roughly equal to that of n.
-- The input values x must be part of a space which is not "too
special". It is not easy to characterize that property; a first easy
remark is that if the space is too small then it can be search
exhaustively. In plain words, if you use the trapdoor permutation as a
rough encryption function, and you encrypt either "yes" or "no", then an
attacker would just have to encrypt "yes" and "no" himself, and see
which encrypted word matches what was sent.
Hence, that RSA is a trapdoor permutation does not immediately turn
it into an encryption scheme. The RSA _encryption algorithm_ is
specified in PKCS#1, and it has the following properties:
-- There is a padding scheme, which transforms input _messages_ (i.e.
sequence of bytes with a given maximum size) into input _integers_ (the
"x" value above). That padding scheme includes a number of random bytes,
which makes the space of input values "unspecial enough" for security to
be achieved. A consequence is that two encryptions of the same input
message with the same n and e may not yield the same output integers.
-- The "private key" is defined as containing not only "d" but also
the prime factors of n, because using them allows for a roughly
four times faster decryption.
-- The "public key" is defined to be the n and e integers, and it so
happens that e can be chosen to be quite short, since it is public
anyway, and short exponents are better for performance.
Now you may try to use the trapdoor permutation "in reverse", i.e. have
someone _first_ compute the inverse permutation (with knowledge of d)
then publish it and have other people (using only n and e) perform the
reverse operation. This is the basis of RSA signatures, also described
in PKCS#1. There again, there is some difference between a mathematic
trapdoor permutation, and a cryptographic protocol which implements
digital signatures with security properties usually expected of digital
signatures. In particular, a padding scheme must be defined (_not_ the
same than for encryption, because needs are different). As was the case
for encryption, many early designs and systems were broken due to the
use of padding schemes which were not "good enough" (some did not use
any padding at all...).
If you want to use RSA "in reverse" then most probably you want RSA
signatures, and thirty years of research on that subject have shown that
transforming the RSA trapdoor permutation into a signature scheme with
adequate security is _not_ a trivial operation. Stick to PKCS#1 and you
will live longer and happier.
Otherwise, you _might_ have a novel idea on RSA for a usage mode which
is not a degenerate case of asymmetric encryption or signature. Which
would somehow make you one of the top experts on cryptography since many
have looked for novel usages of RSA, and failed, for the last few
decades. Chances are, however, that what you think about is no more than
some homemade degenerate signature scheme, and probably insecure since
designing a signature scheme is not an easy task. You would not be the
first to try, even in this very newsgroup sci.crypt.
--Thomas Pornin |
|
|
| Back to top |
|
| Albert... |
| Posted: Sat May 10, 2008 4:28 am |
|
|
|
Guest
|
On May 9, 7:30 pm, Thomas Pornin <por... at (no spam) bolet.org> wrote:
Quote: According to Albert <Albert.Tollk... at (no spam) gmail.com>:
Thanx Ertugurl, finally someone who really understand ecnryption. This
is exactly what I thought, but seeing a lot of people opposing it I
started to doubt myself.
The human being who sometimes post here under the pseudonym of
"Pubkeybreaker" happens to be one of the top experts on RSA on this
planet. This means that his counsel should not be dismissed so easily.
If you have the impression either him or you did not fully understand
RSA, then it is most probably you.
"RSA" is a catch-all name which describes several things:
-- A mathematical mechanism which is usually described as a
"trapdoor permutation".
-- An asymmetric encryption protocol.
-- A digital signature protocol.
The core operation of RSA is the following: there is a (usually) big
integer, denoted "n", which is not prime. There are also two other
integers, "d" and "e", which are so that for all integers x between 0
(inclusive) and n (exclusive) then (x^e)^d = x mod n.
This function which, from x, computes x^e mod n is thus a permutation of
the space of integers from 0 to n-1. The inverse permutation is the
function which computes y^d mod n from y.
We call this a "trapdoor" permutation because computing x^e mod n
requires only knowledge of x, n and e; there is no need to know d.
Moreover, provided that some conditions are met (explained below), then
it is not feasible to compute the inverse permutation with only the
knowledge of n and e (i.e., given n, e and y^e mod n, nobody knows how
to compute y).
The conditions for RSA to be a trapdoor permutation (i.e. to realize
that infeasibility) are roughly the following:
-- The prime factors of n are not known by those who must not know the
trapdoor (i.e. those people for which computing the inverse permutation
is infeasible). In particular, this means that n must have been chosen
randomly "with sufficient uniformity" among the set of composite
integers which are the product of at least two large enough prime
numbers. Here, "large enough" means "at least 512 bits" and "with
sufficient uniformity" means that a great number of primes were usable.
A proper modulus generation procedure is no easy task; many real-life
systems were broken due to a suboptimal random choice.
-- e must be such that there exist no matching value of d which is small.
Note that for given values of n and e, there are several values of d
which realize the "(x^e)^d = x mod n" property. The precise notion of
"small" is not known, but attacks have been found when the length of
d is less than the third of the length of n. To be on the safe side,
the length of d is usually roughly equal to that of n.
-- The input values x must be part of a space which is not "too
special". It is not easy to characterize that property; a first easy
remark is that if the space is too small then it can be search
exhaustively. In plain words, if you use the trapdoor permutation as a
rough encryption function, and you encrypt either "yes" or "no", then an
attacker would just have to encrypt "yes" and "no" himself, and see
which encrypted word matches what was sent.
Hence, that RSA is a trapdoor permutation does not immediately turn
it into an encryption scheme. The RSA _encryption algorithm_ is
specified in PKCS#1, and it has the following properties:
-- There is a padding scheme, which transforms input _messages_ (i.e.
sequence of bytes with a given maximum size) into input _integers_ (the
"x" value above). That padding scheme includes a number of random bytes,
which makes the space of input values "unspecial enough" for security to
be achieved. A consequence is that two encryptions of the same input
message with the same n and e may not yield the same output integers.
-- The "private key" is defined as containing not only "d" but also
the prime factors of n, because using them allows for a roughly
four times faster decryption.
-- The "public key" is defined to be the n and e integers, and it so
happens that e can be chosen to be quite short, since it is public
anyway, and short exponents are better for performance.
Now you may try to use the trapdoor permutation "in reverse", i.e. have
someone _first_ compute the inverse permutation (with knowledge of d)
then publish it and have other people (using only n and e) perform the
reverse operation. This is the basis of RSA signatures, also described
in PKCS#1. There again, there is some difference between a mathematic
trapdoor permutation, and a cryptographic protocol which implements
digital signatures with security properties usually expected of digital
signatures. In particular, a padding scheme must be defined (_not_ the
same than for encryption, because needs are different). As was the case
for encryption, many early designs and systems were broken due to the
use of padding schemes which were not "good enough" (some did not use
any padding at all...).
If you want to use RSA "in reverse" then most probably you want RSA
signatures, and thirty years of research on that subject have shown that
transforming the RSA trapdoor permutation into a signature scheme with
adequate security is _not_ a trivial operation. Stick to PKCS#1 and you
will live longer and happier.
Otherwise, you _might_ have a novel idea on RSA for a usage mode which
is not a degenerate case of asymmetric encryption or signature. Which
would somehow make you one of the top experts on cryptography since many
have looked for novel usages of RSA, and failed, for the last few
decades. Chances are, however, that what you think about is no more than
some homemade degenerate signature scheme, and probably insecure since
designing a signature scheme is not an easy task. You would not be the
first to try, even in this very newsgroup sci.crypt.
--Thomas Pornin
Thank you Thomas for the elaborate answer. I did not want to say or
imply that Pubkeybreaker is not an expert and for sure I didn't
dismiss his answer.
However I got a lot of answers (not only here) that this is not
possible. I have mainly a mathematical background of RSA and based on
that I didn't understand why it's not possible. From your answer and
some others now I know that it's not a good idea in practice to do it
(for several reasons).
I was mainly interested in understanding the underlying concepts and
the practical implementation issues. Now I will look more into
signatures and PKCS#1.
Thank you again |
|
|
| Back to top |
|
| Peter Fairbrother... |
| Posted: Sat May 10, 2008 6:07 pm |
|
|
|
Guest
|
Pubkeybreaker wrote:
Quote: On May 8, 3:01 pm, Albert <Albert.Tollk... at (no spam) gmail.com> wrote:
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Impossible. Once someone has the private key, they can both
encrypt and decrypt. It is impossible to "keep private" the public
key
Why? Because it's "public"?
Quote: since it is trivially constructible from the private key.
Bollocks (unless the attacker knows the "public" key).
It's the same situation as a RSA signature - keep one key secret, and
let one key be known.
It don't matter what you call them, as long as they are long enough - in
fact the E and D keys are entirely interchangeable, if they are long
enough.
Quote:
First of all is this secure?
Yes, at least as much as RSA is.
Quote: Trivially insecure.
What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes.
No.
Not without knowing the factorisation of N (absent some other
maybe-attacks we don't know about on RSA).
If an attacker knows or can guess both keys then you are screwed -
otherwise, if he only knows one and can't guess the second, then it's
quantum computing, advances in factorisation, etc.
-- Peter Fairbrother |
|
|
| Back to top |
|
| David Eather... |
| Posted: Sat May 10, 2008 8:23 pm |
|
|
|
Guest
|
Peter Fairbrother wrote:
Quote: Pubkeybreaker wrote:
On May 8, 3:01 pm, Albert <Albert.Tollk... at (no spam) gmail.com> wrote:
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Impossible. Once someone has the private key, they can both
encrypt and decrypt. It is impossible to "keep private" the public
key
Why? Because it's "public"?
since it is trivially constructible from the private key.
Bollocks (unless the attacker knows the "public" key).
I'm thinking you made a mistake here. Typo perhaps?
Quote:
It's the same situation as a RSA signature - keep one key secret, and
let one key be known.
It don't matter what you call them, as long as they are long enough - in
fact the E and D keys are entirely interchangeable, if they are long
enough.
First of all is this secure?
Yes, at least as much as RSA is.
Trivially insecure.
What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes.
No.
Not without knowing the factorisation of N (absent some other
maybe-attacks we don't know about on RSA).
If an attacker knows or can guess both keys then you are screwed -
otherwise, if he only knows one and can't guess the second, then it's
quantum computing, advances in factorisation, etc.
-- Peter Fairbrother |
|
|
| Back to top |
|
| Tim Smith... |
| Posted: Sat May 10, 2008 10:04 pm |
|
|
|
Guest
|
In article <48262ab6$0$2477$da0feed9 at (no spam) news.zen.co.uk>,
Peter Fairbrother <zenadsl6186 at (no spam) zen.co.uk> wrote:
Quote: Pubkeybreaker wrote:
On May 8, 3:01 pm, Albert <Albert.Tollk... at (no spam) gmail.com> wrote:
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Impossible. Once someone has the private key, they can both
encrypt and decrypt. It is impossible to "keep private" the public
key
Why? Because it's "public"?
since it is trivially constructible from the private key.
Bollocks (unless the attacker knows the "public" key).
It's the same situation as a RSA signature - keep one key secret, and
let one key be known.
It don't matter what you call them, as long as they are long enough - in
fact the E and D keys are entirely interchangeable, if they are long
enough.
Careful. Mr. Silverman is sometimes obnoxious, but he is almost never
wrong when it comes to the mathematics of RSA. Thus, when it *appears*
that he is making a wrong statement--one so wrong that you'd be
surprised if a student made it after the first week of beginning number
theory--it is worth taking a second look.
The original poster is NOT talking about using "pure" RSA. He's using
whatever form of RSA that the .NET libraries provide.
In "pure" RSA, the public key would just be (E,N), and the encryption
operation is C = M^E mod N, where M is the message text. The private
key would be (D,N), and decryption is M = C^D mod N.
D and E are completely interchangeable, assuming one was generated at
random, and the other was calculated so that DE = 1 mod (P-1)(Q-1),
where P and Q are the prime factors of N.
That's "pure" RSA. But in "practical" RSA, as implemented by various
crypto libraries, there is usually more information in the keys.
For an example of this, take a look at ssh keys. My ssh RSA public key
is about 1/3 the size of my private key, indicating that they are indeed
storing more information in the private key. And the command
"ssh-keygen -y -f private_key_file" will regenerate the public key from
just the private key.
PKCS#1 gives the following suggested representation of private RSA keys:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER, -- (inverse of q) mod p
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
and this for public keys:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
I suspect that Mr. Silverman's answer took into account the fact that
the original poster is using the .NET RSA provider, and he knows that it
is using some form for private keys that does include more than just D
and N.
--
--Tim Smith |
|
|
| Back to top |
|
| Phil Carmody... |
| Posted: Sun May 11, 2008 4:26 am |
|
|
|
Guest
|
Peter Fairbrother <zenadsl6186 at (no spam) zen.co.uk> writes:
Quote: Pubkeybreaker wrote:
On May 8, 3:01 pm, Albert <Albert.Tollk... at (no spam) gmail.com> wrote:
I'm trying to use RSA algorithm in .NET. My needs are somehow the
inverse of the normal usage. I want to distribute the private key (so
other can decrypt) and keep private the public key (so only me can
encrypt).
Impossible. Once someone has the private key, they can both
encrypt and decrypt. It is impossible to "keep private" the public
key
Why? Because it's "public"?
since it is trivially constructible from the private key.
Bollocks (unless the attacker knows the "public" key).
It's the same situation as a RSA signature - keep one key secret, and
let one key be known.
It don't matter what you call them, as long as they are long enough -
in fact the E and D keys are entirely interchangeable, if they are
long enough.
E and D aren't the public and private keys. They are one
component in the tuples that are the keys.
Robert's simply adopting a pedantically tight, but perfectly
standard (in the literal sense) definition of the keys.
If you want to refer to just D and E, then call them the
private and public exponent. You may then throw around
tautologies such as "if the public and private exponents
are indistinguishable, then, before either has been made
non-secret, they are interchangable". Of course, having
a short exponent for speed makes them distinguishable.
Quote: First of all is this secure?
Yes, at least as much as RSA is.
Trivially insecure.
What I want to do is to keep E private and distribute D. Is it
possible that by having D the users can calculate E?
Yes.
No.
Not without knowing the factorisation of N (absent some other
maybe-attacks we don't know about on RSA).
The private key, as usually formulated in the practical real
world, contains that factorisation. It doesn't theoretically
need to contain that information, but then you'd be needlessly
hampering your implementation efficiency.
You boobed, and got your terms confused. Learn and move on.
Phil
--
Dear aunt, let's set so double the killer delete select all.
-- Microsoft voice recognition live demonstration |
|
|
| Back to top |
|
| |
Page 1 of 3 Goto page 1, 2, 3 Next
All times are GMT - 5 Hours
The time now is Sat May 17, 2008 1:25 am
|
|
