Key Generation Algorithm
- Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length, e.g. 1024 bits. [See note 1].
- Compute n = pq and (φ) phi = (p-1)(q-1).
- Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1. [See note 2].
- Compute the secret exponent d, 1 < d < phi, such that ed ≡ 1 (mod phi). [See note 3].
- The public key is (n, e) and the private key is (n, d). Keep all the values d, p, q and phi secret.
- n is known as the modulus.
- e is known as the public exponent or encryption exponent or just the exponent.
- d is known as the secret exponent or decryption exponent.
Encryption
Sender A does the following:-- Obtains the recipient B's public key (n, e).
- Represents the plaintext message as a positive integer m [see note 4].
- Computes the ciphertext c = me mod n.
- Sends the ciphertext c to B.
Decryption
Recipient B does the following:-- Uses his private key (n, d) to compute m = cd mod n.
- Extracts the plaintext from the message representative m.
Digital signing
Sender A does the following:-- Creates a message digest of the information to be sent.
- Represents this digest as an integer m between 0 and n-1. [See note 5].
- Uses her private key (n, d) to compute the signature s = md mod n.
- Sends this signature s to the recipient, B.
Signature verification
Recipient B does the following:-- Uses sender A's public key (n, e) to compute integer v = se mod n.
- Extracts the message digest from this integer.
- Independently computes the message digest of the information that has been signed.
- If both message digests are identical, the signature is valid.
Notes on practical applications
- To generate the primes p and q, generate a random number of bit length b/2 where b is the required bit length of n; set the low bit (this ensures the number is odd) and set the two highest bits (this ensures that the high bit of n is also set); check if prime (use the Rabin-Miller test); if not, increment the number by two and check again until you find a prime. This is p. Repeat for q starting with a random integer of length b-b/2. If p
p and q (this only matters if you intend using the CRT form of the private key). In the extremely unlikely event that p = q, check your random number generator. Alternatively, instead of incrementing by 2, just generate another random number each time. There are stricter rules in ANSI X9.31 to produce strong primes and other restrictions on p and q to minimise the possibility of known techniques being used against the algorithm. There is much argument about this topic. It is probably better just to use a longer key length.
- In practice, common choices for e are 3, 17 and 65537 (216+1). These are Fermat primes, sometimes referred to as F0, F2 and F4 respectively (Fx=2^(2^x)+1). They are chosen because they make the modular exponentiation operation faster. Also, having chosen e, it is simpler to test whether gcd(e, p-1)=1 and gcd(e, q-1)=1 while generating and testing the primes in step 1. Values of p or q that fail this test can be rejected there and then. (Even better: if e is prime and greater than 2 then you can do the less-expensive test (p mod e)!=1 instead of gcd(p-1,e)==1.)
- To compute the value for d, use the Extended Euclidean Algorithm to calculate d = e-1 mod phi (this is known as modular inversion).
- When representing the plaintext octets as the representative integer m, it is usual to add random padding characters to make the size of the integer m large and less susceptible to certain types of attack. If m = 0 or 1 or n-1 there is no security as the ciphertext has the same value. For more details on how to represent the plaintext octets as a suitable representative integer m, see PKCS#1 Schemes below or the reference itself [PKCS1]. It is important to make sure that m < n otherwise the algorithm will fail. This is usually done by making sure the first octet of m is equal to 0x00.
- Decryption and signing are identical as far as the mathematics is concerned as both use the private key. Similarly, encryption and verification both use the same mathematical operation with the public key. That is, mathematically, for m < n, m = (me mod n)d mod n = (md mod n)e mod nHowever, note these important differences in implementation:-
- The signature is derived from a message digest of the original information. The recipient will need to follow exactly the same process to derive the message digest, using an identical set of data.
- The recommended methods for deriving the representative integers are different for encryption and signing (encryption involves random padding, but signing uses the same padding each time).
Summary of RSA
- n = pq, where p and q are distinct primes.
- phi, φ = (p-1)(q-1)
- e < n such that gcd(e, phi)=1
- d = e-1 mod phi.
- c = me mod n, 1
- m = cd mod n.
Key length
When we talk about the key length of an RSA key, we are referring to the length of the modulus, n, in bits. The minimum recommended key length for a secure RSA transmission is currently 1024 bits. A key length of 512 bits is now no longer considered secure, although cracking it is still not a trivial task for the likes of you and me. The longer your information is needed to be kept secure, the longer the key you should use. Keep up to date with the latest recommendations in the security journals.There is small one area of confusion in defining the key length. One convention is that the key length is the position of the most significant bit in n that has value '1', where the least significant bit is at position 1. Equivalently, key length = ceiling(log2(n+1)). The other convention, sometimes used, is that the key length is the number of bytes needed to store n multiplied by eight, i.e. ceiling(log256(n+1)).
The key used in the RSA Example paper [KALI93] is an example. In hex form the modulus is
0A 66 79 1D C6 98 81 68 DE 7A B7 74 19 BB 7F B0The most significant byte 0x0A in binary is
C0 01 C6 27 10 27 00 75 14 29 42 E1 9A 8D 8C 51
D0 53 B3 E3 78 2A 1D E5 DC 5A F4 EB E9 94 68 17
01 14 A1 DF E6 7C DC 9A 9A F5 5D 65 56 20 BB AB
00001010'B
. The most significant bit is at position 508, so its key length is 508 bits. On the other hand, this value needs 64 bytes to store it, so the key length could also be referred to by some as 64 x 8 = 512 bits. We prefer the former method. You can get into difficulties with the X9.31 method for signatures if you use the latter convention.
0 comments:
Post a Comment