so we have a private key used to sign requests which are later decrypted using the public key. I was messing around with it and replaced a few characters in it, say changing 'wnoy' to 'xxyy'
I suspected this would essentially change the key and the decryption fail as a result but this wasn't the case. Are the changes simply too small to result in a meaningful change to the key?
Thank you!
Any change to the modulus, exponent or CRT parameters that are used during calculation will result in failure of the algorithm to produce a correct signature or in failure during decryption (most likely producing a padding error).
However, because an RSA private key is not just a single number it is commonly saved in a PKCS#1 defined ASN.1 / DER encoded structure. Now it depends on what you change of this structure if the private key is damaged enough or not. The encoding of this structure (if it is a PEM private key) may also play a role.
Most likely you have changed the public or private exponent while the RSA CRT parameters are being used in the calculation (either the private exponent or CRT parameters are used for the calculations). In that case the calculation will proceed as normal. You would have about 256 bytes that can be changed without causing a problem for a 2048 bit key.
The slower "plain" RSA calculation uses the private exponent, which means that any change to the CRT parameters will go unnoticed (unless the structure doesn't parse anymore). For a 2048 bit key you would very likely have over 5 x 128 bytes that can be changed without causing a problem!
From PKCS#1:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER, -- (inverse of q) mod p
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
here the CRT (Chinese Remainder Theorem) parameters are the prime1, prime2, exponent1, exponent2 and finally coefficient parameters.
Related
I'm learning some basic cryptography related programming and I'm now learning diffie-hellman-merkle key exchange. I was watching a video by Computerphile where they explain the mathematics of it.
In the video, they said that you should use n that is 2000 or 4000 bits long. I've seen this key length be discussed as bits in several other places, like with AES. But I don't understand what "length in bits" means. What does it mean to have a key that is 2000 bits long, so if I need to write a program that creates or uses keys that are of certain length, what would I need to do?
If you need to write a program that creates keys of a certain length, you pass the desired key length to the program. You need to know in which unit the length is expressed (for example, some interfaces might require bytes rather than bits), but you usually don't need to know what the key length means under the hood.
The concrete meaning of the key length depends on the cryptographic scheme, and for some schemes, there can be an ambiguity as to what the “key length” is. It's typically one of three things:
The length of a string that is associated with the algorithm, such as a key.
A number n such that an integer parameter of the algorithm is picked between 2^(n-1) and (2^n)-1.
A number n such that an integer parameter of the algorithm is picked between 1 (or some other small bound) and (2^n)-1.
Both of the last two cases are called “n-bit numbers”. In cryptography, “n-bit number” sometimes means a number that can be written with n digits in base 2, and sometimes a number which requires exactly n digits in base 2. In other words, “n-bit number” sometimes means a number whose bit-size is exactly n, and sometimes a number whose bit-size is at most n. You have to check the exact requirement in the description of each cryptographic scheme.
Depending on the cryptographic scheme, a different number is conventionally chosen as the “key length”. For any specific scheme, a larger key length is harder to break, but you can't compare key lengths between different schemes.
For most symmetric schemes, the key is a randomly generated string (each bit of the string has an independent ½ chance of being 0 or 1), and the length is the number of bits of the string. For example, AES-128 is AES using a 128-bit (16-byte) key. There is only one exception worth mentioning: DES keys are expressed as 64-bit strings, but only 56 of those bits are random (the other 8 are calculated from the random 56), and so DES is sometimes considered to have a “56-bit” key length and sometimes a “64-bit” key length.
For Diffie-Hellman, the key length n is the exact size of the group (conventionally written p). Both the private key and the public key are numbers between 1 and p, so they're at-most n-bit numbers. This is as simple as it goes in terms of key length for asymmetric cryptography.
For RSA, the key length n is the exact size of the modulus, which is one part of the public key (the public key is a pair of numbers: the modulus and the public exponent). For example, 4096-bit RSA means that the modulus is between 2^4095 and 2^4096-1. The private key is also an n-bit number, but in the at-most sense.
For DSA, there are two numbers that can be called the key length, because the private key and the public key are chosen in intervals that have different sizes. The public key length is the size of the larger prime p; the public key is a number between 2 and p-2. The private key length is the size of the smaller prime q; the private key is a number between 1 and q-1.
For elliptic curve cryptography, the domain parameters of the algorithm are called a curve: a set of points, and a parametrization of this set of points. A private key is a parameter value that designates a point on the curve, and a public key is a pair of integers that are the coordinates of a point on the curve. In general, since the private key and the public key live in different mathematical spaces, there are two numbers that could be called the “key size”. A private key is a number between 1 and n-1 for some m-bit number n, and a public key is a point with two coordinates, each of which are between 0 and q for some ℓ-bit number q. In general, m and ℓ don't have to be equal. However, n and q are usually close (if they aren't, it's a waste of performance for a given security level), and so m and ℓ are usually equal and can be called the “key length” without ambiguity.
Every bit can be either 1 or 0. It's the basic unit in the digital world. As you may know, all that is digital end up being either 1 or 0. Each 1 and 0 is a bit.
So something of length n bits means that it has n 1s and 0s.
The question is why signatureValue is so big if it is based on hashes?
Suppose Signature Algorithm is sha256RSA.
Shouldn't it be smaller according following steps:
Calculate SHA256 hash from tbsCertificate. Output => 256 bits.
Sign 256 bits hash with RSA private key. Output => 256 bits?
But if you see the size of the signatureValue, it might have 2048, 4096, [bigger?] bits.
Signature size doesn't depend on hashing algorithm used to hash signed data. It depends on key size only.
The RSA signature is based on modular exponentiation, i.e. sig = m ^ d mod N, where:
m is message to be signed
d private exponent (its size is N / 2, i.e. 1024 bits for RSA 2048).
N modulus
sig signature value
For such a calculation the final result is the remainder of the m ^ d result divided by the modulus (roughly, RSA key size). The m and d are quite large values and when you power one by another, the value will be huge and won't fit even modulus length, this is why last mod operation is used. And you can see, there is no term such as "hash". Sometimes (when very small values are used), resulting value size can be less than modulus size. In such cases, signature value is padded to match the modulus length.
From raw signature you can infer RSA key size, but can't infer the hash algorithm embedded in signature, this is why signature contains asymmetric algorithm and hash name, such as sha256RSA, otherwise, you will have to store hash algorithm somewhere in message. Since the combination (asymmetric algorithm and hash algorithm) is finite and quite small, it was good enough to assign unique OIDs to such combinations.
I'm trying to solve the following question (see below)
enter image description here
My understanding what in order to go encrypt the plain text (and get the cipher text). I must compute 9^15 mod 2 to get the cipher text? How is the answer 6?
Many thanks in advance!
You are confusing the modulus n and the public key e.
In your case, the RSA modulus is 15 and the public exponent is 2, and, in general, we write the public key is as a tuple (n,e)=(15,2)
now, RSA (textbook) encryption calculated as m^e = mod n; as a result
9^2 = 6 mod 15
see at WolframAlpha
Note: RSA encryption needs padding to be secure against some attacks.
as James noted in the comment, this cannot be RSA.
phi(15) = (3-1)*(5-1) = 8.
The inverse of 2 doesn't exist in mod 8. therefore there is no private key. Interestingly, in this case inverse of 3,5,7 mod 8 are also 3,5,8, respectively.
The 2 suggests that this is actually Rabin Cryptosystem.
By loading a pre-created .key file that includes an RSA Private Key only I noticed, that it contains the following numbers:
Modulus (private modulus)
Exponent (private exponent)
P (prime exponent)
Q (prime exponent)
DP
DQ
InverseQ
I am saving the key file somewhere, where storage is very small (portable). I though of only saving Modulus and Exponent. I understand P,Q and E are necessary to create modulus and exponent, however:
Question:
What is the purpose in saving all this data to a .key file, when PrivateModulus and PrivateExponent are enought to sign and decrypt messages?
Well, you need the public key Modulus and Exponent for encryption and the private key Modulus and D for decryption and signing.
P and Q are probably just added there for safety, since there is no efficient way to reconstruct them from the other given values. So in case your D gets corrupted, you can reconstruct it or if possibly a special implementation requires them for some Math-tricks to optimize the calculations.
The values of DP, DQ and InverseQ are used by some implementations to calculate RSA using the Chinese Remainder Theorem for speeding up the whole process.
DP = D mod (P - 1)
DQ = D mod (Q - 1)
InverseQ = Q^-1 mod (P - 1)
For more information on how that works, best check out this crpypto.stackexchange-question or the Wikipedia-article.
I was wondering:
1) if I compute the digest of some datas with SHA-512 => resulting in a hash of 64 bytes
2) and then I sign this hash with RSA-1024 => so a block of 128 bytes, which is bigger than the 64 bytes of the digest
=> does it mean in the end my signed hash will be exactly 128 bytes?
Thanks a lot for any info.
With RSA, as specified by PKCS#1, the data to be signed is first hashed with a hash function, then the result is padded (a more or less complex operation which transforms the hash result into a modular integer), and then the mathematical operation of RSA is applied on that number. The result is a n-bit integer, where n is the length in bits of the "modulus", usually called "the RSA key size". Basically, for RSA-1024, n is 1024. A 1024-bit integer is encoded as 128 bytes, exactly, as per the encoding method described in PKCS#1 (PKCS#1 is very readable and not too long).
Whether a n-bit RSA key can be used to sign data with a hash function which produces outputs of length m depends on the details of the padding. As the name suggests, padding involves adding some extra data around the hash output, hence n must be greater than m, leaving some room for the extra data. A 1024-bit key can be used with SHA-512 (which produces 512-bit strings). You could not use a 640-bit key with SHA-512 (and you would not, anyway, since 640-bit RSA keys can be broken -- albeit not trivially).