Develop Reference

RSA/ECB/PKCS1 Padding & AES/CBC/PKCS5Padding Encryption / Decryption

I have an API to call where I have to encrypt my data using RSA/ECB/PKCS1 Padding & AES/CBC/PKCS5PADDING.
Sample Data: {"KEY":"VALUE"}
Step.1:
I have to generate a random number of 16 digit. eg: '1234567890123456'
Step.2:
Do RSA/ECB/PKCS1Padding to random number and base64Encode the result. we get "encrypted_key"
Step.3:
Concatenate random number & data:
DATA = 1234567890123456{"KEY":"VALUE"}
Step.4:
Do AES/CBC/PKCS5Padding on DATA (from Step 3) using random number(1234567890123456) as KEY & Base64Encoded random number as IV. we get "ENCRYPTED_DATA"
So, for Step 1 I am using JSEncrypt javascript library.
for Step 4 I am using CrytoJS.AES.encrypt() function. I am pretty sure that my JSEncrypt function is running fine as the client is able to decrypt it but client is not able to decrypt my data. I feel that I am making a mistake while using CryptoJS.
Can someone guide me properly on how to use the library.
What I am doing is:
KEY = '1234567890123456'
IV = MTIzNDU2Nzg5MDEyMzQ1Ng== (result of btoa('1234567890123456') )
DATA = "1234567890123456{"KEY":"VAL"}"
cryptedData = Crypto.AES.encrypt(DATA, KEY, {iv: IV, mode: CryptoJS.mode.CBC,padding:CryptoJS.pad.Pkcs7})
I am told to use PKCS5Padding in AES/CBC Encryption ( Step 4 ) but it seems that AES does not support PKCS5Padding but PKCS7Padding.
I think I am making a mistake in the way I am passing KEY & IV to CryptoJS.
Any help will be greatly appreciated.

For the start lets see why are you doing the exercise. RSA is intended to encode only limited amout of data. So we use "hybrid encryption", where the data are encrypted using a symmetric cipher with a random key and the key itself is encrypted using RSA
Encryption works on binary data, to safely transmit binary data, the data are encoded to printable form (hex or base64)
Step.1: I have to generate a random number of 16 digit
What we see is 16 digits 0-9. That's not really safe. Generating 16 digits you will get a key of 10^16, which is equals of approx 2^53 (if I did the math wrong, please comment).
You need to generate 16 random bytes (digits 0-256 resulting in 2^128 key). That is your DEK (data encryption key).
You may encode the DEK to be in printable form, in hexadecimal encoding it will have 32 characters.
Step.2:
ok, you now get encrypted encoded_encryption_key
Step 3, Step 4
And here you should understand what are you doing.
encrypt DATA using DEK ( not encoded random number in binary form), you will get encrypted_data. You can encode the result to encoded_encrypted_data
concatenate the encrypted key and encrypted data. It. is up to you to choose if you encode it before or after encoding. I suggest you make concatenation of encoded_encryption_key and encoded_encrypted_data with some separator, because if RSA key length changes, the length of encoded_encryption_key changes too
Make sure to discuss with the client what format is expected exactly.
Notes:
IV needs to be 16 bytes long for AES and for CryptoJS I believe it needs to be Hex encoded, so using btoa may not be the best idea. I believe the CryptoJS just trims the value to 16 bytes, but formally it is not correct.
CBC cipher needs some sort of integrity check, I suggest to add some HMAC or signature to the result (otherwise someone could change the ciphertext without you being able to detect the tamper)
but it seems that AES does not support PKCS5Padding but PKCS7Padding.
Indeed AES supports Pkcs7. Pkcs5 is functionally the same, but defined on 64 blocks. The designation is still used in Java as heritage from DES encryption.

Should changing a few characters in a private key meaningfully change it?

so we have a private key used to sign requests which are later decrypted using the public key. I was messing around with it and replaced a few characters in it, say changing 'wnoy' to 'xxyy'
I suspected this would essentially change the key and the decryption fail as a result but this wasn't the case. Are the changes simply too small to result in a meaningful change to the key?
Thank you!

Any change to the modulus, exponent or CRT parameters that are used during calculation will result in failure of the algorithm to produce a correct signature or in failure during decryption (most likely producing a padding error).
However, because an RSA private key is not just a single number it is commonly saved in a PKCS#1 defined ASN.1 / DER encoded structure. Now it depends on what you change of this structure if the private key is damaged enough or not. The encoding of this structure (if it is a PEM private key) may also play a role.
Most likely you have changed the public or private exponent while the RSA CRT parameters are being used in the calculation (either the private exponent or CRT parameters are used for the calculations). In that case the calculation will proceed as normal. You would have about 256 bytes that can be changed without causing a problem for a 2048 bit key.
The slower "plain" RSA calculation uses the private exponent, which means that any change to the CRT parameters will go unnoticed (unless the structure doesn't parse anymore). For a 2048 bit key you would very likely have over 5 x 128 bytes that can be changed without causing a problem!
From PKCS#1:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER, -- (inverse of q) mod p
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
here the CRT (Chinese Remainder Theorem) parameters are the prime1, prime2, exponent1, exponent2 and finally coefficient parameters.

D/DP/DQ Parameters in RSA Cryptography

I see some parameters in RSA cryptography such as D / DP/ DQ P and Q what this parameters really do is it some kind of padding for the cipher text?

These parameters are used to speed up the private key operations using the Chinese remainder theorem.
The wikipedia article on RSA describes how this is done.

What is the difference between DSA and RSA?

It appears they are both encryption algorithms that require public and private keys. Why would I pick one versus the other to provide encryption in my client server application?

Check AVA's answer below.
My old answer seems wrong

Referring, https://web.archive.org/web/20140212143556/http://courses.cs.tamu.edu:80/pooch/665_spring2008/Australian-sec-2006/less19.html
RSA
RSA encryption and decryption are commutative
hence it may be used directly as a digital signature scheme
given an RSA scheme {(e,R), (d,p,q)}
to sign a message M, compute:
S = M power d (mod R)
to verify a signature, compute:
M = S power e(mod R) = M power e.d(mod R) = M(mod R)
RSA can be used both for encryption and digital signatures,
simply by reversing the order in which the exponents are used:
the secret exponent (d) to create the signature, the public exponent (e)
for anyone to verify the signature. Everything else is identical.
DSA (Digital Signature Algorithm)
DSA is a variant on the ElGamal and Schnorr algorithms.
It creates a 320 bit signature, but with 512-1024 bit security
again rests on difficulty of computing discrete logarithms
has been quite widely accepted.
DSA Key Generation
firstly shared global public key values (p,q,g) are chosen:
choose a large prime p = 2 power L
where L= 512 to 1024 bits and is a multiple of 64
choose q, a 160 bit prime factor of p-1
choose g = h power (p-1)/q
for any h<p-1, h(p-1)/q(mod p)>1
then each user chooses a private key and computes their public key:
choose x<q
compute y = g power x(mod p)
DSA key generation is related to, but somewhat more complex than El Gamal.
Mostly because of the use of the secondary 160-bit modulus q used to help
speed up calculations and reduce the size of the resulting signature.
DSA Signature Creation and Verification
to sign a message M
generate random signature key k, k<q
compute
r = (g power k(mod p))(mod q)
s = k-1.SHA(M)+ x.r (mod q)
send signature (r,s) with message
to verify a signature, compute:
w = s-1(mod q)
u1= (SHA(M).w)(mod q)
u2= r.w(mod q)
v = (g power u1.y power u2(mod p))(mod q)
if v=r then the signature is verified
Signature creation is again similar to ElGamal with the use of a
per message temporary signature key k, but doing calc first mod p,
then mod q to reduce the size of the result. Note that the use of
the hash function SHA is explicit here. Verification also consists of
comparing two computations, again being a bit more complex than,
but related to El Gamal.
Note that nearly all the calculations are mod q, and
hence are much faster.
But, In contrast to RSA, DSA can be used only for digital signatures
DSA Security
The presence of a subliminal channel exists in many schemes (any that need a random number to be chosen), not just DSA. It emphasises the need for "system security", not just a good algorithm.

Btw, you cannot encrypt with DSA, only sign. Although they are mathematically equivalent (more or less) you cannot use DSA in practice as an encryption scheme, only as a digital signature scheme.

With reference to man ssh-keygen, the length of a DSA key is restricted to exactly 1024 bit to remain compliant with NIST's FIPS 186-2. Nonetheless, longer DSA keys are theoretically possible; FIPS 186-3 explicitly allows them. Furthermore, security is no longer guaranteed with 1024 bit long RSA or DSA keys.
In conclusion, a 2048 bit RSA key is currently the best choice.
MORE PRECAUTIONS TO TAKE
Establishing a secure SSH connection entails more than selecting safe encryption key pair technology. In view of Edward Snowden's NSA revelations, one has to be even more vigilant than what previously was deemed sufficient.
To name just one example, using a safe key exchange algorithm is equally important. Here is a nice overview of current best SSH hardening practices.

And in addition to the above nice answers.
DSA uses Discrete logarithm.
RSA uses Integer Factorization.
RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman.

What is DES-X?

What is DES-X?
And
DES-X and DES, are they backwards compatible?

Well, DES-X is a variant of the DES block cipher (as I'm sure you already knew).
The reason for the introduction of the DES-X was an attempt to increase the security of the original DES algorithm (which was limited to a 56bit key). The proposed solution with DEX-X was to use two more 64-bit keys which would be applied to make it harder for an attacker to guess the key of the DES algorithm. Basically, the first additional key is XORed to the plain text which is then encrypted with DES. The second additional key is XORed to the resulting cypher.
However, as far the backwards compatibility.. I'm not sure what you mean by that? If you're asking if you can use DES to decrypt DES-X messages then NO (it the strict sense). If you're asking whether a DES-X implementation could be configured to encrypt/decrypt DES messages then the answer is YES.
Here's an example:
DES(msg) = CYPHER
DES-X(msg) = K2 X DES(K1 x msg) = CYPER-X
If you choose K2 and K1 to be the all 0 then:
DES-x(msg) = K2 x DES(K1 x msg) [where K1 = 0, K2 =0] = DES(msg)
It should be pointed out that what I mean by making K1 and K2 0 is actually choosing a key which is 64 bits of 0 = {0,0,0,0,0...0} (64 times). Such a key does not modify the plaintext of the cypher at all when the XOR operation is applied.

DES and DES-X are both block ciphers.
See http://en.wikipedia.org/wiki/DES-X
for more details. In short, DES-X adds key whitening.

Here's the wikipedia article on DES-X. DES-X increases the key size by appending XOR'd versions of the key before and after the encryption.

The summary of this paper says that DES-X is "compatible." However, I'm not sure if that includes backwards-compatibility.
http://www.cs.ucdavis.edu/~rogaway/papers/cryptobytes.ps