Cryptography-–-RSA-PKI_Blog-banner (1)

Introduction

RSA is a popular and reliable cryptographic algorithm widely used for encrypting and decrypting data. It provides a secure way to send sensitive information over the Internet. The RSA stands for the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman. The algorithm, first presented in their 1977 paper, uses logarithmic functions to maintain working complexity that can withstand brute force while remaining fast post-deployment.

The security of RSA depends upon the practical difficulty of factoring the product of two large prime numbers, which is called the factoring problem. However, RSA is a relatively slow algorithm, and because of this, it is not commonly used to encrypt user data directly. It is more often used to share or transmit shared keys for symmetric key cryptography, which is used for bulk encryption and decryption.

In the previous blogs, we learned about the basics of cryptography and some advanced cryptography techniques as well. Now, let’s discuss RSA PKI in detail.

Understanding Asymmetric – RSA Encryption

The RSA algorithm utilizes private and public keys as a key pair. The private key is kept secret, and only the creator of the key knows about it, while the public key can be shared with everyone. Messages can be encrypted by anyone via the public key and these messages can only be decrypted by someone who knows the private key. The computational complexity makes RSA relatively less efficient and resource-heavy.

The basic principle behind RSA algorithm is that it is practical to find three large positive integers (e, d, n), such that for all integers m (0 ≤ m < n), both (me)d and m have the same remainder when divided by n (they are congruent modulo n):

(me)d ≡ m (mod n)

However, it is difficult to find d when only e and n are given. Here, integers e and n represent the public key, d is the private key, and m is the message. The modular exponentiation of e and d relates to encryption and decryption. Furthermore, since the two exponents can be swapped, the public and private keys can be exchanged as well, allowing the use of the same algorithm for signing and verification.

How it works?

Imagine if (Jana) A wants to send messages to (Amir) B using RSA; then A should know B’s public key for encryption, and B should have their private key to decipher the encrypted message. B can transmit the public keys (n and e) through reliable, although it is not necessary that it needs to be the safest route, as public keys are open to everyone. However, B’s private key need not be distributed.

  1. Encryption

Once A receives the set of B’s public keys, then the message “M” can be sent to B. For this, the message “M” (un-padded plaintext) will be strictly converted into an integer “m” (padded plaintext), using an agreed-upon irreversible protocol called the padding scheme. Now, A will compute the ciphertext “c” using the public key “e” sent by B:

c ≡ me (mod n)

Even if the integers are large, the calculation can be done swiftly using the modular exponentiation. A can transmits “c” to B.

  1. Decryption

B can decipher the message “m” from “c” using the private component of the key set, which is “d”. It can be computed using the following formula:

cd  ≡ (me ) ≡ m (mod n)

Once m is obtained, it is straightforward to get the original message M, by reversing the padding scheme.

What’s in the Keys?

Here’s how a typical RSA private and public key looks like:

Source

Alt text: Representation of private and public keys

To recap:

  • Public Key has the following:
    • n – modulus
    • e – public exponent
  • Private key has the following:
    • n – modulus
    • d – private exponent
    • e – public exponent
    • p – first factor of n
    • q – second factor of n
    • u – (1/p) mod q

The optimal length of an RSA private/public key should be 2048 bits because it assures a decent level of security and doesn’t increase the CPU load much. The length can be increased by 4096 bits, however, it makes the process quite slow.

Encryption, Hashing and Signing

Now, let’s look into how Encryption, Hashing and Signing can be used to securely send a message from one party to another:

  • Sender’s End: (Jana)
    • Encrypt message using receivers Public Key
    • Compute Hash of message
    • Sign the Hash using sender’s Private key
  • Encrypted Message and Signed Hash are sent to the receiver
  • Receiver’s End: (Amir)
    • Get clear Hash using sender’s public key
    • Decrypt message using receiver’s private key
    • Compute Hash of decrypted message and compare with hash got in step 1. If the hashes match, it confirms that the message has not been tampered.

Above process enables us to securely transfer data from Sender to Receiver and also help us to verify that Jana (Sender) was indeed the sender of the image and that receiver got the exact same message, which was sent by Jana.

The Role of Public Key Infrastructure

Public Key Infrastructure (PKI) ensures the secure exchange of data between the user and the devices, maintaining the integrity, confidentiality, and authenticity of the transactions. Hence, the PKI involves a set of software, hardware, policies, processes, and procedures essential to creating, managing, distributing, and revoking digital certificates and public keys.

PKI consists of Certificate Authorities (CAs) and Registration Authorities (RAs). CAs provide the following services:

  • Issuing Digital Certificates
  • Validating Digital Certificates
  • Revoking Digital Certificates
  • Distributing Public Keys

With the increasing use of digital technologies and infrastructure to facilitate payment and other sensitive transactions, the role of PKI is not only limited to isolated systems, like secure email and smart cards for physical access or encrypted web traffic. It has expanded to govern a large number of applications, like maintaining mainstream business applications.

Components of a Digital Certificate

Source

A digital certificate can be considered as an equivalent to an electronic identity card. The certificates serve two purposes: first, to verify the user’s identity and second, to distribute the public key. Here are the components of a digital certificate:

  1. Distinguished Name of the Owner
  2. Public Key of the Owner
  3. Certificate Issue Date
  4. Certificate Expiry Date
  5. Distinguished Name of the Issuing CA
  6. Unique serial number for the certificate

This digital certificate is typically in X.509 format and signed by certificate authority. Common popular certificate authority’s are DigiCert, GoDaddy etc., Each Browser for example has a list of CA’s to be trusted. This forms the basis for HTTPS, which we will discuss in detail in our next blog.

Wrapping up

RSA is one of the oldest cryptography methods that is still in use, and it implements asymmetric encryption, which reduce the chances of intruder attacks. Encryption and decryption of messages without the exchange of keys make it more secure and safe.

In this article, we looked at what is RSA, how it works and PKI.