Public Key Cryptography with RSA

RSA is the most popular public key algorithm currently in use, despite the fact that it was encumbered by patent restrictions until the patent expired in September of 2000. It is named after its creators, Ron Rivest, Adi Shamir, and Leonard Adleman. One of the reasons that it is so popular is because it provides secrecy, authentication, and encryption all in one neat little package.

Unlike Diffie-Hellman and DSA, the RSA algorithm does not require parameters to be generated before keys can be generated, which reduces the work needed to generate keys and to authenticate and encrypt communications. The command-line tool provides three commands for generating, examining, manipulating, and using RSA keys.

OpenSSL's genrsa command is used to generate a new RSA private key. Generation of an RSA private key involves finding two large prime numbers, each approximately half the length of the key. A typical key size for RSA is 1,024 bits. We don't recommend that you use smaller key lengths or key lengths greater than 2,048 bits. By default, the generated private key will be unencrypted, but the command does have the ability to encrypt the resultant key using DES, 3DES, or IDEA.

The rsa command is used to manipulate and examine RSA keys and is the RSA version of the dsa command for DSA keys. It is capable of adding, modifying, and removing the encryption protecting an RSA private key. It is also capable of producing an RSA public key from a private key. The command can also be used to display information about a public or private key.

The rsautl command provides the ability to use an RSA key pair for encryption and signatures. Options are provided for encrypting and decrypting data, as well as for signing and verifying signatures. Remember that signing is normally performed on hashes, so this command is not useful for signing large amounts of data, or even more than 160 bits of data. In general, we do not recommend that you use this command at all for encrypting data. You should use the enc command instead. Additionally, encryption and decryption using RSA is slow, and for that reason, it should not be used on its own. Instead, it is commonly used to encrypt a key for a symmetric cipher.

Examples

The following examples illustrate the use of the RSA commands:

[root@host]# openssl genrsa -out rsaprivatekey.pem -passout pass:trousers -des3 1024

Generates a 1,024-bit RSA private key, encrypts it using 3DES and a password of "trousers", and writes the result to the file rsaprivatekey.pem.

[root@host]# openssl rsa -in rsaprivatekey.pem -passin pass:trousers -pubout -out rsapublickey.pem

Reads an RSA private key from the file rsaprivatekey.pem, decrypts it using the password "trousers", and writes the corresponding public key to the file rsapublickey.pem.

[root@host]# openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in plain.txt -out cipher.txt

Using the RSA public key from the file rsapublickey.pem, the contents of the file plain.txt are encrypted and written to the file cipher.txt.

[root@host]# openssl rsautl -decrypt -inkey rsaprivatekey.pem -in cipher.txt -out plain.txt

Using the RSA private key from the file rsaprivatekey.pem, the contents of the file cipher.txt are decrypted and written to the file plain.txt.

[root@host]# openssl rsautl -sign -inkey rsaprivatekey.pem -in plain.txt -out signature.bin

Using the RSA private key from the file rsaprivatekey.pem, the contents of the file plain.txt are signed, and the signature is written to the file signature.bin.

[root@host]# openssl rsautl -verify -pubin -inkey rsapublickey.pem -in signature.bin -out plain.txt

Using the RSA public key from the file rsapublickey.pem, the signature in the file signature.bin is verified, and the original unsigned data is written out to the file plain.txt.
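The following script is an added example, not from the book, that ties the commands above into the two flows the text recommends: bulk data goes through enc under a random session key that rsautl wraps with the RSA public key, and rsautl signs a hash rather than the file itself. It assumes the openssl CLI is on PATH; the file names, the 2,048-bit key size and the sample message are this example's own choices.

```shell
#!/bin/sh
# Added example (not the book's code). Hybrid encryption plus hash-then-sign
# using genrsa, rsa, rsautl and enc. Works in a throw-away temp directory.
set -eu

hybrid_roundtrip() {
    start=$PWD; work=$(mktemp -d); cd "$work"
    printf 'constructed sample message\n' > plain.txt      # constructed input

    # 1. Key pair. The private key is left unencrypted here so the demo needs
    #    no password; add -des3/-passout as shown in the text for real use.
    openssl genrsa -out rsaprivatekey.pem 2048 2>/dev/null
    openssl rsa -in rsaprivatekey.pem -pubout -out rsapublickey.pem 2>/dev/null

    # 2. Sender: encrypt the data with enc under a fresh AES-256 key and IV,
    #    then RSA-encrypt only the short key material (98 bytes, well inside
    #    the 245-byte PKCS#1 v1.5 limit of a 2048-bit key).
    key=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
    printf '%s\n%s\n' "$key" "$iv" > session.key
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in plain.txt -out cipher.bin
    openssl rsautl -encrypt -pubin -inkey rsapublickey.pem \
        -in session.key -out session.key.rsa 2>/dev/null

    # 3. Recipient: unwrap the session key with the private key, then decrypt.
    openssl rsautl -decrypt -inkey rsaprivatekey.pem \
        -in session.key.rsa -out session.dec 2>/dev/null
    k2=$(sed -n 1p session.dec); iv2=$(sed -n 2p session.dec)
    openssl enc -d -aes-256-cbc -K "$k2" -iv "$iv2" -in cipher.bin -out decrypted.txt
    cmp -s plain.txt decrypted.txt || return 1

    # 4. Sign the hash, not the file: a 32-byte SHA-256 digest goes through
    #    rsautl -sign; -verify recovers the digest, which must equal a fresh one.
    openssl dgst -sha256 -binary plain.txt > digest.bin
    openssl rsautl -sign -inkey rsaprivatekey.pem -in digest.bin -out signature.bin 2>/dev/null
    openssl rsautl -verify -pubin -inkey rsapublickey.pem \
        -in signature.bin -out recovered.bin 2>/dev/null
    cmp -s digest.bin recovered.bin || return 1

    # 5. Altered data hashes differently, so the recovered digest no longer
    #    matches and the signature does not vouch for the altered file.
    printf 'constructed sample message!\n' > altered.txt
    openssl dgst -sha256 -binary altered.txt > altered.bin
    cmp -s altered.bin recovered.bin && return 1

    cd "$start"; rm -rf "$work"
    return 0
}

hybrid_roundtrip && echo "hybrid encrypt/decrypt and hash-then-sign round trips OK"
```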