
Creating RSA keys

RSA is a public-key cryptosystem. Unlike symmetric-key algorithms, it does not require the parties to first exchange a secret key. Each user has a pair of keys: a public key, which others use to encrypt data for that user (or to verify that user's signatures), and a private key, used to decrypt (or to sign). The private key is kept secret while the public key may be widely distributed.

OpenSSL is the tool usually used to create an RSA key pair.

$ openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
............................................++++++
.....++++++
e is 65537 (0x10001)

This command creates a 1024-bit key pair and stores it in a file called key.pem; the file holds the private key, and the public key can be extracted from it (see below). Note that 1024-bit RSA is no longer considered adequate: use at least 2048 bits, which is also the default key size in current OpenSSL releases. The transcript above comes from an older OpenSSL; OpenSSL 3.x writes the key in PKCS#8 form with a -----BEGIN PRIVATE KEY----- header unless you pass -traditional. Let us see the content:

$ cat key.pem 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

If you add the -des, -des3 or -idea option (current releases also accept -aes128, -aes192 and -aes256, which you should prefer over these older ciphers), the private key is encrypted with the chosen cipher and you are asked for a passphrase. Keep in mind that the passphrase is then the only thing protecting the file: a weak one can be brute-forced offline by anybody who obtains a copy of the key.

$ openssl genrsa -des3 -out keydes3.pem 1024
Generating RSA private key, 1024 bit long modulus
..++++++
....................................++++++
e is 65537 (0x10001)
Enter pass phrase for keydes3.pem:
Verifying - Enter pass phrase for keydes3.pem:

Now you have a private key encrypted with Triple DES (DES-EDE3-CBC, as the DEK-Info header below shows) in a file called keydes3.pem:

$ cat keydes3.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,90A0901B038FDB04
...
-----END RSA PRIVATE KEY-----

As a matter of curiosity, the symbols shown during generation indicate its progress. RSA key generation essentially consists of finding two large prime numbers. A . (dot) is printed for each candidate that passed an initial trial-division sieve, a + for each round of the Miller-Rabin primality test the candidate passed, and a newline when a candidate has passed all the rounds (how many depends on the key size).
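To make that trace concrete, here is an added example (not code from the original post) that reproduces the same search in Python: a small-prime sieve first, then Miller-Rabin rounds with random witnesses, recording a . for every candidate that survives the sieve and a + for every round passed. The sieve bound of 2000 and the round count are my own choices; OpenSSL's differ and depend on the key size. It uses Python's random module for the candidates, which is fine for illustrating the algorithm but never acceptable for a real key.

```python
import random

# Trial-division stage: small primes below 2000, built here with a naive sieve.
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def passes_sieve(n):
    """True if no small prime divides n (the candidates genrsa marks with a '.')."""
    return all(n % p for p in SMALL_PRIMES if p < n)


def miller_rabin_round(n, a):
    """One Miller-Rabin round with witness a. False proves n composite;
    True means n survived this round (genrsa prints a '+' for it)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=40, rng=random):
    """Sieve followed by `rounds` Miller-Rabin rounds with random witnesses."""
    if n < 2:
        return False
    if n < 2000:
        return n in SMALL_PRIMES
    if not passes_sieve(n):
        return False
    return all(miller_rabin_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def find_prime(bits, rounds, seed=None):
    """Search random odd candidates with the top bit set until one passes every
    round. Returns (prime, progress) where progress is the '.'/'+' trace that
    genrsa would print for the same search. Python's random module is NOT a
    CSPRNG: this is for illustration only, real key generation needs os.urandom
    or a library that uses it."""
    rng = random.Random(seed)
    progress = []
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if not passes_sieve(cand):
            continue
        progress.append(".")
        for _ in range(rounds):
            if not miller_rabin_round(cand, rng.randrange(2, cand - 1)):
                break
            progress.append("+")
        else:
            return cand, "".join(progress)


if __name__ == "__main__":
    p, trace = find_prime(512, 8)
    print(trace)
    print(hex(p))
```

Candidates that fail the sieve produce no output at all, which is why the dots are much rarer than the number of candidates actually tried; a dot followed by no plus is a candidate that survived the sieve but was caught by the first Miller-Rabin round.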

I have used the .pem extension because PEM is the default format in which the keys are stored: the ASN.1 DER encoding of the key (PKCS#1 RSAPrivateKey for the private key shown above, SubjectPublicKeyInfo for the public key) is base64-encoded and wrapped in header and footer lines. The other common format is raw binary DER, selected with -inform/-outform DER; the NET format that older versions also offered is obsolete.

To output the public part of a private key:

$ openssl rsa -in key.pem -pubout -out pubkey.pem
writing RSA key

This way you get the public key in a file called pubkey.pem:

$ cat pubkey.pem 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGtQRh3WBg1ENpD8QEOGKzUHOv
7Fu9bbDct8dWdCYg5mthFX35XX/gnFrAEmrHpY1/HfZFDkowGUAatxq943o6wBZY
VT8T5whkToH6ragOyM7xr7oDgwnYRDdLMDfXuKC4x04wD1QKO/JGH94dGZB39bNH
G+i4SG60lJNCZdiVtQIDAQAB
-----END PUBLIC KEY-----
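As an added example that is not part of the original post, the following Python decodes pubkey.pem as printed above by hand: it strips the PEM armour, base64-decodes the body, and walks the DER SubjectPublicKeyInfo structure down to the RSAPublicKey SEQUENCE to recover the modulus and the exponent. It uses only the standard library, so the DER walker is the minimal one this structure needs, not a general ASN.1 parser.

```python
import base64
import re

# pubkey.pem exactly as printed on this page, used here as the sample input.
PUBKEY_PEM = """\
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGtQRh3WBg1ENpD8QEOGKzUHOv
7Fu9bbDct8dWdCYg5mthFX35XX/gnFrAEmrHpY1/HfZFDkowGUAatxq943o6wBZY
VT8T5whkToH6ragOyM7xr7oDgwnYRDdLMDfXuKC4x04wD1QKO/JGH94dGZB39bNH
G+i4SG60lJNCZdiVtQIDAQAB
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem, label):
    """Strip the header/footer lines of one PEM block and base64-decode its body."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey."""
    tag, spki, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = der_tlv(spki, 0)
    oid_tag, oid, _ = der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bits, _ = der_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsapub, _ = der_tlv(bits[1:], 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = der_tlv(rsapub, 0)
    tag_e, e_bytes, _ = der_tlv(rsapub, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def public_key_info(pem):
    """Summarise the key: size in bits, public exponent, modulus as hex."""
    n, e = parse_rsa_spki(pem_to_der(pem, "PUBLIC KEY"))
    return {"bits": n.bit_length(), "e": e, "n_hex": "%x" % n}


if __name__ == "__main__":
    print(public_key_info(PUBKEY_PEM))
```

Running it reports a 1024-bit modulus and e = 65537, the same values `openssl rsa -pubin -in pubkey.pem -text -noout` would print. The OID check is the part worth keeping in real code: a PEM block labelled PUBLIC KEY can carry any algorithm, and code that assumes RSA without checking will misinterpret an EC or Ed25519 key.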

If you want to delve into RSA, you might want to view the modulus, the exponents, the two primes and the CRT values:

$ openssl rsa -in keydes3.pem -noout -text
Enter pass phrase for keydes3.pem:
Private-Key: (1024 bit)
modulus:
    00:b0:ec:02:82:c2:c7:db:45:fd:34:df:bc:6a:bf:
    c1:cf:71:c9:07:87:64:b2:cb:ee:76:82:de:1a:a9:
    67:a3:7d:e0:31:d1:5b:ec:7e:34:3a:6e:a8:9b:74:
    c7:1d:70:52:bf:6a:a2:f1:d3:03:01:98:86:bc:83:
    dd:7f:2b:a6:18:ef:8e:f8:2b:6a:44:7d:33:6e:c5:
    e1:ba:85:b0:9c:e1:ae:52:ff:14:0b:ed:30:98:52:
    c5:e9:fd:82:00:40:dd:85:80:ca:f6:7d:48:74:56:
    5b:7e:5e:a4:4f:62:d3:60:f6:a1:7d:2d:66:2c:06:
    31:93:1d:69:bb:68:84:87:61
publicExponent: 65537 (0x10001)
privateExponent:
    00:99:88:66:71:65:69:1c:bf:b3:09:b4:73:85:4b:
    dd:7c:11:69:7c:50:21:b2:0b:c9:68:2d:0f:63:a1:
    c9:5f:96:f7:fd:23:8b:1b:43:36:3d:d3:14:1c:bc:
    0d:a3:5d:7b:61:c3:bf:9e:0e:19:58:c4:2d:80:e1:
    0a:51:b6:e6:4e:e1:84:03:bb:ae:91:58:c3:fc:e1:
    a7:7d:69:4a:34:3c:e1:c8:ff:95:2e:69:bc:0e:4e:
    0f:b7:8b:a3:e7:c7:9c:43:01:0c:84:db:16:d9:58:
    91:02:12:75:38:83:0e:b9:ed:13:0b:00:80:07:a4:
    09:14:25:91:63:72:4d:a0:b1
prime1:
    00:e0:9c:c6:5a:de:23:b9:4a:7c:9b:43:46:93:d1:
    91:e2:40:db:64:70:9d:3a:64:b5:56:16:0c:55:8e:
    89:92:5c:cd:bb:77:e5:08:f7:3b:9c:41:76:6b:f0:
    67:ae:48:38:9f:2a:6e:b9:ce:e3:14:08:ad:fe:c1:
    b0:57:a5:6e:bd
prime2:
    00:c9:a5:2a:ff:21:28:f4:c0:67:9c:42:b1:c9:df:
    f4:4f:a0:5b:e4:85:6f:a1:6c:89:4e:d8:04:d1:e4:
    47:6a:87:75:3d:a6:55:36:ab:5c:9f:63:be:c9:7a:
    9a:ae:d8:0b:2b:7f:36:5e:e8:54:56:9c:6e:b4:ee:
    d7:eb:64:c7:75
exponent1:
    00:80:21:af:1d:e3:1f:29:f2:8e:06:dc:68:04:a7:
    46:bb:75:18:32:c1:f3:4f:7e:67:db:c6:14:1f:32:
    82:d4:55:d0:9f:23:14:2a:fb:2e:ac:42:c3:d5:6b:
    7d:19:f4:e5:28:17:42:b7:08:88:8d:c3:2d:ce:e8:
    9b:3a:44:8b:59
exponent2:
    0f:db:9f:70:05:09:95:85:f4:20:03:d6:bb:8b:93:
    49:17:d1:62:3d:64:34:0b:b7:18:ae:40:62:c9:53:
    1c:7b:9e:aa:c4:83:fb:12:aa:ec:16:0a:11:0a:45:
    53:ee:c5:a2:1c:15:08:8d:b8:e4:3e:d5:2e:01:82:
    95:8e:8d:69
coefficient:
    00:bb:60:d9:2e:14:9c:18:76:e7:ed:c8:0f:de:b6:
    ff:a3:ae:c2:6f:da:7b:b3:5c:61:22:5d:45:50:2a:
    38:75:28:d4:75:5b:12:ba:04:48:73:b7:a3:8d:44:
    74:24:2d:71:0e:fa:c3:e2:cc:9a:3f:e4:22:ed:ab:
    13:e8:0d:79:98

As you can see, when you process an encrypted key (as we did with keydes3.pem), you have to enter the passphrase. Note that -text prints the private components (privateExponent, prime1, prime2 and the CRT values), so do not paste such output anywhere you would not paste the key file itself.
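The printed components are not independent: PKCS#1 (RFC 8017) fixes how they relate to each other, and an implementation relies on those relations, which is also why a corrupted or tampered key file must be rejected rather than used. As an added example that is not part of the original post, the Python below parses the -text dump shown above for keydes3.pem, checks each relation, and performs a private-key operation with the CRT values the way OpenSSL does (Garner's recombination). The test message at the end of the usage note is constructed for this example.

```python
import math
import re

# The `openssl rsa -text` dump from this page (keydes3.pem), embedded as the sample input.
RSA_TEXT = """\
Private-Key: (1024 bit)
modulus:
    00:b0:ec:02:82:c2:c7:db:45:fd:34:df:bc:6a:bf:
    c1:cf:71:c9:07:87:64:b2:cb:ee:76:82:de:1a:a9:
    67:a3:7d:e0:31:d1:5b:ec:7e:34:3a:6e:a8:9b:74:
    c7:1d:70:52:bf:6a:a2:f1:d3:03:01:98:86:bc:83:
    dd:7f:2b:a6:18:ef:8e:f8:2b:6a:44:7d:33:6e:c5:
    e1:ba:85:b0:9c:e1:ae:52:ff:14:0b:ed:30:98:52:
    c5:e9:fd:82:00:40:dd:85:80:ca:f6:7d:48:74:56:
    5b:7e:5e:a4:4f:62:d3:60:f6:a1:7d:2d:66:2c:06:
    31:93:1d:69:bb:68:84:87:61
publicExponent: 65537 (0x10001)
privateExponent:
    00:99:88:66:71:65:69:1c:bf:b3:09:b4:73:85:4b:
    dd:7c:11:69:7c:50:21:b2:0b:c9:68:2d:0f:63:a1:
    c9:5f:96:f7:fd:23:8b:1b:43:36:3d:d3:14:1c:bc:
    0d:a3:5d:7b:61:c3:bf:9e:0e:19:58:c4:2d:80:e1:
    0a:51:b6:e6:4e:e1:84:03:bb:ae:91:58:c3:fc:e1:
    a7:7d:69:4a:34:3c:e1:c8:ff:95:2e:69:bc:0e:4e:
    0f:b7:8b:a3:e7:c7:9c:43:01:0c:84:db:16:d9:58:
    91:02:12:75:38:83:0e:b9:ed:13:0b:00:80:07:a4:
    09:14:25:91:63:72:4d:a0:b1
prime1:
    00:e0:9c:c6:5a:de:23:b9:4a:7c:9b:43:46:93:d1:
    91:e2:40:db:64:70:9d:3a:64:b5:56:16:0c:55:8e:
    89:92:5c:cd:bb:77:e5:08:f7:3b:9c:41:76:6b:f0:
    67:ae:48:38:9f:2a:6e:b9:ce:e3:14:08:ad:fe:c1:
    b0:57:a5:6e:bd
prime2:
    00:c9:a5:2a:ff:21:28:f4:c0:67:9c:42:b1:c9:df:
    f4:4f:a0:5b:e4:85:6f:a1:6c:89:4e:d8:04:d1:e4:
    47:6a:87:75:3d:a6:55:36:ab:5c:9f:63:be:c9:7a:
    9a:ae:d8:0b:2b:7f:36:5e:e8:54:56:9c:6e:b4:ee:
    d7:eb:64:c7:75
exponent1:
    00:80:21:af:1d:e3:1f:29:f2:8e:06:dc:68:04:a7:
    46:bb:75:18:32:c1:f3:4f:7e:67:db:c6:14:1f:32:
    82:d4:55:d0:9f:23:14:2a:fb:2e:ac:42:c3:d5:6b:
    7d:19:f4:e5:28:17:42:b7:08:88:8d:c3:2d:ce:e8:
    9b:3a:44:8b:59
exponent2:
    0f:db:9f:70:05:09:95:85:f4:20:03:d6:bb:8b:93:
    49:17:d1:62:3d:64:34:0b:b7:18:ae:40:62:c9:53:
    1c:7b:9e:aa:c4:83:fb:12:aa:ec:16:0a:11:0a:45:
    53:ee:c5:a2:1c:15:08:8d:b8:e4:3e:d5:2e:01:82:
    95:8e:8d:69
coefficient:
    00:bb:60:d9:2e:14:9c:18:76:e7:ed:c8:0f:de:b6:
    ff:a3:ae:c2:6f:da:7b:b3:5c:61:22:5d:45:50:2a:
    38:75:28:d4:75:5b:12:ba:04:48:73:b7:a3:8d:44:
    74:24:2d:71:0e:fa:c3:e2:cc:9a:3f:e4:22:ed:ab:
    13:e8:0d:79:98
"""

def parse_rsa_text(text):
    """Parse the dump into ints keyed by the field names OpenSSL prints."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # continuation of a multi-line hex value
            for byte in line.strip().strip(":").split(":"):
                fields[current] = (fields[current] << 8) | int(byte, 16)
            continue
        name, _, rest = line.partition(":")
        rest = rest.strip()
        if name == "Private-Key":
            fields["bits"] = int(re.search(r"(\d+) bit", rest).group(1))
        elif rest:  # inline value, e.g. "publicExponent: 65537 (0x10001)"
            fields[name] = int(rest.split()[0])
        else:  # header line of a multi-line hex value
            fields[name], current = 0, name
    return fields

def check_private_key(k):
    """Relations RFC 8017 requires between the components, plus a size check."""
    n, e, d, p, q = (k[f] for f in ("modulus", "publicExponent", "privateExponent", "prime1", "prime2"))
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return {
        "n_is_p_times_q": p * q == n,
        "d_inverts_e": (d * e) % lam == 1,
        "exponent1_is_d_mod_p1": k["exponent1"] == d % (p - 1),
        "exponent2_is_d_mod_q1": k["exponent2"] == d % (q - 1),
        "coefficient_is_qinv_mod_p": k["coefficient"] == pow(q, -1, p),
        "size_matches_header": n.bit_length() == k["bits"],
        "size_acceptable_today": n.bit_length() >= 2048,
    }

def crt_decrypt(c, k):
    """Private-key operation via the CRT values (Garner), as OpenSSL does it."""
    p, q = k["prime1"], k["prime2"]
    m1, m2 = pow(c, k["exponent1"], p), pow(c, k["exponent2"], q)
    h = (k["coefficient"] * (m1 - m2)) % p
    return m2 + h * q
```

With k = parse_rsa_text(RSA_TEXT), every relation in check_private_key(k) holds except size_acceptable_today, which is False for this 1024-bit key; and for any message m below the modulus, crt_decrypt(pow(m, k["publicExponent"], k["modulus"]), k) returns m again. The two exponentiations in crt_decrypt are on 512-bit numbers rather than one on a 1024-bit number, which is why OpenSSL stores exponent1, exponent2 and coefficient in the key instead of recomputing them.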

For more info, see man openssl, man genrsa and man rsa.
