# RSA is deceptively easy (and enjoyable)

*by*Phil Tadros

Whereas studying Real-World Cryptography, I got here throughout the “million message attack”.

That is an assault that Daniel Bleichenbacher demonstrated in 1998, which successfully broke RSA with a selected encoding perform known as PKCS #1.

It was solely talked about briefly, so I dug in and determined to attempt to perceive the assault, ultimately to implement it.

Most crypto libraries don’t ship with a susceptible implementation of this, for good purpose.

It has been damaged!

And if I implement the total assault towards an actual implementation, it could additionally include utilizing sensible key measurement.

As an alternative, I made a decision to implement RSA myself in order that I might implement a weak encoding scheme so I might implement the Bleichenbacher assault!

To date, I’ve an implementation of RSA and of PKCS (the susceptible one).

The fundamentals of RSA took an hour to implement, then what felt like days to debug. And now it (seemingly) works!

The assault will observe quickly, hopefully.

RSA is a public-key cryptosystem, in distinction to symmetric key cryptosystems.

With symmetric keys, the sender and the recipient each share a key and use the identical key to encrypt and decrypt the message.

In distinction, public-key cryptosystems have a key *pair*, a public and a personal key.

The general public key can be utilized to *encrypt* messages and the personal key to *decrypt* them.

One of many drawbacks of a symmetric key system is that you must share the important thing.

This implies you must use a *totally different* safe channel to transmit the important thing, after which each events should be actually cautious to maintain it a secret.

This is not manageable for a system with lots of members, just like the web!

However symmetric key encryption is commonly *very quick*, and we now have a few of the operations for it even baked into hardware.

It will be good to make use of it the place we will for that effectivity.

In distinction, with public-key cryptography, you possibly can freely share the general public key, and anybody can then use that to encrypt a message to you.

This implies you don’t want a separate safe channel to share the important thing!

(Though this ignores the entire drawback of validating that the important thing comes from the proper particular person, so you are not having your connection spoofed by an outsider.)

And that is nice!

That is what RSA offers us, however the computations for RSA are sluggish and the messages you possibly can ship are additionally small.

In apply, RSA was used (regrettably, typically nonetheless is) to ascertain a safe connection and carry out a key trade, after which the keys you trade allow you to use symmetric key encryption.

You most likely shouldn’t use RSA.

Fashionable options exist which can be higher, like Curve25519 and different types of elliptic-curve cryptography.

However for worse, we run into RSA, and it is also a enjoyable historic artifact!

It is value understanding in, and hey, implementing it’s simply plain enjoyable.

RSA is a properly elegant cryptosystem.

Its safety is predicated on the problem of factoring the product of enormous prime numbers, and in its purest kind it has no recognized breaks.

Nevertheless, as talked about above, relying on how information is encoded, explicit makes use of of it *can* be damaged.

The essential operations of it are simple to specific.

There are three parts:

- Producing keys
- Encrypting and decrypting!
- Encoding messages

We’ll undergo every of these, beginning with producing keys.

## Producing your keys

To begin with, what even is a key?

We all know that it is used to encrypt or decrypt a message, however what’s inside it?

For RSA, a key contains two numbers.

One in all these is known as the **exponent** and one is the **modulus**.

A key may very well be **(exp=3, mod=3233)**, for instance.

It is actually simply this pair of numbers.

The rationale the items of it are known as the exponent and modulus is due to how we use them!

RSA depends on modular arithmetic (like clock math, for those who’re not acquainted).

These are the exponents and modulus for the encryption or decryption operations which we’ll see later.

To generate a key, you observe a brief process.

- First, decide two prime numbers which we’ll name
**p**and**q**. Then we compute**n = p * q**. - Compute a quantity
**t = lcm(p-1, q-1)**. That is the totient, and we use this as our modulus for producing the keys however then by no means once more. - Decide the general public exponent, which we’ll name
**e**. The requirement is that it shares no elements with**t**and is bigger than 2. One easy means is to begin with 3, however go up by way of the primes till you discover one coprime with**t**. Selecting 65537 can also be fairly frequent, because it’s sufficiently small to be environment friendly for encryption however giant sufficient to keep away from some explicit assaults. - Calculate the personal exponent, which we’ll name
**d**. We compute this as**d = e^-1 mod t**, or the inverse of**e**in our modulus.

Now you have got **d** and **e**, the personal and public exponents, and you’ve got **n**, the modulus.

Bundle these up into two tuples and you’ve got your keys!

Let’s work an instance shortly to see the way it finally ends up.

For our primes, we will select **p = 17** and **q = 29**.

So then **n = 493**.

Now we discover **t = lcm(17 – 1, 29 – 1) = lcm(16, 28) = 112**.

We’ll select **e = 3**, which works since **2 < 3** and **gcd(3, 112) = 1** so we all know they share no elements.

Now we compute **d = e^-1 = 3^-1 = 75 mod 112**.

After which we now have our keys!

Our public secret is **(exp=3, mod=493)**, and our personal secret is **(exp=75, mod=493)**.

We’ll use these once more in our examples on encrypting and decrypting!

## Encrypting and decrypting a message

Now that we now have our keys, we will encrypt and decrypt a message!

Usually, we’d consider a message as one thing like “good day, world” however to RSA, each message is a single integer.

Let’s assume for now that we’re okay with this, however we’ll come again to how we get from a message to an integer later.

Our message integer must be lower than our modulus, in any other case we will not decrypt it, since you will by no means get again one thing *bigger* than the modulus in modular arithmetic.

Let’s name that message **m**.

To encrypt the message, we take our exponent *e* and modulus *n* from the general public key and we compute the ciphertext **c = m^e mod n**.

This provides us again *one other* integer, which we will ship to the recipient!

For them to decrypt it, they use the exponent *d* and the identical modulus *n* from the personal key, and compute the plaintext as **m = c^d = (m^e)^d mod n**.

This works out and the exponents basically cancel out (we’re hand waving, however belief me—or not less than belief Rivest, Shamir, and Adleman).

For example, let’s encrypt one thing and decrypt it once more.

For instance our message is **m = 42**, for arbitrary reasons.

To encrypt it utilizing our keys from earlier, we compute **c = m^e = 42^3 = 138 mod 493**.

And to decrypt our ciphertext, we compute **m = c^d = 138^75 = 42 mod 493**.

That is it so far as encrypting and decrypting goes!

It is elegant, and deceptively easy: this simplicity is why so many individuals implement their very own variations of RSA and roll their very own crypto vulnerabilities.

Do not do it for something that issues!

However *do* roll your individual for the enjoyable of it.

## How do you encode messages?

Okay, so how will we get from a string of characters, like “good day, world”, to an integer?

We encode it!

And if the message is simply too giant to slot in one integer, we will break up it into a number of integers and encrypt every of them.

Every little thing in a reminiscence in a pc is simply bytes.

You might have a string of characters, and underlying that may be a byte array.

You might have an integer, and underlying which can be some bytes!

That is how we will go between them.

Let’s assume for simplicity that we’re utilizing 64-bit integers.

Then every integer is 8 bytes.

In our message “good day, world”, we now have 12 bytes!

Every character has a byte worth.

Right here, we’re assuming it is ASCII encoded for simplicity.

This converts properly into an array of 8-bit integers, or single bytes.

And now we will flip this into two byte arrays of size 8.

The primary 8 bytes turn into one array, and the final 4 bytes turn into the second.

We are able to left-pad it with 0s, however we might additionally proper pad if we choose; both means we now have to pad, after which we now have to recollect to stay with the identical big-endian or little-endian encoding.

Now since these are 8 bytes every, we will use them because the reminiscence for a 64-bit integer!

They’re 7522537965569712247 and 1869769828, respectively.

You may encrypt every of those (given a key that has a excessive sufficient modulus), and then you definately’re in enterprise!

In apply, you wish to use one of many different encoding schemes.

PKCS #1 was fashionable for some time, however has some flaws.

Notably, this made issues for some variations of SSL.

There are enhancements to PKCS now, nevertheless it’s nonetheless not one thing it is best to use since that may imply you are utilizing RSA!

(Sure, I will maintain reminding all of us to not use RSA.)

I realized rather a lot within the means of implementing RSA right here.

Listed below are a number of of the important thing issues, in type of a scattered checklist.

**Implementing cryptosystems is enjoyable.**This was considered one of my greatest takeaways. One time I bought to cut down a tree and it was*precisely*as enjoyable as I imagined it could be. This was the identical: I might lengthy imagined how satisfying it could be however was intimidated, and diving in let me perceive that this is not so scary, and it is lots of enjoyable.**There are lots of delicate methods to be susceptible.**We use libraries with constant-time operations to keep away from timing assaults. Bleichenbacher’s complete assault depends on having the ability to detect if encoding is inaccurate, so any delicate sign of the place the decryption fails is helpful for this. There are myriad different methods to be susceptible. This jogs my memory why we have to depend on deep experience in cryptography, moderately than go round implementing these ourselves.**Large-endian vs. little-endian**I can by no means bear in mind which is which, so I actually desperately want to jot down a weblog put up about it as my very own reference.*nonetheless*journeys me up.**Debugging that is tough!**Specifically, I might initially missed the requirement that the message was lower than the modulus, and ended up having sporadic failures relying on the primes chosen and the message. That made for powerful debugging, however setting fixed small*p*and*q*helped. There have been a number of different powerful cases of debugging, and I count on there are some points that stay!**Safety properties will be at odds with ergonomics.**The bigint library I am utilizing has lots of properties you need: constant-time operations, checked or wrapping operations, good effectivity. Nevertheless it’s additionally typically arduous to learn code written with it, since you must be pretty express in regards to the operations you are utilizing. There are some enhancements to be made, nevertheless it seems like there’s an inherent rigidity right here.**Studying RFCs and a few cryptography papers is… accessible?**I used to be stunned once I learn the Bleichenbacher paper and felt prefer it was fairly straightforward to learn. I’ve a math diploma, however not a lot background in cryptography (and a decade between me and a math classroom), so this was very encouraging! The RFC for PKCS was additionally readable, which was good to search out out.

Now I’ve a toy implementation of RSA and PKCS, so it is time to do what I got here right here for: break the factor.

The toy implementation is published on crates.io, and the source is available.

In a future weblog put up, I am going to discuss how the assault works and supply a demo.

I may additionally take a swing at a few of the different traditional cryptosystems.

The Diffie-Hellman key trade is looking out to me, for instance.

When you’ve carried out a cryptosystem only for enjoyable, I might love to see it.

If this put up was pleasurable or helpful for you, **please share it!**

If in case you have feedback, questions, or suggestions, you possibly can e mail my personal email.

To get new posts and help my work, subscribe to the newsletter. There may be additionally an RSS feed.