RSA Asymmetric Key Cryptography

RSA is an algorithm for asymmetric key cryptography for use in encryption and digital signatures.

Asymmetric key cryptography requires two separate keys generated by the same large random number. One key can be made public (public key) and is used to encrypt data or verify a signature. The other key should be kept private and is used to decrypt the data or sign a signature. This allows anyone with the public key to encrypt data and send it safely to the owner of the private key, who can decrypt it.

Encryption and Signature Schemes

There are several schemes available for RSA cryptography :

For encryption:
- RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding (RSAES-OAEP)
- RSA Encryption Scheme based on PKCS #1 v1.5 (RSAES_PKCS1V15); only for compatibility with existing applications.
For signature signing and verification:
- RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme (RSASSA-PSS)
- RSA Signature Scheme with Appendix based on PKCS #1 v1.5 (RSASSA_PKCS1V15) . This scheme is primarily provided for compatibility with existing applications. For new applications, RSASSA-PSS is preferred.

Supported RSA Algorithms
Algorithm	Meaning
`RSAES_OAEP_SHA1`	RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-1 hash function
`RSAES_OAEP_SHA224`	RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-224 hash function
`RSAES_OAEP_SHA256`	RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-256 hash function
`RSAES_OAEP_SHA384`	RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-384 hash function
`RSAES_OAEP_SHA512`	RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-512 hash function
`RSAES_PKCS1V15`	RSA Encryption Scheme based on PKCS #1 v1.5
`RSASSA_PSS_SHA1`	RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-1 hash function
`RSASSA_PSS_SHA224`	RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-224 hash function
`RSASSA_PSS_SHA256`	RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-256 hash function
`RSASSA_PSS_SHA384`	RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-384 hash function
`RSASSA_PSS_SHA512`	RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-512 hash function
`RSASSA_PKCS1V15_MD2`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with MD2 hash function. This is only for compatibility.
`RSASSA_PKCS1V15_MD5`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with MD5 hash function. This is only for compatibility.
`RSASSA_PKCS1V15_SHA1`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-1 hash function
`RSASSA_PKCS1V15_SHA224`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-224 hash function
`RSASSA_PKCS1V15_SHA256`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-256 hash function
`RSASSA_PKCS1V15_SHA384`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-384 hash function
`RSASSA_PKCS1V15_SHA512`	RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-512 hash function

Generating Keys

Uniface accepts the PKCS #8 private key format and X.509 public key format. For interoperability, PEM (Privacy Enhanced Mail) encoding is used for both keys. PEM encoding is a Base64 encoding with a header and footer. This encoding is commonly used.

You can generate the RSA private and public keys using OpenSSL. For example, the following command generates a 2048 -bit key saved to file named myPrivateKey.pem:

# Generate the RSA private key in the traditional SSLeay format.
openssl genrsa -out traditional.pem 2048

# Change the private key to PKCS#8 format in PEM encoding.
openssl pkcs8 -topk8 -in traditional.pem -inform pem -nocrypt -out myPrivateKey.pem -outform pem

To generate the corresponding public key:

openssl rsa -in myPrivateKey.pem -out myPublicKey.pem -pubout

For more information, consult the OpenSSL documentation (http://www.openssl.org/).

Encrypting and Decrypting Data Using the Keys

Using the $encode and $decode ProcScript functions, you can use the keys to encrypt and decrypt the data. The key needs to be loaded into a string

Uniface accepts the key parameter as string.

; Load keys
fileload "myPrivateKey.pem", vMyPrivateKey
fileload "myPublicKey.pem", vMyPublicKey

; Encrypt data by RSA-OAEP encryption scheme with SHA-512 hash
ciphertext = $encode("RSAES_OAEP_SHA512", plaintext, vMyPublicKey)

; Decrypt the ciphertext 
plaintext = $decode("RSAES_OAEP_SHA512", ciphertext, vMyPrivateKey)

Signing and Verifying Signatures

Using $encode and $decode you can sign and verify a message with a digital signature:

; Sign a message by RSA PSS with SHA512 hash.
vSignature = $encode("RSASSA_PSS_SHA512, vMessage, vMyPrivateKey)

; Verify the signed message.
if ($decode("RSASSA_PSS_SHA512", vMessage, vMyPublicKey, vSignature)) 
    message/info "This is a valid message." 
else 
    message/info "Signature doesn’t match with the message." 
endif