RSA Asymmetric Key Cryptography

RSA is an algorithm for asymmetric key cryptography for use in encryption and digital signatures.

Asymmetric key cryptography requires two separate keys generated by the same large random number. One key can be made public (public key) and is used to encrypt data or verify a signature. The other key should be kept private and is used to decrypt the data or sign a signature. This allows anyone with the public key to encrypt data and send it safely to the owner of the private key, who can decrypt it.

Encryption and Signature Schemes

There are several schemes available for RSA cryptography :

  • For encryption:
    • RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding (RSAES-OAEP)
    • RSA Encryption Scheme based on PKCS #1 v1.5 (RSAES_PKCS1V15); only for compatibility with existing applications.
  • For signature signing and verification:
    • RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme (RSASSA-PSS)
    • RSA Signature Scheme with Appendix based on PKCS #1 v1.5 (RSASSA_PKCS1V15) . This scheme is primarily provided for compatibility with existing applications. For new applications, RSASSA-PSS is preferred.
Supported RSA Algorithms
Algorithm Meaning
RSAES_OAEP_SHA1 RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-1 hash function
RSAES_OAEP_SHA224 RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-224 hash function
RSAES_OAEP_SHA256 RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-256 hash function
RSAES_OAEP_SHA384 RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-384 hash function
RSAES_OAEP_SHA512 RSA Encryption Scheme based on Optimal Asymmetric Encryption Padding with SHA-512 hash function
RSAES_PKCS1V15 RSA Encryption Scheme based on PKCS #1 v1.5
RSASSA_PSS_SHA1 RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-1 hash function
RSASSA_PSS_SHA224 RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-224 hash function
RSASSA_PSS_SHA256 RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-256 hash function
RSASSA_PSS_SHA384 RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-384 hash function
RSASSA_PSS_SHA512 RSA Signature Scheme with Appendix based on Probabilistic Signature Scheme with SHA-512 hash function
RSASSA_PKCS1V15_MD2 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with MD2 hash function. This is only for compatibility.
RSASSA_PKCS1V15_MD5 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with MD5 hash function. This is only for compatibility.
RSASSA_PKCS1V15_SHA1 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-1 hash function
RSASSA_PKCS1V15_SHA224 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-224 hash function
RSASSA_PKCS1V15_SHA256 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-256 hash function
RSASSA_PKCS1V15_SHA384 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-384 hash function
RSASSA_PKCS1V15_SHA512 RSA Signature Scheme with Appendix based on PKCS #1 v1.5 with SHA-512 hash function

Generating Keys

Uniface accepts the PKCS #8 private key format and X.509 public key format. For interoperability, PEM (Privacy Enhanced Mail) encoding is used for both keys. PEM encoding is a Base64 encoding with a header and footer. This encoding is commonly used.

You can generate the RSA private and public keys using OpenSSL. For example, the following command generates a 2048 -bit key saved to file named myPrivateKey.pem:

# Generate the RSA private key in the traditional SSLeay format.
openssl genrsa -out traditional.pem 2048

# Change the private key to PKCS#8 format in PEM encoding.
openssl pkcs8 -topk8 -in traditional.pem -inform pem -nocrypt -out myPrivateKey.pem -outform pem

To generate the corresponding public key:

openssl rsa -in myPrivateKey.pem -out myPublicKey.pem -pubout 

For more information, consult the OpenSSL documentation (http://www.openssl.org/).

Encrypting and Decrypting Data Using the Keys

Using the $encode and $decode ProcScript functions, you can use the keys to encrypt and decrypt the data. The key needs to be loaded into a string

Uniface accepts the key parameter as string.

; Load keys
fileload "myPrivateKey.pem", vMyPrivateKey
fileload "myPublicKey.pem", vMyPublicKey

; Encrypt data by RSA-OAEP encryption scheme with SHA-512 hash
ciphertext = $encode("RSAES_OAEP_SHA512", plaintext, vMyPublicKey)

; Decrypt the ciphertext 
plaintext = $decode("RSAES_OAEP_SHA512", ciphertext, vMyPrivateKey)

Signing and Verifying Signatures

Using $encode and $decode you can sign and verify a message with a digital signature: 

; Sign a message by RSA PSS with SHA512 hash.
vSignature = $encode("RSASSA_PSS_SHA512, vMessage, vMyPrivateKey)

; Verify the signed message.
if ($decode("RSASSA_PSS_SHA512", vMessage, vMyPublicKey, vSignature)) 
    message/info "This is a valid message." 
else 
    message/info "Signature doesn’t match with the message." 
endif