1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
|
.. _usage:
Usage
==================================================
This section describes the usage of the Python-RSA module.
Before you can use RSA you need keys. You will receive a private key
and a public key.
.. important::
The private key is called *private* for a reason. Never share this
key with anyone.
The public key is used for encypting a message such that it can only
be read by the owner of the private key. As such it's also referred to
as the *encryption key*. Decrypting a message can only be done using
the private key, hence it's also called the *decryption key*.
The private key is used for signing a message. With this signature and
the public key, the receiver can verifying that a message was signed
by the owner of the private key, and that the message was not modified
after signing.
Generating keys
--------------------------------------------------
You can use the :py:func:`rsa.newkeys` function to create a keypair:
>>> import rsa
>>> (pubkey, privkey) = rsa.newkeys(512)
Alternatively you can use :py:meth:`rsa.PrivateKey.load_pkcs1` and
:py:meth:`rsa.PublicKey.load_pkcs1` to load keys from a file:
>>> import rsa
>>> with open('private.pem', mode='rb') as privatefile:
... keydata = privatefile.read()
>>> privkey = rsa.PrivateKey.load_pkcs1(keydata)
Time to generate a key
++++++++++++++++++++++++++++++++++++++++
Generating a keypair may take a long time, depending on the number of
bits required. The number of bits determines the cryptographic
strength of the key, as well as the size of the message you can
encrypt. If you don't mind having a slightly smaller key than you
requested, you can pass ``accurate=False`` to speed up the key
generation process.
Another way to speed up the key generation process is to use multiple
processes in parallel to speed up the key generation. Use no more than
the number of processes that your machine can run in parallel; a
dual-core machine should use ``poolsize=2``; a quad-core
hyperthreading machine can run two threads on each core, and thus can
use ``poolsize=8``.
>>> (pubkey, privkey) = rsa.newkeys(512, poolsize=8)
These are some average timings from my desktop machine (Linux 2.6,
2.93 GHz quad-core Intel Core i7, 16 GB RAM) using 64-bit CPython 2.7.
Since key generation is a random process, times may differ even on
similar hardware. On all tests, we used the default ``accurate=True``.
+----------------+------------------+------------------+
| Keysize (bits) | single process | eight processes |
+================+==================+==================+
| 128 | 0.01 sec. | 0.01 sec. |
+----------------+------------------+------------------+
| 256 | 0.03 sec. | 0.02 sec. |
+----------------+------------------+------------------+
| 384 | 0.09 sec. | 0.04 sec. |
+----------------+------------------+------------------+
| 512 | 0.11 sec. | 0.07 sec. |
+----------------+------------------+------------------+
| 1024 | 0.79 sec. | 0.30 sec. |
+----------------+------------------+------------------+
| 2048 | 6.55 sec. | 1.60 sec. |
+----------------+------------------+------------------+
| 3072 | 23.4 sec. | 7.14 sec. |
+----------------+------------------+------------------+
| 4096 | 72.0 sec. | 24.4 sec. |
+----------------+------------------+------------------+
If key generation is too slow for you, you could use OpenSSL to
generate them for you, then load them in your Python code. OpenSSL
generates a 4096-bit key in 3.5 seconds on the same machine as used
above. See :ref:`openssl` for more information.
Key size requirements
--------------------------------------------------
Python-RSA version 3.0 introduced PKCS#1-style random padding. This
means that 11 bytes (88 bits) of your key are no longer usable for
encryption, so keys smaller than this are unusable. The larger the
key, the higher the security.
Creating signatures also requires a key of a certain size, depending
on the used hash method:
+-------------+-----------------------------------+
| Hash method | Suggested minimum key size (bits) |
+=============+===================================+
| MD5 | 360 |
+-------------+-----------------------------------+
| SHA-1 | 368 |
+-------------+-----------------------------------+
| SHA-256 | 496 |
+-------------+-----------------------------------+
| SHA-384 | 624 |
+-------------+-----------------------------------+
| SHA-512 | 752 |
+-------------+-----------------------------------+
Encryption and decryption
--------------------------------------------------
To encrypt or decrypt a message, use :py:func:`rsa.encrypt` resp.
:py:func:`rsa.decrypt`. Let's say that Alice wants to send a message
that only Bob can read.
#. Bob generates a keypair, and gives the public key to Alice. This is
done such that Alice knows for sure that the key is really Bob's
(for example by handing over a USB stick that contains the key).
>>> import rsa
>>> (bob_pub, bob_priv) = rsa.newkeys(512)
#. Alice writes a message, and encodes it in UTF-8. The RSA module
only operates on bytes, and not on strings, so this step is
necessary.
>>> message = 'hello Bob!'.encode('utf8')
#. Alice encrypts the message using Bob's public key, and sends the
encrypted message.
>>> import rsa
>>> crypto = rsa.encrypt(message, bob_pub)
#. Bob receives the message, and decrypts it with his private key.
>>> message = rsa.decrypt(crypto, bob_priv)
>>> print(message.decode('utf8'))
hello Bob!
Since Bob kept his private key *private*, Alice can be sure that he is
the only one who can read the message. Bob does *not* know for sure
that it was Alice that sent the message, since she didn't sign it.
RSA can only encrypt messages that are smaller than the key. A couple
of bytes are lost on random padding, and the rest is available for the
message itself. For example, a 512-bit key can encode a 53-byte
message (512 bit = 64 bytes, 11 bytes are used for random padding and
other stuff). See :ref:`bigfiles` for information on how to work with
larger files.
Altering the encrypted information will *likely* cause a
:py:class:`rsa.pkcs1.DecryptionError`. If you want to be *sure*, use
:py:func:`rsa.sign`.
>>> crypto = rsa.encrypt(b'hello', bob_pub)
>>> crypto = crypto[:-1] + b'X' # change the last byte
>>> rsa.decrypt(crypto, bob_priv)
Traceback (most recent call last):
...
rsa.pkcs1.DecryptionError: Decryption failed
.. warning::
Never display the stack trace of a
:py:class:`rsa.pkcs1.DecryptionError` exception. It shows where
in the code the exception occurred, and thus leaks information
about the key. It’s only a tiny bit of information, but every bit
makes cracking the keys easier.
Low-level operations
++++++++++++++++++++++++++++++
The core RSA algorithm operates on large integers. These operations
are considered low-level and are supported by the
:py:func:`rsa.core.encrypt_int` and :py:func:`rsa.core.decrypt_int`
functions.
Signing and verification
--------------------------------------------------
You can create a detached signature for a message using the
:py:func:`rsa.sign` function:
>>> (pubkey, privkey) = rsa.newkeys(512)
>>> message = 'Go left at the blue tree'
>>> signature = rsa.sign(message, privkey, 'SHA-1')
This hashes the message using SHA-1. Other hash methods are also
possible, check the :py:func:`rsa.sign` function documentation for
details. The hash is then signed with the private key.
In order to verify the signature, use the :py:func:`rsa.verify`
function. This function returns True if the verification is successful:
>>> message = 'Go left at the blue tree'
>>> rsa.verify(message, signature, pubkey)
True
Modify the message, and the signature is no longer valid and a
:py:class:`rsa.pkcs1.VerificationError` is thrown:
>>> message = 'Go right at the blue tree'
>>> rsa.verify(message, signature, pubkey)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/sybren/workspace/python-rsa/rsa/pkcs1.py", line 289, in verify
raise VerificationError('Verification failed')
rsa.pkcs1.VerificationError: Verification failed
.. warning::
Never display the stack trace of a
:py:class:`rsa.pkcs1.VerificationError` exception. It shows where
in the code the exception occurred, and thus leaks information
about the key. It's only a tiny bit of information, but every bit
makes cracking the keys easier.
Instead of a message you can also call :py:func:`rsa.sign` and
:py:func:`rsa.verify` with a :py:class:`file`-like object. If the
message object has a ``read(int)`` method it is assumed to be a file.
In that case the file is hashed in 1024-byte blocks at the time.
>>> with open('somefile', 'rb') as msgfile:
... signature = rsa.sign(msgfile, privkey, 'SHA-1')
>>> with open('somefile', 'rb') as msgfile:
... rsa.verify(msgfile, signature, pubkey)
.. _bigfiles:
Working with big files
--------------------------------------------------
RSA can only encrypt messages that are smaller than the key. A couple
of bytes are lost on random padding, and the rest is available for the
message itself. For example, a 512-bit key can encode a 53-byte
message (512 bit = 64 bytes, 11 bytes are used for random padding and
other stuff).
How it usually works
++++++++++++++++++++++++++++++++++++++++
The most common way to use RSA with larger files uses a block cypher
like AES or DES3 to encrypt the file with a random key, then encrypt
the random key with RSA. You would send the encrypted file along with
the encrypted key to the recipient. The complete flow is:
#. Generate a random key
>>> import rsa.randnum
>>> aes_key = rsa.randnum.read_random_bits(128)
#. Use that key to encrypt the file with AES.
#. :py:func:`Encrypt <rsa.encrypt>` the AES key with RSA
>>> encrypted_aes_key = rsa.encrypt(aes_key, public_rsa_key)
#. Send the encrypted file together with ``encrypted_aes_key``
#. The recipient now reverses this process to obtain the encrypted
file.
.. note::
The Python-RSA module does not contain functionality to do the AES
encryption for you.
Only using Python-RSA: the VARBLOCK format
+++++++++++++++++++++++++++++++++++++++++++
As far as we know, there is no pure-Python AES encryption. Previous
versions of Python-RSA included functionality to encrypt large files
with just RSA, and so does this version. The format has been improved,
though.
Encrypting works as follows: the input file is split into blocks that
are just large enough to encrypt with your RSA key. Every block is
then encrypted using RSA, and the encrypted blocks are assembled into
the output file. This file format is called the :ref:`VARBLOCK
<VARBLOCK>` format.
Decrypting works in reverse. The encrypted file is separated into
encrypted blocks. Those are decrypted, and assembled into the original
file.
.. note::
The file will get larger after encryption, as each encrypted block
has 8 bytes of random padding and 3 more bytes of overhead.
Since these encryption/decryption functions are potentially called on
very large files, they use another approach. Where the regular
functions store the message in memory in its entirety, these functions
work on one block at the time. As a result, you should call them with
:py:class:`file`-like objects as the parameters.
Before using we of course need a keypair:
>>> import rsa
>>> (pub_key, priv_key) = rsa.newkeys(512)
Encryption works on file handles using the
:py:func:`rsa.bigfile.encrypt_bigfile` function:
>>> from rsa.bigfile import *
>>> with open('inputfile', 'rb') as infile, open('outputfile', 'wb') as outfile:
... encrypt_bigfile(infile, outfile, pub_key)
As does decryption using the :py:func:`rsa.bigfile.decrypt_bigfile`
function:
>>> from rsa.bigfile import *
>>> with open('inputfile', 'rb') as infile, open('outputfile', 'wb') as outfile:
... decrypt_bigfile(infile, outfile, priv_key)
.. note::
:py:func:`rsa.sign` and :py:func:`rsa.verify` work on arbitrarily
long files, so they do not have a "bigfile" equivalent.
|
