## Overview
Symmetric encryption requires both parties to know the common secret key. In absence of a secure communication channel sharing this secret key becomes prone to eavesdropping. Asymmetric encryption is utilised in such scenario. It involves two keys a **public key** and a **private key**. The public key can be shared freely and is used to encrypt the plaintext. Private key is secret and is used to decrypt the ciphertext.

Asymmetric enryption offers **confidentiality**, but not **authentication**, **integrity** or **non-repudiation**.

## RSA Internals
RSA is the most commonly known asymmetric cryptographic algorithm. Asymmetric crypto algorithms depend upon trapdoor functions which are easy to calculate one way but very difficult the other way round.

RSA utilises the fact that it is eaasy to multiple two large prime numbers, but difficult to determine factors of the resultant product. The following example illustrates how it works. 

Let's say we have a pair of number $(5,14)$ which is the public key using which we will encrypt plaintext $B$. The steps involved are:
1. Convert $B$ to a number, lets say $B$ is represented by number $2$
2. Calculate $2^{5}(mod\ 14)$. It is equal to $32\ mod\ 14 = 4$
3. Convert $4$ back to letter which is $D$. Therefore the ciphertext is $D$

To decrypt, we need the private key which in this case is the pair $(11, 14)$. To decrypt the ciphertext:
1. Convert $D$ to a number, lets say $D$ is represented by number $4$
2. Calculate $4^{11}(mod\ 14)$. It is equal to $4194304\ mod\ 14 = 2$
3. Convert $2$ back to letter which is $B$. Therefore the plaintext is $B$

How did we come up with the public and private keypair?
1. Take two large prime numbers and multiply them. In this case we can take small primes for illustration.  
   $p=2, q=7, N=p\times q=14$
2. $p$ and $q$ are kept secret, $N$ is made public (along with $E$ explained l)
3. Calculate $\upphi(N)$ which is count of numbers coprime with $14$ between $1$ and $14$.  
   The numbers are $1$, $3$, $5$, $9$, $11$ and $13$. So $\upphi(N)=6$ which is same as $(p-1)(q-1)$
4. The number $E$, part of public key must a) $1 < E < \upphi(N)$ and b) coprime with $N$ and $\upphi(N)$.  
   Out of $2$, $3$, $4$ and $5$ only last satisfies both. So $E=5$
5. The number $D$, part of private key must satisfy $D\cdot E (mod\ \upphi(N)) = 1$ which is $D\cdot 5 (mod\ 6) = 1$.  
   There can be multiple solutions to this like $5$, $11$, etc. We choose $D=11$.
6. Thus the pairs are $(5,14)$ and $(11,14)$

## Algorithms
- **RSA (Rivest Shamir Adleman)**: can be used to directly encrypt decrypt data
- **ElGamal**: can be used to directly encrypt decrypt data
- **ECIES (Elliptic Curve Integrated Encryption Scheme)**: can be used to directly encrypt decrypt data
- **DSA (Digital Signature Algorithm)**: used for generating digital signatures
  **ECDSA (Elliptic Curve Digital Signature Algorithm)**: used for generating digital signatures
- **DH (Diffie-Hellman)**: used for key exhange
- **ECDH (Elliptic Curve Diffie–Hellman)**: used for key exchange

RSA can only encrypt data smaller than its key size, therefore in practise it is only used for small data. Size of the key is the size of modulus part (14 in the above example). The security in relation to key size is listed below:
<div style="display: inline-block" />
    
| RSA key size in bits | Security level in bits |
|----------------------|------------------------|
| 1,024                | 80                     |
| 2,048                | 112                    |                
| 3,072                | 128                    |       
| 4,096                | 152                    |      
| 7,680                | 192                    |    
| 8,192                | 200                    |      
| 15,360               | 256                    |   
</div>

To reach same security level of AES-256, RSA key needs to be 15360 bits long. Asymmetric encryption/decryption is also slower than symmetric equivalent and performance drops with increase in key size. Longer keys also take longer to generate. For RSA, the generated ciphertext is as long as the key. Thus, we have a trade-off between security and performance. What is the acceptable compromise? What RSA key size do we choose? NIST recommends using:
- At least 2,048 bits until 2030
- At least 3,072 bits after 2030

## OpenSSL
### Generating Key Pair
For simplicity, we can assume that when mentioning a private key, OpenSSL means a keypair, and when mentioning a public key, OpenSSL means what it says – a public key. To generate RSA keypair:

```bash
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out rsa_keypair.pem
$ cat rsa_keypair.pem
  -----BEGIN PRIVATE KEY-----
  MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC0kpk0YyIRGmWP
  HteLTY+KZPYNDcDaEwr1/aFe9R1ATjW7mNgLZGCaGUHWljZ3AFmUHb4sQs4L9NiY
  ...
  -----END PRIVATE KEY-----
```

The keypair is saved in **PEM** format (Privacy Enhanced Mail). The content is base64 representation of some binary data. Another format is **DER** (Distinguished Encoing Rules) which is a binary format described by ASN.1 notation.

To get more information on the keypair file, run
```bash
$ openssl pkey -in rsa_keypair.pem -noout -text
```

The output contains all information about the key such as:
- Key length
- modulus: 14 in the above example
- publicExponent: 5 in the above example
- privateExponent: 11 in the above example
- prime1: 2 in the above example
- prime2: 7 in the above example
- some other information

To extract public key out of this:
```bash
$ openssl pkey -in rsa_keypair.pem -pubout -out rsa_public_key.pem
$ cat rsa_public_key.pem
  -----BEGIN PUBLIC KEY-----
  MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtJKZNGMiERpljx7Xi02P
  imT2DQ3A2hMK9f2hXvUdQE41u5jYC2RgmhlB1pY2dwBZlB2+LELOC/TYmILKfFhw
  ...
  -----END PUBLIC KEY-----
```

On inspecting the key, we would get only the modulus and the publicExponent:
```bash
$ openssl pkey -pubin -in rsa_public_key.pem -noout -text
```

### Encrypting Data
RSA is typically used to encrypt symmetric encryption key called session key. That session key is then used to encrypt plaintext. To generate a 256 bit session key:
```bash
$ openssl rand -out session_key.bin 32
```
To encrypt the session key, use `pkeyutl` command:
```bash
$ openssl pkeyutl -encrypt -in session_key.bin -out session_key.bin.encrypted -pubin -inkey rsa_public_key.pem -pkeyopt rsa_padding_mode:oaep
```
Even though the input was 256 bits, the output is 4096 bits. Use of OAEP padding mode results in different ciphertext each time we encrypt. With this padding maximum file size that can be enrypted is 4096 - 42 = 4054 byes.

To decrypt the data:
```bash
$ openssl pkeyutl -decrypt -in session_key.bin.encrypted -out session_key.bin.decrypted -inkey rsa_keypair.pem -pkeyopt rsa_padding_mode:oaep
```

## Java

In [None]:
// Generate AES-256 key
KeyGenerator aesKeyGen = KeyGenerator.getInstance("AES");
aesKeyGen.init(256);
SecretKey aesKey = aesKeyGen.generateKey();

byte[] aesKeyBytes = aesKey.getEncoded();

// Generate RSA 4096-bit key pair
KeyPairGenerator rsaKeyGen = KeyPairGenerator.getInstance("RSA");
rsaKeyGen.initialize(4096);
KeyPair rsaKeyPair = rsaKeyGen.generateKeyPair();

PublicKey publicKey = rsaKeyPair.getPublic();
PrivateKey privateKey = rsaKeyPair.getPrivate();

// Encrypt AES key using RSA public key
Cipher rsaEncryptCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
rsaEncryptCipher.init(Cipher.ENCRYPT_MODE, publicKey);

byte[] encryptedAesKey = rsaEncryptCipher.doFinal(aesKeyBytes);

// Decrypt AES key using RSA private key
Cipher rsaDecryptCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
rsaDecryptCipher.init(Cipher.DECRYPT_MODE, privateKey);

byte[] decryptedAesKeyBytes = rsaDecryptCipher.doFinal(encryptedAesKey);