# A Demonstration of the RSA Cryptosystem

The Rivest&ndash;Shamir&ndash;Adleman ([RSA](https://en.wikipedia.org/wiki/RSA_\(cryptosystem\))) cryptosystem illustrated below combines secure key&ndash;exchange with digital signature to provide for the _confidentiality_, _integrity_ and _authenticity_ of a private message exchanged between two parties (Alice and Bob) over an insecure channel. Moreover, an adversary (Eve) listening on this channel has no practical way of learning the content of the message, nor any way of tampering with it without the receiving party knowing the message has been corrupted.

The key&ndash;exchange component of this cryptosystem provides for message confidentiality utilizing a [_key&ndash;encapsulation mechanism_](https://en.wikipedia.org/wiki/Key_encapsulation_mechanism) (or _KEM_). This differs from more traditional approaches to key negotiation that utilize a key&ndash;_agreement_ mechanism, such as those based on the [discrete logarithm problem](https://en.wikipedia.org/wiki/Discrete_logarithm) introduced by Diffie and Hellman in their seminal 1976 paper [_New Directions in Cryptography_](https://ee.stanford.edu/~hellman/publications/24.pdf).

The digital signature component of this cryptosystem provides for message integrity and authenticity, ideas that were conceived by Diffie and Hellman in their 1976 paper, but not realized until Rivest, Shamir and Adleman published [_A Method for Obtaining Digital Signatures and Public&ndash;Key Cryptosystems_](https://people.csail.mit.edu/rivest/Rsapaper.pdf) in 1978.

### A Caveat
Note that the procedure as demonstrated provides no guarantee as to the authenticity of either party; that is, that the participants Alice or Bob (or both) are who they claim to be (see [_man&ndash;in&ndash;the&ndash;middle_](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack for elaboration). Nor does it guarantee that the shared key encrypted in the procedure cannot be decrypted by an adversary if the private key used to decrypt it is compromised at a future date (see [_forward secrecy_](https://en.wikipedia.org/wiki/Forward_secrecy) for elaboration). Protections against either vulnerability are not precluded by this implementation, but they are omitted here to minimize conceptual clutter.

## The Procedure
The following procedure, which utilizes the services of this repository's [rsa](https://github.com/dchampion/crypto/tree/master/src/core/rsa.py) module, illustrates a session in which Alice signs and encrypts a private message, and then transmits the message to Bob over an insecure channel. Meanwhile, an adversary (Eve) intercepts the message, but cannot feasibly learn its content, nor tamper with it without Bob detecting the message has been corrupted.

It is assumed that Alice, Bob and Eve all possess their own copy of the [rsa](https://github.com/dchampion/crypto/tree/master/src/core/rsa.py) module; but that only Alice and Bob possess the signing and decryption keys produced by this module to provide the aforementioned protections.

Alice and Bob start by importing the [rsa](https://github.com/dchampion/crypto/tree/master/src/core/rsa.py) module, and a module [sym](https://github.com/dchampion/crypto/tree/master/src/tests/core/sym.py) that implements a symmetric cipher they have agreed in advance will be used to encrypt and decrypt messages (the [sym](https://github.com/dchampion/crypto/tree/master/src/tests/core/sym.py) cipher used here is for illustrative purposes only, and in a real&ndash;world setting would be replaced with a cryptographically&ndash;strong symmetric cipher such as _3DES_ or _AES_).

In [1]:
import os
os.chdir("../src")

# Alice and Bob (and Eve?) import the rsa and sym modules required for the session
from core import rsa
from tests.core import sym

Alice begins by calling the `make_key()` function of the `rsa` module, which returns an `RSAKey` object representing an RSA keypair. She stores her keypair in `key_a` (the suffix `_a` identifies this keypair as belonging to Alice). Alice extracts and stores the public component of the keypair in `pub_key_a`.

In [2]:
# Alice computes her keypair, and stores her public key in pub_key_a
key_a = rsa.make_key()
pub_key_a = key_a.public_key()

Alice must keep the private components of her keypair secret. These are `key_a.p` and `key_a.q` (the prime factors of the public modulus `key_a.n`), `key_a.d3` (her signing key) and `key_a.d5` (her decryption key).

Let's inspect the sizes of some of the crucial components of Alice's keypair.

In [3]:
key_a.p.bit_length()

1024

In [4]:
key_a.q.bit_length()

1024

In [5]:
key_a.modulus_size()

2048

Note that the size of the public modulus `n` is exactly twice that of its prime factors `p` and `q`.

Further, we prove below that `n` is in fact the product of `p` and `q`. Note that `pub_key_a`, which Alice fetched previously from the method `key_a.public_key()`, is in fact the same value as `n`.

In [6]:
key_a.p * key_a.q == key_a.n == pub_key_a

True

Now it's Bob's turn to generate a keypair (to differentiate Bob's keypair from Alice's, we name Bob's `key_b`).

In [7]:
# Bob computes his keypair, and stores his public key in pub_key_b
key_b = rsa.make_key()
pub_key_b = key_b.public_key()

Now that Alice and Bob have generated their keypairs, they must transmit to each other their public keys `pub_key_a` and `pub_key_b`. Once they have done this, they can proceed with the secure message exchange.

Suppose Alice wants to send the following message securely to Bob.

In [8]:
# Alice's message to Bob
mA = "Sign and encrypt me!"

Alice first signs the message.

In [9]:
# Alice signs the message, and stores the signature in sA
sA = key_a.sign(mA)

Next, Alice calls the `rsa` module function `encrypt_key()`, passing it Bob's public key. This computes a session key that will be used to encrypt the private message using a symmetric cipher (e.g., _3DES_ or _AES_).

The function returns the pair `KA` and `cA`, which are, respectively, the symmetric encryption key, and the ciphertext of its input material; the same material Bob will use to recover the session key on his side of the channel.

In [10]:
# Alice computes a session key and stores the plaintext version KA, and the ciphertext version in cA
KA, cA = rsa.encrypt_key(pub_key_b)

Alice must keep the session key `KA` private.

Next, Alice encrypts the message, calling the `encrypt()` function of the symmetric cipher, passing the symmetric key and her message. The function returns the ciphertext of the message.

In [11]:
# Alice encrypts the message, and stores the ciphertext in mAC
mAC = sym.encrypt(KA, mA)

If we inspect the ciphertext, we see that to Eve it would appear as a random string of bytes bearing no resemblance to the original message.

In [12]:
mAC

b'\xa8\xc4p!\x8c\x91\x1f`\n\xdb\xf5\xfe\x06Q\x0c\x83i9$\x84%\xefTa\xf1\xec \x8dV\xfb@\xdc'

Alice transmits the ciphertext of the message `mAC`, the ciphertext of the symmetric key `cA`, and the message signature `sA` to Bob.

In order to decrypt the message, Bob must first decrypt the session key Alice used to encrypt it.

In [13]:
# Bob recovers the session key from its ciphertext
KB = key_b.decrypt_key(cA)

Here we prove that the key Bob decrypted (`KB`), is the same as the key Alice computed (`KA`).

In [14]:
KB == KA

True

Bob calls the `decrypt()` function of the symmetric cipher, passing it the session key and the message ciphertext, to recover Alice's original plaintext.

In [15]:
# Bob decrypts the message cipertext
mB = sym.decrypt(KB, mAC)

Here we prove that the recovered plaintext indeed matches Alice's original message.

In [16]:
mB

'Sign and encrypt me!'

All that remains is for Bob to verify Alice's signature, and thereby prove that the message has not been altered and, further, that it originated from Alice (or, more precisely, that it was signed with Alice's private key).

In [17]:
# Bob verifies the message signature
rsa.verify(pub_key_a, mB, sA)

True

If the `rsa` module function `verify` returns `True`, Bob can be assured that the message "Sign and encrypt me!", even if intercepted by Eve, can be read only by him and Alice; and, further, that the message was not corrupted in any way by Eve.