19

I know that RSACryptoServiceProvider can encrypt with the public key, then it can be decrypted with the private key.

Is it possible to encrypt with the private key and decrypt with the public key using the RSACryptoServiceProvider ?

Eugene Podskal
  • 10,270
  • 5
  • 31
  • 53
guaike
  • 2,471
  • 9
  • 31
  • 42
  • 1
    *"Encrypt with the private key"* is not a valid cryptographic operation. If you are trying to perform that operation, usually you want a ***Signature Scheme with Recovery***. – jww Feb 25 '17 at 07:23

9 Answers9

76

Just to clear things up a bit:

RSA can be used either for encryption (ensuring that Eve cannot read messages that Alice sends to Bob) or for signing (ensuring that if Alice sends a message to Bob, Bob knows that it was actually Alice that sent the message, and not Eve pretending to be Alice)

RSA generates a pair of keys - a public key and a private key. RSA is designed so that if you apply the public key and then apply the private key, or vice versa, you will get the same message back. And the public key can be derived from the private key, but the opposite is impossible.

To use RSA for encryption, Alice encrypts the message using Bob's public key. The only way to read this message is with Bob's private key, which only he has. Thus Eve can't read the message because he does not have this key. On the other hand, this provides no authentication of the source of the message. Eve can also get Bob's public key (since it's public) and send messages to Bob, pretending to be Alice.

To use RSA for signing, Alice takes a hash of the message, encrypts the hash using her own private key, and appends the result (this is the signature) to the message. Eve can of course still decrypt this using Alice's public key. However, Bob can decrypt the signature using Alice's public key and see if it matches. If it does, it must have been encrypted using Alice's private key, which only she has, so it must have come from Alice.

Now, I'm not familiar with the .NET cryptography API, so I'm not sure if it works exactly as described here. But this explanation might help you understand some of the answers you are getting.

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
Alex319
  • 3,818
  • 9
  • 34
  • 40
  • What do you mean by "apply the public key and then apply the private key, or vice versa"? What does "apply" mean here? – WarLord Oct 03 '17 at 12:05
  • What would happen if Alice encrypted the message itself instead of the hash? Wouldn't that be simpler, or is there a security flaw in this? I'm talking about signing of course, not encryption. – Maciej Krawczyk Nov 17 '17 at 19:50
  • 3
    Nitpick -- RSA does not guarantee that the public key cannot be derived from the private key. In fact, this is often trivial to do. [See this answer.](https://stackoverflow.com/questions/696472/given-a-private-key-is-it-possible-to-derive-its-public-key) – GregRos Mar 19 '18 at 13:04
  • @MaciejKrawczyk alice signs with her private key. if she signed the message instead of the hash of the message then Eve would be able to decrypt the signature with the public key and thus obtain the message – Cpt. Senkfuss Jun 21 '19 at 14:06
20

EDIT: I should preface this answer by saying that the specific .NET RSACyrptoServiceProvider likely will not support this, due the cargo cult "knowledge" that this is impossible or the more pragmatic knowledge that this is rarely useful to do in practice.

ORIGINAL:

Everyone claiming that there is no such thing either doesn't know how RSA works, or they are stuck in the "signing" rut.

It is entirely possible, and makes complete sense, to encrypt with the private key. Yes, this is similar to signing, but this is NOT at all what most modern libraries take as signing. To them, this means computing a message digest, or HMAC, and encrypting with the private key. Likening encryption with the private key to signing makes just as much sense as saying that sticking a document in a safe, and leaving the key lying around, is a stand-in for signing the document.

Yes, it IS encrypting, because its the same operation. The private-key encrypted ciphertext is just as illegible as the public-key encrypted ciphertext; one needs both keys to decrypt the ciphertext.

See http://fringe.davesource.com/Fringe/Crypt/RSA/Algorithm.html for reference on the RSA algorithm.

smaudet
  • 609
  • 8
  • 17
  • The two links in [this post](http://stackoverflow.com/a/2350959/1299353) talk to RSA's specific implementation and how secure its private key encryption is – Jett Jan 27 '14 at 21:21
  • 1
    I find this answer is amusing... I'm not sure I would disagree with an academic body of cryptographers and mathematicians. – jww Feb 25 '17 at 05:13
  • Yeah- so this is specific to the RSA implantation though, correct? E and D are the public/private magic, and you only need 1 of them to encrypt/decrypt. It just so happens that RSA includes some other data in the public key P and Q (that could just as well also be in the private key). – therealsix Jan 04 '18 at 23:37
  • 4
    “Yes, it IS encrypting, because its the same operation” No, it is NOT encrypting, because it is not the same operation. The modular exponentiation is the same, but the padding part is different. No common library offers encryption with a private key. I think you're doing what you're accusing others of, which is confusing signature with encryption. – Gilles 'SO- stop being evil' Mar 19 '19 at 01:35
  • I think the only thing I did wrong was to not read the question closely enough @Gilles - https://pastebin.com/ekARXSgp - RSACryptoProvider's lib probably can't do it because that's how MS implemented it. But it does work. If I get around to it I can provide a C# implementation, but that's the C one. The point is it is the same operation "under the hood", not that there are non-primitive algorithms with non-RSA specific impls. RSA doesn't specify padding or encoding scheme. http://people.csail.mit.edu/rivest/pubs/RSA78.pdf Quote me where it does. – smaudet May 23 '19 at 10:27
  • @jww I don't know that I'm disagreeing with any academic bodies. I'm only implementing as commonly done and specified by the original academic paper. As stated before, my only mistake with my answer is that `RSACryptoServiceProvider` likely doesn't provide you with low enough basics to do this. To the best of my knowledge what I've written is not untrue, I'm only disagreeing with some popular nonsense. – smaudet May 23 '19 at 10:31
  • 1
    *"Encrypt with the private key"* is not a valid cryptographic operation. One encrypts with a public key, and decrypts with a private key. Go back to the [uncited] paper and read the definitions again. A signature will be described similar to *"treat the message as an instance of cipher text and perform the decryption operation [with the private key]"*. When folks want to *"encrypt with the private key"* they often mean *"signature scheme with recovery"*. – jww May 23 '19 at 10:50
  • 1
    @blowdart got the answer spot-on, but the crowd at Stack Overflow is no wiser. They rejected the correct answer that was handed to them on a silver platter... That's what happens on developers 2developer answer sites like Stack Overflow. – jww May 23 '19 at 10:54
  • 1
    You might want to read Bernstein's [RSA signatures and Rabin–Williams signatures:the state of the art](https://cr.yp.to/sigs/rwsota-20080131.pdf). It is very approachable, and provides background information and history of RSA, including attacks and counter measures. – jww May 23 '19 at 11:01
  • 1
    @smaudet The 1978 paper introducing the RSA trapdoor permutation is not the fully story in RSA, which wasn't yet understood. The document that codifies RSA as an encryption or signature mechanism is [PKCS #1](https://tools.ietf.org/html/rfc8017), currently at version 2.2. It's not about “cargo cult” or about it being “rarely useful”, it's about people who understand what they're doing, and the fact that applying the RSA trapdoor with the public key is one part of doing RSA encryption, while applying the RSA trapdoor with the private key is not encryption at all. – Gilles 'SO- stop being evil' May 23 '19 at 13:23
  • @Gilles Yes of course, I accept that the full story on RSA is much, much bigger. Nonetheless, the modulus operation doesn't change, the basic math hasn't changed (not AFAIK, the last I heard we were very good at factoring primes but not good enough to break every key over 2048 size reliably). Nevertheless, the 'conventional wisdom' is that it 'can't be done' but, as we say, the quality bar of developers on S.O. may mean that offering a nuanced explanation of what can or cannot be done is not really explored. I think knowledge of the fundamentals is more important than the implementations. – smaudet May 23 '19 at 13:42
  • Not that implementation is not important to get right, but then to be under the impression that such and such is the case without a real case for why seems to be simply wrong. To put it somewhat vulgarly, 9.8 gravity is always the case, except when it isn't. – smaudet May 23 '19 at 13:44
  • @jww Thanks for the links! Perhaps I'll aim to improve this answer over time. I think in part there are too many definitions floating around in the common developer's mind about what constitutes a "cryptographic operation". I think you could perhaps provide or point to a well specified, semantically correct in a particular domain answer. – smaudet May 23 '19 at 13:50
  • @Gilles also one part of your response I didn't reply well to - your definition of "encrypt" meaning to obfuscate - yes this is still doable with the private key. Whether or not people may commonly do this as a way to keep their data secret is a business application. Without using a hashing algorithm you do have the option of going byte by byte and running the modulus operation on every byte. Nobody can see the data without applying your public key to it. Is it slow? Sure. Is it common? No. Is it possible? Yes. – smaudet May 23 '19 at 15:28
  • @smaudet “I think knowledge of the fundamentals is more important than the implementations” — well, precisely. You can _implement_ exponentiation with the private key. But if you understood the fundamentals, you'd understand that this is not _encryption_. It can, however, be part of a decryption or signature operation. If a tree falls in a free-falling accelerator, does it hit the floor? No, but that doesn't mean that it's possible to suspend a tree in the air. – Gilles 'SO- stop being evil' May 23 '19 at 16:26
  • @Gilles In what manner is it not "encrypted". "Encryption is a method of securing data by scrambling the bits of a computer's files so that they become illegible." Bytes are scrambled, they are secured. They are no longer legible without the public key. You can produce a ciphertext from a plaintext by applying the private key to the plaintext. The reverse operation will in fact reverse and the public key will produce a plaintext from a ciphertext. This much is demonstrated. – smaudet May 23 '19 at 17:24
  • Additionally, it is the exact same mathematical operation - so unless you are going to cite some specific counterexample I cannot agree with your position @Gilles - it seems to me you have taken some legal definition or other definition which doesn't line up with the reality. I'm fully aware of signature systems and what they are. Reversing the modulo op is not a signature system at all, and I don't think I ever claimed it to be. You can argue that you should not generally do this and I would generally agree, but you cannot say that you cannot do it. Perhaps an entropic argument could be used. – smaudet May 23 '19 at 17:44
  • I cited the standard that defines RSA above. If you raise an input to the private exponent, that's not encryption, because all you need to do to recover the original is to raise the input to the public exponent, which is not secret. To achieve encryption, the public exponent would have to remain secret, but RSA keys are generated with a fixed value (see e.g. the [NIST SP 800-56B §6.2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf)), usually a very small value (65537 is the overwhelmingly popular choice), so the public exponent is known or easily guessable. – Gilles 'SO- stop being evil' May 23 '19 at 18:21
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/193889/discussion-between-smaudet-and-gilles). – smaudet May 24 '19 at 13:43
  • As far as your analogy goes, no. You would have us believe to use a tree you must transplant it forest to forest - there are plenty of valid uses for twigs, branches, leaves. You speak of the RSA cryptosystem. There are primitive operations and non primitive operations. The operation remains the method of encryption, whether or not it completes the cryptosystem. – smaudet May 24 '19 at 13:48
  • NIST SP 800-56B or the security of the keys is not relevant to whether or not it constitutes an encryption operation or not. A Caesar cipher is an example of an extremely simple system with easily guessible key that is still encryption. – smaudet May 24 '19 at 14:58
6

Performing the raw RSA operation with the private key is usually called the decryption operation (just as performing it with the public key is called the encryption operation).

It is useful to have access to this operation - for example to implement an operation that is not supported by the framework.

The operation exists: it is the DecryptValue-method, which is defined by RSACryptoServiceProvider's base-class: System.Security.Cryptography.RSA. Unfortunately, it is not supported by RSACryptoServiceProvider (since the underlying win32-api, CryptoAPI, does not support it). If you could get hold of another .NET-implementation of the RSA-class, you would be able to do it, however.

Rasmus Faber
  • 48,631
  • 24
  • 141
  • 189
5

No. That's not how any public/private key encryption works. You can only encrypt with the public key, and only decrypt with the private key.

If you want to apply the private key to a message, maybe you're looking for a signature, rather than encryption? This is a different cryptographic scheme that can also use RSA keys.

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
blowdart
  • 55,577
  • 12
  • 114
  • 149
  • 1
    Thanks!I want to do Serial Number for protect my software,if RSA can't encrypt with private key,How to do by other way? – guaike Jul 25 '09 at 07:16
  • 19
    Actually, encrypting with a private key can have it's uses. You can encrypt and release something, and the "public" can decrypt the message with your *public* key, therefore knowing that the encrypted file came from you. It works as a rudimentary form of a signature/authentication. The old dos-based PGP allowed this. – CraigTP Jul 25 '09 at 08:05
  • 8
    Craig you're talking about signing, which is an entirely different thing. Signing isn't encryption (although it is cryptography). Even then the signature can only be generated with the private key, but checked with the public one. – blowdart Jul 25 '09 at 08:15
  • Guakie if you want to do it with encryption then have the client software generate it's own RSA keypair. Then as part of the registration it sends you the public key and you encrypt the serial number for that client against it. That way only that client can decrypt it. – blowdart Jul 25 '09 at 08:17
  • Hi,blowdart,thank you for your reply. This is very helpful to me. By the way,If I use the privatekey in the server-side signature generation licence,and client use publicKey validate it,Is this way secure? – guaike Jul 25 '09 at 13:39
  • 1
    It really depends what you want to do. If all you want is signed issuance of license keys that's fine. If you want to encrypt the license key against a specific client then you should sign it with a private key on the server, and expose the public key so the signature can be checked. – blowdart Jul 25 '09 at 13:54
  • 3
    To clear things up, if you're using RSA, mathematically, yes you can encrypt with your private key, which can only be decrypted by the public key. However, workflow-wise, it usually doesn't really make much sense to do so (except in the specific use case as part of creating a digital signature). – Lie Ryan Jun 17 '15 at 13:45
  • 1
    This answer seems misleading...the question asked is _can_ it be done (which is the question I had), and this answer begins with "No", when in fact it can (although as stated, why you would want to do that is another question) – davidhood2 May 14 '17 at 11:46
  • 5
    @davidhood2 No, this answer is correct. It's of course possible to apply the RSA exponentiation with the private key, but then what you're doing is not encryption. – Gilles 'SO- stop being evil' May 23 '19 at 13:26
5

Fortunately no. You can however sign with the private key and verify the signature with the public key.

While the math involve makes sense when the key roles are reversed (and this is how signatures work), encrypting for privacy doesn't make much sense when the decryption key is well know and public.

Remus Rusanu
  • 288,378
  • 40
  • 442
  • 569
  • Well when the math is reversed the inverse function would take a much longer time to finish, an unfeasibly long time. – Sean A.O. Harney Jul 25 '09 at 07:23
  • 1
    by 'reverse the math' I mean the math doesn't care if e and d in the algorithm are swapped. This is what signing does: encrypt the message hash digest with the private key (the private exponent 'd'). Obviously I did not mean the computation direction can be reversed. – Remus Rusanu Jul 25 '09 at 17:06
1

You can do both; encrypt with private and decypt with public, OR, encrypt with public and decrypt with private. You can not encrypt then decrypt with private key only, nor can you do the same with public keys alone.

Remus nailed it; encrypting with the private key doesn't make much sense when the decryption key is well know and public.

Also, you can derive the public key from the private key, but not vice versa.

Attila
  • 19
  • 2
  • I find this answer is amusing, too... I'm not sure I would disagree with an academic body of cryptographers and mathematicians. – jww Feb 25 '17 at 05:14
  • 1
    Yes, even I am wondering the point of encrypting with the private key, when the public key is supposed to be known. Unless, its like , that the public key (even though) named 'public; is not really made public to all, but only to the concerned party. – Binita Bharati Jul 24 '17 at 07:22
1

This is what I understand RSA signature.

pseudo code:

First Alice made a signature:

alice_signature = encrypt(alice_message, alice_private_key)

Then Bob Eve... (anyone who having alice_public_key) verify the signature:

decrypted_message = decrypt(alice_signature, alice_public_key)

To confirm:

if(received_message_from_alice == decrypted_message)
  the signature proved the message is from alice
JustWe
  • 4,250
  • 3
  • 39
  • 90
0

You can both encrypt and decrypt with PrivateKey. PrivateKey infact contains both Private and PublicKey.

Theoretically at least you can encrypt with PublicKey and decrypt with PrivateKey and vice-versa. In VB.net I see the first case works and secondcase throws BadKey error

user1770145
  • 9
  • 1
  • 3
    I have to encrypt with PrivateKey and decrypt with PublicKey. After one day of failed attempts I understood that `RSACryptoServiceProvider.Encrypt` always uses PublicKey even when `RSACryptoServiceProvider` object is created from PrivateKey. On the other hand I cannot use `Sign` because it requires hash algorithm but I want to encrypt data w/o hash. In other words, the problem is in .Net implementation. – i486 Jun 30 '15 at 09:52
-1

The security of public key cryptosystems rests on the fact that the sign()/encrypt() function is a one-way function in that it would take an infeasible amount of time to decrypt it without the public key "trap-door".

Also, usually the generated keys are not the same length, although they could be. There is a lot of papers about asymmetric key length with RSA.

Sean A.O. Harney
  • 23,901
  • 4
  • 30
  • 30