Public key encryption is generally used to encrypt a session key and the session key used to encrypt the main body of the message using a faster, symmetric block cipher.
There are occasions when we want to encrypt a short message, shorter than the key length.
In that case, we can use the
functions to carry out encryption and decryption directly.
[Version 2.6 update: you can do this much more easily using the new
See RSA Techniques.]
The general principle is that the recipient, Bob, who wants secret messages sent to him, publishes his public key and keeps his private key secret. If Alice wants to send a secret message to Bob, she encrypts it using Bob's public key and sends the resulting ciphertext. Bob uses his private key to decrypt the message. An eavesdropper who intercepts the ciphertext cannot use the public key to decrypt it.
This example shows how we could do encryption of a short text message. We use a 512-bit key, which is the smallest you should use for security. 1024 is the recommended minimum these days, but we use 512 to keep the output a bit shorter in this example.
Copy this Visual Basic module into your VB project or VBA application (in VBA remove the first line beginning with Attribute VB_Name). Add another module with basCrPKI.bas in it from the PKI download.
CreateTestKeys is a one-off function that creates a unique pair of public and private keys. In practice, you would run this once on your system and keep the private key file and its password somewhere safe (and please use a decent password!). Each time you run this function, you will get a completely different pair of keys. You will never get your first set back again.
Use these BIN files which we created earlier so you can see similar results to what we got. You won't get exactly the same because of the random padding bytes, but the keys should match.
TestEncrypt shows the two parts to the process. The first part reads the intended recipient's public key into a string in "internal" format. The function then creates an encryption block of exactly the correct length (in this case 512 bits / 8 = 64 bytes) and encrypts it using the
The encryption block is made as follows:

    |<------------------(64 bytes)---------------->|
    +--+--+-------+--+-----------------------------+
    |00|02|PADDING|00|       DATA TO ENCRYPT       |
    +--+--+-------+--+-----------------------------+

The padding is made up of at least eight non-zero random bytes.
IMPORTANT: It is critical that the encryption block is exactly the same length as the key (in this case 64 bytes) or an error will occur.
The second half shows how to decrypt using the private key. As this is just a demonstration, we have hard-coded the password for the encrypted private key. NEVER do this in practice.
For proper security, you would re-write this part of the code to require the user to enter the password at the time and not have any secrets hard-coded at all.
To send the encrypted data to the recipient, you could do one of the following:
1. Encode the byte array abBlock() into base64, which is shorter although still a handful. In your app you would need to decode this string back to binary before decrypting.
2. Write abBlock() directly to a binary file.
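The block layout drawn above (00, 02, at least eight non-zero random padding bytes, 00, then the data) and the base64 transport option are the parts of this procedure that are easiest to get wrong. The following Python example, added here and not part of the Toolkit's own VB code, builds such a block for a 64-byte (512-bit) key, enforces the "exactly key length" rule, and shows the matching parse step the recipient runs after the private-key operation. The RSA encrypt/decrypt itself is assumed to be done by the Toolkit (or any RSA library) on the 64-byte block; the function names, the constant MIN_PAD_LEN and the sample message are this example's own.

```python
import base64
import secrets

# Layout from the page (PKCS#1 v1.5 block type 2):
#   00 || 02 || PADDING || 00 || DATA
# PADDING is at least eight non-zero random bytes and the whole block is
# exactly k bytes, where k is the key length in bytes (64 for a 512-bit key).
MIN_PAD_LEN = 8          # assumption: name chosen for this example


def max_data_len(key_bytes):
    """Longest message that fits: k minus the three fixed bytes and the minimum pad."""
    return key_bytes - MIN_PAD_LEN - 3


def make_encryption_block(data, key_bytes):
    """Build the k-byte block that is handed to the raw RSA encrypt step."""
    if len(data) > max_data_len(key_bytes):
        raise ValueError(
            f"data too long: {len(data)} bytes, max {max_data_len(key_bytes)} "
            f"for a {key_bytes}-byte key")
    pad_len = key_bytes - len(data) - 3
    # Random padding drawn from 1..255 so no byte can be mistaken for the separator.
    padding = bytes(secrets.randbelow(255) + 1 for _ in range(pad_len))
    block = b"\x00\x02" + padding + b"\x00" + data
    # The rule the page calls critical: block length must equal key length.
    if len(block) != key_bytes:
        raise AssertionError("internal error: block length != key length")
    return block


def parse_encryption_block(block, key_bytes):
    """Recover DATA from a block after RSA decryption, rejecting malformed input."""
    if len(block) != key_bytes:
        raise ValueError("block length does not match key length")
    if block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("not a block type 2 encryption block")
    sep = block.find(b"\x00", 2)          # first zero byte after the 00 02 header
    if sep == -1:
        raise ValueError("missing 00 separator after padding")
    if sep - 2 < MIN_PAD_LEN:
        raise ValueError("padding shorter than eight bytes")
    return block[sep + 1:]


# Transport helpers for option 1 above: base64 on the wire, binary again before decrypting.
def block_to_base64(block):
    return base64.b64encode(block).decode("ascii")


def block_from_base64(text):
    return base64.b64decode(text)


if __name__ == "__main__":
    KEY_BYTES = 64                       # 512-bit key as in the page's example
    message = b"Hello world!"            # constructed sample message
    eb = make_encryption_block(message, KEY_BYTES)
    print("encryption block:", eb.hex())
    wire = block_to_base64(eb)           # what you would actually send
    print("base64:", wire)
    recovered = parse_encryption_block(block_from_base64(wire), KEY_BYTES)
    print("recovered:", recovered)
```

Note that the parser above reports which check failed, which is convenient while debugging but not something a deployed decryptor should reveal to the sender: distinguishable padding failures on PKCS#1 v1.5 block type 2 are exactly what Bleichenbacher's 1998 attack exploits, so production code should report a single generic decryption failure and, where the library offers it, prefer the newer OAEP padding.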
As we say in the manual, the Toolkit assumes a reasonable knowledge of cryptography and advanced VB/VBA skills. You also need to understand the difference between binary characters and the same data encoded in hexadecimal or base64. Also it helps to remember that "Encrypt = make secret" but "Encode = convert format, not necessarily in a secret manner".
See a simple example of using RSA for digital signing.
This page last updated: 27 August 2006