CryptoSys PKI Toolkit Simple RSA Encryption

Public key encryption is generally used to encrypt a session key and the session key used to encrypt the main body of the message using a faster, symmetric block cipher.

There are occasions when we want to encrypt a short message, shorter than the key length. In that case, we can use the RSA_RawPublic and RSA_RawPrivate functions to carry out encryption and decryption directly.

[Version 2.6 update: you can do this much easier using the new RSA_EncodeMsg function. See RSA Techniques.]

The general principle is that the recipient, Bob, who wants secret messages sent to him, publishes his public key and keeps his private key secret. If Alice wants to send a secret message to Bob, she encrypts it using Bob's public key and sends the resulting ciphertext. Bob uses his private key to decrypt the message. An eavesdropper who intercepts the ciphertext cannot use the public key to decrypt it.

This example shows how we could do encryption of a short text message. We use a 512-bit key, which is the smallest you should use for security. 1024 is the recommended minimum these days, but we use 512 to keep the output a bit shorter in this example.

Copy this Visual Basic module into your VB project or VBA application (in VBA remove the first line beginning with Attribute VB_Name). Add another module with basCrPKI.bas in it from the PKI download.

The function CreateTestKeys is a one-off function that creates a unique pair of public and private keys. In practice, you would run this once on your system and keep the private key file and its password somewhere safe (and please use a decent password!). Each time you run this function, you will get a completely different pair of keys. You will never get your first set back again.

Use these BIN files which we created earlier so you can see similar results to what we got. You won't get exactly the same because of the random padding bytes, but the keys should match.

The function TestEncrypt shows the two parts of the process. The first part reads the intended recipient's public key into a string in "internal" format. The function then creates an encryption block of exactly the correct length (in this case 512 bits / 8 = 64 bytes) and encrypts it using the public key.

The encryption block is made as follows:

|<------------------(64 bytes)---------------->|
+--+--+-------+--+-----------------------------+
|00|02|PADDING|00|      DATA TO ENCRYPT        |
+--+--+-------+--+-----------------------------+

The padding is made up of at least eight non-zero random bytes.

IMPORTANT: It is critical that the encryption block is exactly the same length as the key (in this case 64 bytes) or an error will occur.

The second part shows how to decrypt using the private key. As this is just a demonstration, we have hard-coded the password for the encrypted private key. NEVER do this in practice.

For proper security, you would re-write this part of the code to require the user to enter the password at the time and not have any secrets hard-coded at all.

To send the encrypted data to the recipient, you could do one of the following:

  1. Send the data encoded in hexadecimal, e.g. "93A89A40...2D282285".
  2. Encode abBlock() into base64, which is shorter although still a handful. In your app you would need to decode this string back to binary before decrypting.
  3. Save the byte data in abBlock() directly to a binary file.
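As an added example (Python, not the toolkit's VB module and not its API), the following puts the pieces described above into working code: the 00 02 PADDING 00 DATA block from the diagram, the rule that the padding is at least eight non-zero random bytes, the exact-length check, the raw public and private operations, and option 1's hexadecimal encoding of the ciphertext. The toolkit's RSA_RawPublic/RSA_RawPrivate calls are replaced by pow() on the block read as a big integer; the key generator, function names and sample message are my own assumptions. The 512-bit key size copies the page's example and is far too small for real use.

```python
import math
import secrets

# Added example, not CryptoSys toolkit code: PKCS#1 v1.5 "block type 2" padding
# plus textbook raw RSA on Python integers. All helpers below are hypothetical.


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness of compositeness found
    return True


def generate_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit forced to 1, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 512, e: int = 65537):
    """Return (n, e, d) with a modulus of exactly `bits` bits."""
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)      # modular inverse (Python 3.8+)


def key_len_bytes(n: int) -> int:
    """Key length in bytes: 64 for a 512-bit modulus."""
    return (n.bit_length() + 7) // 8


def make_encryption_block(data: bytes, k: int) -> bytes:
    """Build the k-byte block 00 02 <PS> 00 <DATA>; PS is >= 8 non-zero random bytes."""
    if len(data) > k - 11:                    # 3 fixed bytes + at least 8 of padding
        raise ValueError(f"data too long: at most {k - 11} bytes fit in a {k}-byte block")
    ps = bytes(1 + secrets.randbelow(255) for _ in range(k - 3 - len(data)))  # 1..255
    return b"\x00\x02" + ps + b"\x00" + data


def parse_encryption_block(eb: bytes, k: int) -> bytes:
    """Reverse of make_encryption_block; rejects any malformed block."""
    if len(eb) != k or eb[:2] != b"\x00\x02":
        raise ValueError("bad block header")
    sep = eb.find(b"\x00", 2)                 # first zero byte after the header
    if sep < 10:                              # -1 (none) or fewer than 8 padding bytes
        raise ValueError("bad padding")
    return eb[sep + 1:]


def rsa_raw(block: bytes, exponent: int, n: int) -> bytes:
    """Raw RSA (public or private op): enforces the 'exactly key length' rule."""
    k = key_len_bytes(n)
    if len(block) != k:
        raise ValueError(f"block must be exactly {k} bytes, got {len(block)}")
    m = int.from_bytes(block, "big")
    if m >= n:
        raise ValueError("block value is not less than the modulus")
    return pow(m, exponent, n).to_bytes(k, "big")


def encrypt_message(msg: bytes, n: int, e: int) -> str:
    """Pad and encrypt with the public key; return the ciphertext as hex (option 1)."""
    return rsa_raw(make_encryption_block(msg, key_len_bytes(n)), e, n).hex()


def decrypt_message(ct_hex: str, n: int, d: int) -> bytes:
    """Decode the hex, apply the private key and strip the padding."""
    return parse_encryption_block(rsa_raw(bytes.fromhex(ct_hex), d, n), key_len_bytes(n))


if __name__ == "__main__":
    n, e, d = generate_rsa_key(512)                         # constructed demo key
    ct = encrypt_message(b"Hello Bob, this is Alice", n, e)  # constructed sample message
    print("ciphertext (hex):", ct)
    print("decrypted       :", decrypt_message(ct, n, d))
```

Two points the code makes concrete: with a 64-byte key the longest message that fits is 64 - 11 = 53 bytes, and the same block is rejected if it is one byte short or long before any modular arithmetic happens. The parser refuses malformed blocks outright; in a deployed system, how such failures are reported to a remote sender matters, because distinguishable padding errors on PKCS#1 v1.5 blocks give a padding oracle (Bleichenbacher, 1998), which is one reason modern practice prefers OAEP padding for RSA encryption.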

As we say in the manual, the Toolkit assumes a reasonable knowledge of cryptography and advanced VB/VBA skills. You also need to understand the difference between binary characters and the same data encoded in hexadecimal or base64. Also it helps to remember that "Encrypt = make secret" but "Encode = convert format, not necessarily in a secret manner".

See a simple example of using RSA for digital signing.

Data files

This page last updated: 27 August 2006


Copyright © 2004-6 D.I. Management Services Pty Limited ABN 78 083 210 584, Sydney, Australia. All rights reserved.
<www.di-mgt.com.au>   <www.cryptosys.net>