I have modulus and private exponent. How to construct RSA private key and sign a message?

Question

I am newbie in cryptography and pycrypto.

I have modulus n and private exponent d. From what I understand after reading some docs private key consists of n and d.

I need to sign a message and I can't figure out how to do that using pycrypto. RSA.construct() method accepts a tuple. But I have to additionally provide public exponent e to this method (which I don't have).

So here is my question. Do I have to compute e somehow in order to sign a message?

It seems I should be able to sign a message just by using n and d (that constitute private key). Am I correct? Can I do this with pycrypto?

Thanks in advance.

You DON'T have the public key? – Emil Vikström May 21 '12 at 16:52 — Emil Vikström, May 21 '12 at 16:52

mata · Accepted Answer · 2012-05-22T07:57:03.727

4

Actually for decrypting a message encrypted with the public key it's enough to have the private exponent.

That also means you can sign a message, because signing basically is just *de*crypting the plaintext with the private key, which when *en*crypted with the public key will give the plaintext again. Usually you use a hash digest on the plaintext before and sign that...

The reason why you can't decrypt a message uing only n and d with pyrcypto is that it does a blinding step during message decryption, which involves the public exponent, but isn't really needed for the decryption.

But by using some calls to the private API this step can be bypassed.

Therefore this should work:

from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, long_to_bytes

full = RSA.generate(2048)

# construct key using only n and d
try:
    # pycrypto >=2.5, only tested with _slowmath
    impl = RSA.RSAImplementation(use_fast_math=False)
    partial = impl.construct((full.n, 0L))
    partial.key.d = full.d
except TypeError:
    # pycrypto <=2.4.1
    partial = RSA.construct((full.n, 0L, full.d))   



pub = full.publickey()

# create message with padding
# http://en.wikipedia.org/wiki/RSA_%28algorithm%29#Padding_schemes
cleartext = ...

signature = partial.sign(cleartext, None)

print "validating message: ", pub.verify(cleartext, signature)


message = pub.encrypt(cleartext, None)

# bypassing the blinding step on decrypt
enc_msg=map(bytes_to_long, message)
dec_msg = map(partial.key._decrypt, enc_msg)

print "decrypting: "
for m in dec_msg:
    print long_to_bytes(m)

edited May 22 '12 at 07:57

answered May 21 '12 at 18:36

mata

67,110
10
163
162

4

Any piece of code (like this one) where RSA signing is done without padding is *dead* *wrong*, no matter if it works or not. – SquareRootOfTwentyThree May 21 '12 at 19:34
Modded down for the very first sentence, you cannot sign with the public key. – Maarten Bodewes May 21 '12 at 20:33
@owlstead - uups, that was a mistake of course... fixed that. – mata May 21 '12 at 20:46
1

@SquareRootOfTwentyThree - wrong? not to use padding makes attacks easier, but it doesn't really change how the algorithm basically works. I'm no expert in cryptography, so I just gave a simple example. I've changed it now not to use any concrete message format. – mata May 21 '12 at 21:18
@SquareRootOfTwentyThree, is [this RSA signing example](http://stackoverflow.com/questions/4232389/signing-and-verifying-data-using-pycrypto-rsa) also wrong due to no padding? – Mike Pennington May 21 '12 at 21:22
2

@mike-pennington Yes, that example is totally wrong. First, RSA is used without padding (you should create it by yourself or use the [PKCS#1 module](https://www.dlitz.net/software/pycrypto/api/current/Crypto.Signature.PKCS1_v1_5-module.html) ). Second, K is chosen incorrectly for DSA and ElGamal. – SquareRootOfTwentyThree May 22 '12 at 04:43
@mata Thanks for your answer. But when I construct RSA such as `partial = RSA.construct((full.n, 0L, full.d))` it throws an error: `ValueError: Unable to compute factors p and q from exponent d`. So is there another way to construct RSA partially, just to be able to sign a message? – Maxim May 22 '12 at 05:43
@Maxim - seems there was a change in the API on pycrypto 2.5. Should work now. – mata May 22 '12 at 07:30

score 3 · Answer 2 · answered May 21 '12 at 17:02

No, you can't compute e from d.

RSA is symmetric in d and e: you can equally-well interchange the roles of the public and the private keys. Of course, we choose one specially to be private and reveal the other -- but theoretically they do the same thing. Naturally, since you can't deduce the private key from the public, you can't deduce the public key from the private either.

Of course, if you have the private key that means that you generated the keypair, which means that you have the public key somewhere.

Maarten Bodewes · Answer 3 · 2012-05-22T19:23:01.060

2

If you don't have the public exponent you may be able to guess it. Most of the time it's not a random prime but a static value. Try the values 65537 (hex 0x010001, the fourth number of Fermat), 3, 5, 7, 13 and 17 (in that order).

[EDIT] Simply sign with the private key and verify with the public key to see if the public key is correct.

Note: if it is the random prime it is as hard to find as the private exponent; which means you would be trying to break RSA - not likely for any key sizes > 512 bits.

edited May 22 '12 at 19:23

answered May 21 '12 at 18:20

Maarten Bodewes

90,524
13
150
263

Good answer. I would add that it may be even quicker to check what the party verifying the signature is going to use... – SquareRootOfTwentyThree May 21 '12 at 19:29
@SquareRootOfTwentyThree hmm, was indeed about signing, changed my answer slightly :) – Maarten Bodewes May 21 '12 at 20:31
@owlstead Thanks for pointing that out. The main question is: how do I sign a message provided that I only have modulus `n` and private exponent `d`? – Maxim May 22 '12 at 05:52
1

Just try out the above values, sign with the resulting private key. Leave the private exponent out and verify with the resulting public key. If the verify is correct, then you've found the public exponent. Note that it is a stupid restriction of pycrypto to require the public exponent, even though it would be useful for blinding. It's officially not part of the private key. Normally it's not a problem because you should always have the public key as well. – Maarten Bodewes May 22 '12 at 07:33
@owlstead Public exponent is officially part of the private key. Please check definition of ASN.1 RSAPrivateData object. Additionally, blinding should be mandatory in all libraries. A library that allowed to import private exponent only without the public one would surely expose you to side channel attacks. **That** I call a stupid library... – SquareRootOfTwentyThree May 22 '12 at 09:36
1

@SquareRootOfTwentyThree ASN.1 is only a container format. Check paragraph 3.2 of RFC 3447 for the definition of a private key (and notice that I did not write that standard, RSA labs did). Of course I'm with you regarding the blinding issue, at least for 90% of use cases. Distributing an RSA private key without the public key or exponent is a a mild form of madness, both PKCS#1 ASN.1 definition and XML definitions contain the public exponent. So somebody made a proprietary format without one, bad call that. – Maarten Bodewes May 22 '12 at 19:20

I have modulus and private exponent. How to construct RSA private key and sign a message?

3 Answers3