4.1.1 RSA Keys

An RSA asymmetric key pair is comprised of matching public and private keys.

An RSA public key consists of an encryption exponent e and an arithmetic modulus n, which are both public quantities typically carried in a public-key certificate. For the value of e, Annex C to X.509 suggests the use of Fermat's Number F4 (65537 decimal, or 1+2**16) as a value "common to the whole environment in order to reduce transmission capacity and complexity of transformation", i.e., the value can be transmitted as 3 octets and at most seventeen (17) multiplications are required to effect exponentiation. As an alternative, the number three (3) can be employed as the value for e, requiring even less octets for transmission and yielding even faster exponentiation. For purposes of PEM, the value of e shall be either F4 or the number three (3). The use of the number three (3) for the value of e is encouraged, to permit rapid certificate validation. An RSA private key consists of a decryption exponent d, which should be kept secret, and the arithmetic modulus n. Other values may be stored with a private key to facilitate efficient private key operations (see PKCS #1 [11]).

For purposes of PEM, the modulus n may vary in size from 508 to 1024 bits.

Two ASN.1 object identifiers have been defined to identify RSA public keys. In Annex H of X.509 [8], the object identifier

     rsa OBJECT IDENTIFIER ::= {
         joint-iso-ccitt(2) ds(5) algorithm(8)
         encryptionAlgorithm(1) 1
     }

is defined to identify an RSA public key. A single parameter, KeySize, the length of the public key modulus in bits, is defined for use in conjunction with this object identifier. When this object identifier is used with the ASN.1 type AlgorithmIdentifier, the parameters component of that type is the number of bits in the modulus, ASN.1 encoded as an INTEGER.

Alternatively, in PKCS #1 [11], the ASN.1 object identifier

     rsaEncryption OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1)
         pkcs-1(1) 1
     }

is defined to identify both an RSA public key and the RSAEncryption process. There are no parameters defined in conjunction with this object identifier, hence, when it is used with the ASN.1 type AlgorithmIdentifier, the parameters component of that type is the ASN.1 type NULL.

A compliant PEM implementation may optionally generate an RSA public-key certificate that identifies the enclosed RSA public key (within the SubjectPublicKeyInformation component) with either the "rsa" or the "rsaEncryption" object identifier. Use of the "rsa" object identifier is encouraged, since it is, in some sense, more generic in its identification of a key, without indicating how the key will be used. However, to facilitate interoperability, a compliant PEM implementation shall accept RSA public-key certificates that identify the enclosed RSA public key with either the "rsa" or the "rsaEncryption" object identifier. In all cases, an RSA public key identified in an RSA public-key certificate with either the "rsa" or "rsaEncryption" object identifier, shall be used according to the procedures defined below for asymmetric encryption algorithms and asymmetric signature algorithms.