Given a private key, is it possible to derive its

2019-01-13 06:11发布

问题:

From whatever little I understand by reading various material, public-private key pair are the basis of assymetric encryption and also something about choosing 2 prime numbers (which is roughly your private key) and multiplying them (which is roughly your public key), I appears that it is possible to generate a public key if you know the private key. Is it correct or I am mistaking something?

[EDIT]

What made me more confusing was that it is not possible to serialize the RSA key to XML with only private key (using .NET class RSACryptoServiceProvider). Not sure whether this limitation is intentional or not!

回答1:

That depends on the crypto system.

In RSA, we have (citing Wikipedia):

The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the modulus n and the private (or decryption) exponent d which must be kept secret.

Now if we have n and d (the private key), we are only missing e for the public key. But e is often fairly small (less than three digits), or even fixed (a common value is 65537). In these cases getting the public key is trivial.

For Elliptic Curve Diffie-Hellman, the private key is d, and the public key dG (with G also public), so it's trivial as well.



回答2:

In most asymmetrical crypto system implementation, the only fact that is ensured is that you cannot find the private key from the public key. The other way round, finding the public key from the private key is trivial in most case.

For instance, in RSA, you can create public key from private key with:

openssl rsa -in private.pem -pubout -out public.pem

What is misleading is the terminology: "private key" refers to 2 different concepts whether you are speaking of the theory, or wether you are speaking of practical implementation:

  • The theoretical private key is the couple (d, n) which shares perfect symmetrical (mathematical) relation with (e, n). If you are comparing these, one cannot be computed from the other.
  • The practical private key (as in openssl implementation for example), refers to a file containing (d, n) but also several important intermediate values for decoding speed purpose. In addition to that, the theoretically "unknown" part of the public key e is often fixed to common values by convention (which is 0x10001 by default in openssl and albeit it can be changed, it is strongly recommended to stick to only very specific values). So deducing the public key (e, n) from the private key is trivial for more than one reason.


回答3:

It depends on the algorithm, and what you mean by "private key".

RSA private keys are often stored in their "Chinese Remainder Theorem" form. For example, the RSAPrivateKey structure defined in PKCS #1 and re-used by many other crypto standards take this form. This form includes the two secret numbers often denoted p and q, from which the totient is computed. With totient and the private exponent, the public exponent is quickly computed.

In any case, most RSA key pairs use 65537 as the public exponent, and the modulus is always carried as part of the private key.



回答4:

In ANY public key crypto system the public key is mathematically related to the private key. It's very simple.

The public key is derived from the private key at generation time, and with the private key at any point in the future it is possible to re-derive the public key easily.

It is not feasible to go the other way. Given a public key it is not easy to derive the private key. That's why we can safely share public keys with other people. If you have enough time/CPU cycles you could brute force it but it's probably easier to wait for a mathematical attack on the key.



回答5:

For the specific case of OpenSSH and ssh-keygen, yes you can:

ssh-keygen -y

This option will read a private OpenSSH format file and print an public key to stdout.


Generally, it depends on the algorithm and what you label the private key. However, any sensible implementation will include the complete information (public and private keys) in the secret file.



回答6:

Yes with access to the private key the public key can be generated



回答7:

public key is modulus N (and public exponent e, usually 65537), private key is given by the two primes p, q (and private exponent d, sometimes also CRT parts d_p, d_q for speedup) essentially you have N=pq and ed=1 mod ((p-1)(q-1)), you can also compute d_p and d_q using CRT given private key, computation of public key modulus is "boring" multiplication and public exponent is in specification or computed using extended euclid algorithm if standard e was not good enough. given public key, computation of private key requires either finding d (RSA problem) or p,q (factoring, see number field sieve for best algo to do this). These problems are shown to be equivalent under reasonable conditions [Breaking RSA Generically is Equivalent to Factoring, D. Aggarwal and U. Maurer, 2008]



回答8:

There is a misconception on what the private key is. The private key is just the (d,n) pair and, given only that, it is infeasible to generate the public key from it unless you can assume that the public exponent is 65537, which is the case on almost all rsa keys.

If, for any reason, the public exponent is a larger number you cannot create the public key from the private one.

That said, the value stored as "private key" to pem files is not just the private key, but also contains the prime factors (among other things) and, therefore, it's easy to generate the public key from it.



回答9:

It is theoretically possible but for large keys computationally infeasible.