RSA Key Pairs: How They Work and How to Generate Them

Understand RSA public/private key cryptography. Learn key sizes, use cases, and generate key pairs in your browser.

What Is RSA?

RSA (named after Rivest, Shamir, and Adleman, who published the algorithm in 1977) is the world's most widely used asymmetric encryption algorithm. Unlike symmetric encryption (one key for both encryption and decryption), RSA uses a mathematically linked key pair: a public key and a private key.

The fundamental property: what one key encrypts, only the other key can decrypt. This asymmetry enables secure communication between parties who have never met or shared a secret.

The Mathematics Behind RSA (Simplified)

RSA security is based on the integer factorization problem: multiplying two large prime numbers is computationally trivial, but factoring the result back into its prime factors is practically impossible for large enough numbers.

  1. Choose two large random primes: p = 61, q = 53 (in practice, 1024+ digit numbers)
  2. Compute n = p × q = 3233 (the modulus, shared publicly)
  3. Compute φ(n) = (p-1)(q-1) = 3120 (Euler's totient)
  4. Choose the public exponent e such that gcd(e, φ(n)) = 1 (commonly 65537; this example uses e = 17)
  5. Compute the private exponent d = e⁻¹ mod φ(n) = 2753
  6. Public key: (e, n) = (17, 3233)
  7. Private key: (d, n) = (2753, 3233)

Computing the private exponent d requires φ(n), and therefore p and q, which cannot be efficiently recovered from n when n is large enough.

Key Operations

Encryption

Encrypt message M with public key: C = M^e mod n

Decrypt ciphertext C with private key: M = C^d mod n

Digital Signatures

Sign data D with private key: S = D^d mod n (or hash(D)^d mod n)

Verify signature S with public key: D = S^e mod n

This means anyone can verify a signature using the public key, but only the private key holder could have created it.

Key Sizes and Security

| Key Size | Security Level | Use Case |
|---|---|---|
| 512 bit | Broken | Do not use |
| 1024 bit | Weak | Legacy only |
| 2048 bit | ~112-bit security | ✅ Minimum recommended |
| 3072 bit | ~128-bit security | Good for 2030+ |
| 4096 bit | ~140-bit security | High-security systems |

NIST recommends 2048-bit RSA as the minimum through 2030, then 3072+ bit thereafter. The overhead of 4096-bit keys is significant — handshake latency increases measurably for web servers under load.

Common RSA Applications

SSH Authentication

Replace password-based login with key-based authentication:

# Generate RSA key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id user@server.com

# Connect without password
ssh user@server.com

The public key is stored in ~/.ssh/authorized_keys on the server. The private key never leaves your machine.

HTTPS / TLS

Every HTTPS connection uses asymmetric cryptography (RSA or ECDSA) during the handshake to establish a shared symmetric session key. The public half of the website's RSA key pair is embedded in its TLS certificate; the private key stays on the server.

Code Signing

Software publishers sign releases with their private key. Users can verify the signature with the public key to confirm the software hasn't been modified.

JWT (RS256 Algorithm)

JSON Web Tokens can be signed with an RSA private key (RS256). API consumers can verify signatures using the public key, enabling stateless authentication without sharing a secret.

RSA vs ECDSA: The Modern Alternative

Elliptic Curve Cryptography (ECDSA/ECDH) provides equivalent security to RSA with much smaller key sizes:

| Algorithm | Key Size | Security Level |
|---|---|---|
| RSA | 3072 bit | 128-bit |
| ECDSA | 256 bit | 128-bit |

A 256-bit ECDSA key is as secure as a 3072-bit RSA key. For new systems, ECDSA (or Ed25519) is generally preferred due to smaller key sizes, faster computation, and smaller signature sizes.

Public Key Infrastructure (PKI)

RSA keys are typically distributed via certificates following the X.509 standard. A Certificate Authority (CA) signs a certificate binding a public key to an identity (domain name, email address, or person). Browsers and operating systems maintain a list of trusted CAs.

Generating RSA Keys with This Tool

This browser-based tool generates RSA key pairs locally — no keys are transmitted to any server. You can:

  • Choose key size (1024, 2048, or 4096 bits)
  • Generate a new key pair instantly
  • Copy the public and private keys in PEM format for use in your applications

Security note: For production use, always generate private keys on secure, trusted hardware. Browser-generated keys are suitable for learning and testing.
