RSA

RSA (Rivest-Shamir-Adleman) Cryptography

Asymmetric encryption algorithm that uses a mathematically related key pair - one public key and one private key
Foundation of modern PKI (Public Key Infrastructure) systems used extensively in network security protocols
Solves the key distribution problem that plagued symmetric encryption (no need to share secret keys beforehand)
Security relies on the mathematical difficulty of factoring large prime numbers (typically 1024-4096 bits)

Key Generation: Creates two mathematically related keys from large prime numbers
- Public key can be shared openly and is used for encryption or signature verification
- Private key must be kept secret and is used for decryption or digital signing
Encryption Process: Data encrypted with public key can only be decrypted with corresponding private key
Digital Signatures: Data signed with private key can be verified using the corresponding public key
Computational intensity makes RSA slower than symmetric algorithms (AES, DES) for bulk data encryption

SSH (Secure Shell): Uses RSA for initial key exchange and host authentication
- Default RSA key size is 2048 bits (can verify with ssh-keygen -t rsa -b 4096)
HTTPS/TLS: RSA used for certificate-based authentication and initial handshake
- Web servers present RSA public key certificates to prove identity
IPSec VPNs: RSA certificates can authenticate VPN peers instead of pre-shared keys
SNMP v3: Can use RSA-based certificates for device authentication

Term	Definition
Asymmetric Encryption	Uses different keys for encryption/decryption (public/private key pairs)
Key Pair	Mathematically related public and private keys generated together
Digital Signature	Cryptographic proof that data came from private key holder and wasn’t altered
Certificate Authority (CA)	Trusted entity that signs and validates RSA public key certificates
Key Exchange	Process of securely sharing encryption keys between network devices

Key Size	Security Level	Use Case	Performance Impact
1024 bits	Deprecated	Legacy systems only	Fastest
2048 bits	Current standard	Most implementations	Moderate
3072 bits	High security	Government/financial	Slower
4096 bits	Maximum common	Highly sensitive data	Slowest

Certificate-Based Authentication: Devices authenticate using RSA certificates instead of passwords
- Example: Enterprise wireless networks using 802.1X with certificate authentication
Secure Key Exchange: RSA encrypts symmetric keys for bulk data encryption
- Hybrid approach: Use fast RSA to exchange slow AES keys, then use AES for data
Code Signing: Network device firmware verified using RSA signatures before installation
Email Security: S/MIME uses RSA for email encryption and digital signatures

RSA vs Symmetric (AES): RSA solves key distribution but is much slower for bulk encryption
RSA vs ECC (Elliptic Curve): ECC provides equivalent security with smaller key sizes and better performance
RSA vs Diffie-Hellman: DH is for key exchange only, RSA can do both encryption and digital signatures

Never reuse RSA key pairs across different applications or devices (compromises security isolation)
RSA private keys should be stored in hardware security modules (HSMs) or secure key storage when possible
Key rotation policies typically require new RSA keys every 1-3 years depending on security requirements
RSA performance degrades significantly with key size - 4096-bit keys are ~8x slower than 2048-bit keys
Modern networks often use RSA only for initial authentication/key exchange, then switch to faster symmetric encryption
Quantum computing threat: RSA will become vulnerable when large-scale quantum computers exist (driving adoption of post-quantum cryptography)
Always verify RSA certificate chains back to trusted root CAs to prevent man-in-the-middle attacks
Default SSH RSA host keys are generated during initial device setup - changing them requires regenerating and redistributing to clients