
Generate an RSA key

Here is a tutorial on how to set up the components needed for RSA and to generate a new RSA key.

1. Create a form or data module.
2. On this form put the following three components. You can find them on the Lockbox component palette.
2.1 TCodec
2.2 TSignatory
2.3 TCryptographicLibrary
3. Let's name the components. We will use the same names as the demo program does:
Signatory1: TSignatory;
codecRSA: TCodec;
CryptographicLibrary1: TCryptographicLibrary;

4. Also put on your form a few buttons and a memo box (for output).
5. Select the TCodec and, using the Object Inspector at design time, set the following object properties.
AsymetricKeySizeInBits = 1024
ChainMode = CBC
Cipher= RSA public key encryption system
CryptographicLibrary=CryptographicLibrary1
Name=codecRSA


By way of explanation, the above property settings have the following effects.
AsymetricKeySizeInBits = 1024
This sets the size, in bits, of the keys you are about to generate. 512 bits is a good size for a demonstration. 1024 is a good size for most commercial purposes. 2048 bits is for military grade. Values beyond 4096 would be pointless given modern levels of cryptanalysis. The larger the key size, the more secure (up to a point), but the slower the basic cryptographic operations will be, particularly key generation.

ChainMode = CBC
Asymmetric ciphers like RSA do not directly use chaining modes. When we use RSA to encrypt a file, the RSA codec generates a random one-use-only key for a block-mode symmetric cipher, uses RSA's native encryption to encrypt that symmetric key, emits the encrypted key, and then emits the target "plaintext" file encrypted under the symmetric key. It is in this second phase, where the asymmetric cipher leverages a symmetric one for performance reasons, that a chaining mode is used. Chaining modes specify the way that block-oriented symmetric ciphers protect the ciphertext from Repeated Message attacks and Known Answer attacks. CBC is a popular chaining mode.

Cipher= RSA public key encryption system
This selects RSA as your encryption cipher.

CryptographicLibrary=CryptographicLibrary1
This connects your codec with the TCryptographicLibrary.

As an alternative to step 5, we could initialise the TCodec at run-time, instead of design-time, like so:

begin
  codecRSA.CryptographicLibrary := CryptographicLibrary1;
  codecRSA.StreamCipherId := 'native.RSA';
  codecRSA.ChainModeId := 'native.CBC';
  codecRSA.AsymetricKeySizeInBits := 1024;
end;


Instead of using the string literals above, you can use the constants defined in the uTPLb_Constants unit:
CBC_ProgId     = 'native.CBC';
RSA_ProgId     = 'native.RSA';


Feel free to use either method for setting the properties - design-time or run-time.
To learn more about a particular Cipher or Chaining mode selection, make the selection on your TCodec component at design-time and then press the ellipsis button for the component's "About" property. Explore the About dialog that pops up. The last page of this dialog may include additional descriptive information about your currently selected cipher and/or chaining mode.

6. Now to set-up the TSignatory. This part is really trivial. Just set the Codec property of the TSignatory to your TCodec. This can be done either at design-time or run-time.

7. Now to generate the keys. In a button event handler, write the following code:

if Signatory1.GenerateKeys then
  Log( 'Done. RSA keys successfully created.' )
else if Signatory1.Codec.isUserAborted then
  Log( 'Aborted at user request.' )
else
  Log( 'Failed.' );


Really simple, right? It's just a call to the TSignatory.GenerateKeys() method. But beware: this method takes a random, but usually long, time to execute. The longer the key length, the longer the generation time. This method actually generates 4 keys. One is a private key for the purposes of signature and verification; another is the corresponding public key; another is a private key for encryption and decryption; and the fourth is the corresponding public key. In line with recommended practice, TSignatory does not use the same pair of keys for Sign/Verify as it does for Encrypt/Decrypt.

8. To allow responsiveness during key generation, implement the OnProgress event of the TCodec. If you do this, you can:
8.1. Enable other controls of your program to respond to user input, by invoking:
Application.ProcessMessages;

8.2. Update the user on how things are going. During the OnProgress event you can access the integer property
codecRSA.FGenerateAsymetricKeyPairProgress_CountPrimalityTests;

and display it on the screen.
8.3. Allow the user to abort the operation. Normally you would return True as the result of the OnProgress event. But if you have detected the user's wish to abort, return False instead.

If the time it takes to generate the key pairs is an issue, then do not implement the OnProgress event. This event is fired very often during key generation, and its invocation can make a big difference to the overall key generation time.

9. After successful generation, you can store the keys in a stream for use in a later session, or for transport to another location. Write the following event handler for another button on your form to store the keys.

In the following code, it is assumed that Store is some kind of TStream (such as a TFileStream, TMemoryStream or TStringStream).

Store.Position := 0;
Signatory1.StoreKeysToStream( Store, [partPublic, partPrivate] );


The above code stores both the public and private parts of both the sign/verify and encrypt/decrypt keys together in the stream. If you want to store them separately, just use [partPrivate] or [partPublic] as required. Please remember: it is essential to the integrity of any asymmetric cipher system that users never expose their private parts. The private part of a key (the private key) is the owning user's secret.
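The following event handlers put steps 5 to 9 together: run-time codec set-up, an OnProgress handler that keeps the UI responsive and honours an abort request, key generation, and storage of the public and private parts in separate files. This is an added example, not code from the tutorial or the LockBox distribution; it assumes a form TForm1 with the three components named above, a TMemo Memo1, a TLabel lblProgress, a boolean field FAbortRequested set by a Cancel button, and the LockBox 3 unit names and OnProgress signature as the editor recalls them (check these against your installed version).

```pascal
{ Added example (not from the tutorial). Unit names, the TOnHashProgress
  signature and the Memo1/lblProgress/FAbortRequested members are assumptions. }
uses
  SysUtils, Classes, Forms, uTPLb_Codec, uTPLb_Signatory,
  uTPLb_CryptographicLibrary, uTPLb_Constants, uTPLb_Asymetric;

// Run-time equivalent of the design-time settings in step 5, plus step 6.
procedure TForm1.InitCodec;
begin
  codecRSA.CryptographicLibrary := CryptographicLibrary1;
  codecRSA.StreamCipherId := RSA_ProgId;        // 'native.RSA'
  codecRSA.ChainModeId := CBC_ProgId;           // 'native.CBC'
  codecRSA.AsymetricKeySizeInBits := 1024;      // size used by the tutorial
  Signatory1.Codec := codecRSA;
  codecRSA.OnProgress := codecRSAProgress;      // step 8 (slows generation)
end;

// OnProgress handler: keep the UI alive, show progress, allow an abort.
function TForm1.codecRSAProgress(Sender: TObject; CountBytesProcessed: int64): boolean;
begin
  Application.ProcessMessages;
  lblProgress.Caption := Format('Primality tests so far: %d',
    [codecRSA.FGenerateAsymetricKeyPairProgress_CountPrimalityTests]);
  Result := not FAbortRequested;   // False tells the codec to stop
end;

// Store only the requested parts; private parts get their own file so the
// file can be protected separately from the public one.
procedure TForm1.SaveKeys(const FileName: string; Parts: TKeyStoragePartSet);
var
  Store: TFileStream;
begin
  Store := TFileStream.Create(FileName, fmCreate);
  try
    Signatory1.StoreKeysToStream(Store, Parts);
  finally
    Store.Free;
  end;
end;

procedure TForm1.btnGenerateClick(Sender: TObject);
begin
  FAbortRequested := False;
  if Signatory1.GenerateKeys then
  begin
    Memo1.Lines.Add('Done. RSA keys successfully created.');
    SaveKeys('rsa_public.keys', [partPublic]);    // safe to distribute
    SaveKeys('rsa_private.keys', [partPrivate]);  // owner's secret
  end
  else if Signatory1.Codec.isUserAborted then
    Memo1.Lines.Add('Aborted at user request.')
  else
    Memo1.Lines.Add('Failed.');
end;
```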

Well, that's enough for this tutorial session. In the next tutorial session, we will load the keys that we saved in this session, and use them to encrypt a file and then to decrypt it back again.
Encryption in RSA