-1

I have 128 bytes of RSA encrypted data. I know the 16 bytes of decrypted data. Is it possible to compute the 1024 bit RSA key from this?

Or is there a tool that recovers the key?

Example:

openssl rsautl -decrypt -inkey not_known_1024_key -in known_input.bin -out known_output.bin
d1str0
Konrad Eisele
  • 2
    If this was possible even with symmetrical encryption then it would be considered flawed/broken. RSA keys are asymmetrical, meaning there are two different keys used for encryption/decryption. This is a system designed to keep the private key secure in cases where it is desirable to release the public key. I believe you should at least make an attempt to do some of your own research before posting such a question. – Jonathan Gray Feb 24 '16 at 20:01
  • Is "the key" the public key or private key? –  Feb 24 '16 at 20:05
  • Looks like "ask on stack exchange" is the first research step for some... – ThoriumBR Feb 24 '16 at 20:12
  • ThoriumBR: Yes I'm not an encryption expert, that's why I ask. – Konrad Eisele Feb 24 '16 at 20:38

2 Answers

2

No, it is not possible. openssl rsautl performs encryption with PKCS#1 v1.5 padding, which is not known to be broken. Even if you have a large amount of fully known (ciphertext, plaintext) pairs, there is no way to recover the key that's better than general attacks on RSA. The record for RSA factorisation (recovering the private key from the public key) is with a 768-bit key, and the difficulty grows sharply with key size, so 1024 is out of reach (except possibly with NSA's budget).

Gilles 'SO- stop being evil'
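Added example (not part of the thread and not OpenSSL's code): a pure-Python illustration of the PKCS#1 v1.5 encryption block for the sizes in the question, 16 plaintext bytes under a 1024-bit key. The helper names (`keygen`, `pad_v15`, `encrypt`, `decrypt_block`) are hypothetical and the throwaway key stands in for the unknown one. It shows that the known 16 bytes sit behind 109 random padding bytes, so the same plaintext gives a different 128-byte ciphertext on every encryption.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random witnesses."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: composite
    return True

def keygen(bits=1024, e=65537):
    """Throwaway demo key (assumption: stands in for the unknown key); e is prime."""
    primes = []
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1  # top two bits set, odd
        if p % e != 1 and p not in primes and is_probable_prime(p):
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pad_v15(msg, k):
    """PKCS#1 v1.5 encryption block: 00 02 || PS || 00 || M, PS = random nonzero bytes."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def encrypt(msg, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pad_v15(msg, k), "big"), e, n).to_bytes(k, "big")

def decrypt_block(ct, n, d):  # full padded block; needs the private exponent d
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(len(ct), "big")

if __name__ == "__main__":
    n, e, d = keygen()
    known = b"16 known bytes!!"  # constructed sample plaintext
    c1, c2 = encrypt(known, n, e), encrypt(known, n, e)
    em = decrypt_block(c1, n, d)
    print(f"ciphertexts differ: {c1 != c2}; random padding bytes: {len(em) - len(known) - 3}")
```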
1

What you are describing is called a known plaintext attack, where the attacker attempts to derive the key used to encrypt the plaintext, given the plaintext and the cyphertext. Modern cryptography algorithms are designed to be highly resistant to this type of attack.

mti2935