Understanding RSA Key Pair Generation: Extracting Public Key from Private Key

Fundamental Principles of RSA Key Pair Generation

RSA (Rivest-Shamir-Adleman) is a widely used asymmetric encryption algorithm whose mathematical foundation relies on the computational difficulty of integer factorization. In the RSA scheme, a key pair consists of public and private keys that are mathematically interrelated. The public key encrypts data while the private key decrypts it, creating the asymmetric property that makes RSA valuable for secure communications.

Mathematical Mechanism of Private Keys Containing Public Key Information

From a mathematical perspective, an RSA private key actually contains all the information needed to generate the corresponding public key. Specifically, a complete RSA private key includes these critical parameters: modulus n, public exponent e, private exponent d, and the two prime numbers p and q used for computational acceleration. The public key consists only of modulus n and public exponent e. Therefore, when using the openssl genrsa command to generate a private key, the system actually creates a complete key pair but defaults to saving only the private key containing all parameters to the file.

This design is based on the mathematical properties of the RSA algorithm: the public key (n, e) and private key (n, d) share the same modulus n. The public exponent e is typically chosen as 65537 (0x10001), a prime number that provides a good balance between security and computational efficiency. The private exponent d is calculated using the extended Euclidean algorithm, satisfying the relationship e·d ≡ 1 mod φ(n), where φ(n) is Euler's totient function.

Extracting Public Key from Private Key Using OpenSSL

OpenSSL provides a comprehensive toolchain for handling RSA keys. The standard procedure for extracting a public key from a private key is as follows:

First, generate an RSA private key using this command:

openssl genrsa -out mykey.pem 1024

This command generates a 1024-bit RSA private key and saves it to the mykey.pem file. It's important to note that although the command specifies generating only a private key, the resulting file actually contains complete key pair information.

Next, use the rsa command to extract the public key from the private key file:

openssl rsa -in mykey.pem -pubout -out pubkey.pem

This command reads the private key file mykey.pem, extracts the public key portion, and outputs the public key to the pubkey.pem file. The -pubout option explicitly instructs the output of the public key rather than the private key.

Public Key Extraction in SSH Context

In SSH (Secure Shell) authentication scenarios, specific public key formats are typically required. While OpenSSL can generate RSA keys, SSH clients prefer using the ssh-keygen tool for key handling.

For existing OpenSSL-generated private keys, use this command to convert to SSH-compatible public key format:

ssh-keygen -y -f mykey.pem > mykey.pub

The -y option here instructs ssh-keygen to read the private key file and output the corresponding public key, while the -f option specifies the input file. The generated public key file can be directly used for SSH server authentication configuration by adding its content to the remote server's ~/.ssh/authorized_keys file to enable passwordless login.

In-depth Analysis of Key Generation Process

Understanding the RSA key generation process helps better grasp the relationship between public and private keys. Typical RSA key generation includes these steps:

1. Randomly select two large prime numbers p and q, ensuring they are similar in size but distinct
2. Calculate modulus n = p × q
3. Calculate Euler's totient function φ(n) = (p-1) × (q-1)
4. Select public exponent e, typically 65537, ensuring 1 < e < φ(n) and gcd(e, φ(n)) = 1
5. Calculate private exponent d such that e·d ≡ 1 mod φ(n)

In this process, the private key actually contains all parameters including (p, q, d, n, e), while the public key contains only (n, e). This explains why a public key can be completely derived from a private key, but deriving a private key from a public key is computationally infeasible—this forms the foundation of RSA security.

Practical Applications and Best Practices

In actual development, proper handling of RSA key pairs is crucial. Here are some common scenarios and best practices:

Web Server SSL/TLS Configuration: When generating server certificates using OpenSSL, typically generate a private key first, then extract the public key from it to create a Certificate Signing Request (CSR).

API Authentication: Many REST APIs use RSA key pairs for request signature verification. Servers store public keys to verify requests signed by clients using corresponding private keys.

Security Considerations:

• Private keys must be kept strictly confidential and should not be transmitted or stored in untrusted environments
• Recommend using at least 2048-bit key length, as 1024-bit is gradually considered insufficiently secure
• Regularly rotate key pairs, especially when suspecting private key compromise
• Use passphrase protection for private key files to add an additional security layer

Key Formats and Compatibility

Different tools and systems may use different key formats. OpenSSL defaults to PEM (Privacy-Enhanced Mail) format, a Base64-encoded text format. SSH typically uses OpenSSH format, and while structurally different, these formats can be converted between each other.

Understanding these format differences is crucial for correctly using keys across different systems. For example, when using OpenSSL-generated public keys for SSH authentication, format conversion using ssh-keygen may be necessary, or compatible format options should be ensured during generation.

By deeply understanding the generation mechanisms and extraction principles of RSA key pairs, developers can more confidently and securely use asymmetric encryption technology in various application scenarios, ensuring communication security and reliability.