RSA (Rivest–Shamir–Adleman) is an asymmetric cryptographic algorithm, widely used for secure data transmission, especially for signing and encrypting data.

In the RSA signing process, a private key is used to sign the message, while a public key is used to verify the signature. Here’s how the signing and verification process works:

1. Public and Private Keys

  • Private Key: This key is kept secret and is used to sign data. Only the entity that owns the private key should be able to generate the signature.
  • Public Key: This key is shared with others. It is used to verify that the data was indeed signed by the corresponding private key holder.
  • Key Pair: RSA works on a pair of keys(one private and one public). A unique public/private key pair is generated together. There cannot be multiple private keys for a given public key.

For embedded systems, where resources (CPU, memory) are limited, RSA’s asymmetric nature means that only the private key holder can sign, while anyone with the public key can verify. This is useful in secure boot processes or authenticating firmware updates, as the system can verify code signed by the vendor.

2. RSA Signature Process

  1. Hashing: The data (or image) to be signed is first hashed using a cryptographic hash function such as SHA-256 or SHA-512. This hash, called the digest, is a fixed-size output.
  2. Padding: The hash is padded using a padding algorithm before encryption with the private key. This ensures that the message fits the RSA modulus size and provides security against certain attacks.
  3. Encryption: The padded hash is then encrypted using the RSA private key to generate the signature.
  4. Verification: To verify, the receiver decrypts the signature using the sender’s public key and compares it to the hash of the received message. If they match, the signature is valid.

3. [Padding Algorithms in RSA]({< ref “/posts/padding-algorithms-in-rsa/” >}})

4. Hashing in RSA Signatures

The message to be signed is typically hashed before encryption to reduce the size of the data being processed and ensure it can be signed with a given key size. Commonly used hash functions include:

  • SHA-256: A 256-bit hash function, widely used due to its security and performance.
  • SHA-512: A more secure 512-bit variant, though heavier for embedded systems due to larger output size and computational cost.

In embedded systems, especially where power and processing are limited, the choice of the hashing algorithm and padding scheme should balance security with efficiency.

5. Multiple Key Pairs in RSA

RSA typically uses one key pair (private and public) for a specific entity or purpose, like signing firmware or certificates. However, you could generate multiple key pairs for different purposes (e.g., separate keys for firmware, secure boot, and encrypted communication). Each key pair must remain associated with its specific function for security.

In the context of embedded systems, for example:

  • One key pair might be used for secure boot, where the bootloader verifies that the firmware is signed with the private key.
  • Another key pair might be used for communication security, where secure messages between two devices are encrypted with one key and decrypted with the other.

6. RSA in Embedded Systems

  • Secure Boot: RSA ensures that only firmware signed by the trusted entity (using the private key) can be executed, providing secure boot capabilities. The embedded system’s bootloader verifies the signature using the public key stored in secure memory.
  • Firmware Signing: When distributing firmware updates, RSA ensures that only legitimate, untampered updates are accepted by the system. Each firmware is signed with the private key, and the device uses the public key to verify it.
  • TLS/SSL: RSA can be used to establish secure communication channels between embedded devices and servers via SSL/TLS protocols.

RSA is widely used in embedded systems due to its security properties, but its performance overhead on resource-constrained systems may push developers to opt for elliptic curve cryptography (ECC), which offers similar security with smaller key sizes.