What is RSA encryption? How it works and why it still matters
Digital security relies on several key systems that most people never interact with directly. Rivest–Shamir–Adleman (RSA) is one of the earliest practical public-key cryptosystems and continues to help secure online communications.
In this guide, RSA encryption is explained in simple terms, including how it works, where it's used, and how it compares with other cryptographic methods.
What is RSA encryption?
RSA is an asymmetric (public-key) algorithm used for encryption and digital signatures. Its security rests on the difficulty of the "RSA problem": recovering a message from its ciphertext given only the public key. The best known route to solving it is to factor the public modulus into its two prime factors, which would break RSA outright, but that is considered computationally infeasible for properly generated keys of an appropriate size using current classical computers.
Although the term “RSA encryption” is widely used, it's somewhat simplified. RSA is a form of cryptography that can perform two distinct tasks. The first is encryption, which keeps data confidential so only the intended recipient can read it. The second is creating digital signatures, which can verify that the holder of a particular private key signed a message and that the message hasn’t been altered. When the corresponding public key is reliably linked to an identity, this can also help authenticate the sender.
RSA uses two mathematically linked keys: a public key and a private key. The public key can be shared openly, while the private key must remain secret. For encryption, the sender uses the recipient's public key to encrypt data, and the recipient uses the corresponding private key to decrypt it.
For digital signatures, the private key creates the signature, and the corresponding public key verifies it. Although RSA encryption and signatures use related mathematics, they are distinct operations with different encoding and padding procedures. With current computing methods, it's computationally infeasible to derive a properly generated private key from its public key.
A brief history of RSA
RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at the Massachusetts Institute of Technology (MIT). Its name comes from the initials of its three inventors. It was one of the first practical public-key cryptosystems and marked an important moment in the history of cryptography.
An equivalent algorithm had been developed independently four years earlier by Clifford Cocks at the U.K. Government Communications Headquarters (GCHQ), but the work remained classified until the late 1990s.
Despite the emergence of newer methods, RSA remains widely used for digital signatures, certificates, and authentication. It's also still used for key transport in some systems, although modern protocols such as Transport Layer Security (TLS) 1.3 use other methods to establish session keys.
Why RSA encryption matters
Before public-key cryptography, secure communication largely relied on symmetric encryption, where both parties use the same secret key. This created a key-distribution problem: the parties needed a secure way to share the key before they could communicate securely.
RSA helped address this problem by allowing a public key to be shared openly while the corresponding private key remains secret. However, users still need a trustworthy way to confirm who owns a public key, commonly through digital certificates.
RSA enabled systems to encrypt or transport key material without requiring a pre-shared secret. This capability helped shape secure communication on the internet.
How RSA encryption works
RSA’s security is based on mathematical operations that are easy to perform but extremely difficult to reverse without the private key. In practice, its security also depends on strong key generation, suitable key sizes, secure padding, and correct implementation.
How RSA key generation works
Weak key generation undermines any cryptosystem, and in RSA the keys are where the secret lives. The calculations that produce them are straightforward. What protects the result is that an attacker who sees only the public key cannot feasibly factor the public modulus back into its two secret prime factors when those primes are properly generated and sufficiently large.
In RSA, public and private keys are generated together using a series of related calculations.
1. Choosing two large prime numbers
RSA key generation begins with a cryptographically secure process that generates two large, distinct prime numbers, traditionally denoted p and q; for a 2048-bit key each prime is roughly 1024 bits long. Multiplying them is easy for a computer and produces a composite number. However, factoring that number back into its prime components is considered computationally infeasible for classical computers when the primes are properly generated and sufficiently large.
2. Calculating the modulus and a private value
Multiplying p and q yields the modulus, usually denoted n. The modulus is used during key generation and forms part of both the public and private keys.
RSA then calculates a private value from p and q: either Euler's totient φ(n) = (p − 1)(q − 1) or, as specified in FIPS 186, Carmichael's function λ(n) = lcm(p − 1, q − 1). This value is used to derive the private exponent and must not be disclosed; anyone who learns it, or p or q, can reconstruct the private key.
3. Creating the public and private keys
Once the modulus and the private value have been calculated, the key-generation process selects a public exponent, usually denoted e, that is coprime to the private value. The usual choice is 65537 (2^16 + 1), which is prime, has only two set bits, and keeps public-key operations fast. It then computes the private exponent d as the modular inverse of e, so that e·d ≡ 1 (mod φ(n)) (or mod λ(n)).
The public key contains the modulus and public exponent, denoted as (n, e). In its simplest mathematical form, the private key contains the modulus and private exponent, denoted by (n, d). Practical private-key formats usually store additional secret values derived from p and q to make private-key operations more efficient.
How RSA encryption and decryption work step by step
Once the keys are ready, RSA follows a straightforward process:
- Share the public key: The recipient makes the public key available, and the sender verifies that it belongs to the intended recipient.
- Encrypt the data: The sender uses the recipient’s RSA public key and a secure padding scheme to encrypt a small amount of data. In hybrid encryption, this is often the shared key for a separate symmetric algorithm, which encrypts the actual message.
- Send the ciphertext: The encrypted data travels across the network. When RSA is properly implemented, an attacker who intercepts it cannot feasibly recover the protected data without the private key.
- Decrypt with the private key: The recipient uses the corresponding RSA private key to recover the shared symmetric key, which is then used to decrypt the message.
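The three key-generation steps and the encrypt/decrypt round trip above, carried through in code. This is an added example written for this article, not code from the original page: it is raw ("textbook") RSA with no padding, kept small so the arithmetic is visible, and the key size of 512 bits is for speed only. Real systems use a vetted library with OAEP or PSS and keys of at least 2048 bits.

```python
# Added example (not from the original article): textbook RSA key generation
# and encryption of a single integer, following the steps above. No padding,
# small key; for illustration of the arithmetic only.
import math
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0                      # write n - 1 as d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a proves n composite
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top two bits set so p*q has 2*bits bits)."""
    while True:
        candidate = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512, e: int = 65537):
    """Steps 1-3: primes p, q -> modulus n -> private value -> exponent d."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        n = p * q
        # Carmichael's lambda(n) = lcm(p-1, q-1), as in FIPS 186; Euler's
        # phi(n) = (p-1)*(q-1) gives a different but equally valid d.
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if math.gcd(e, lam) != 1:
            continue                     # e must be invertible modulo lam
        d = pow(e, -1, lam)              # e * d == 1 (mod lam)
        # Extra CRT values that real private-key formats (PKCS#1) also store.
        priv = {"n": n, "d": d, "p": p, "q": q,
                "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p)}
        return (n, e), priv


def encrypt_int(m: int, pub) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt_int(c: int, priv) -> int:
    """Decrypt with the CRT form (roughly 4x faster than pow(c, d, n))."""
    p, q = priv["p"], priv["q"]
    m1 = pow(c, priv["dP"], p)
    m2 = pow(c, priv["dQ"], q)
    h = (priv["qInv"] * (m1 - m2)) % p
    return m2 + h * q


def roundtrip(bits: int = 512, message: int = 0xDEADBEEF) -> bool:
    """Generate a key, encrypt, decrypt; True if the message comes back."""
    pub, priv = generate_keypair(bits)
    c = encrypt_int(message, pub)
    recovered = decrypt_int(c, priv)
    assert recovered == pow(c, priv["d"], priv["n"])   # CRT agrees with plain formula
    assert pub[0].bit_length() == bits                  # modulus has the requested size
    return recovered == message


if __name__ == "__main__":
    print("round trip ok:", roundtrip())
```

The CRT decryption is why practical private-key formats keep p, q, dP, dQ and qInv: the two half-size exponentiations are much cheaper than one full-size one, but they also mean a private-key file leaks p and q directly if it is exposed.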

The padding scheme
Data encrypted using RSA must be small enough that its encoded value, read as an integer, is less than the modulus n. Before encryption, RSA applies a padding scheme to the plaintext.
Padding prepares the data by combining it with additional structured values. Modern schemes such as optimal asymmetric encryption padding (OAEP) use a random seed, hashing, and a mask-generation function. This encoded data is what gets encrypted. During decryption, the padding is validated and removed to recover the original message.
Padding does more than fill space. The random seed makes every encryption of the same message produce a different ciphertext, and the structure that decryption verifies is what defends against chosen-ciphertext attacks on raw ("textbook") RSA. The older PKCS#1 v1.5 padding is still deployed but is susceptible to padding-oracle attacks when error handling leaks information, so OAEP is the recommended choice. For these reasons, secure RSA implementations use an established padding scheme rather than raw RSA.
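The OAEP encoding described above, implemented with only the Python standard library. This is an added example, not code from the original article: it follows EME-OAEP from RFC 8017 section 7.1 with SHA-256 and MGF1, and produces the encoded message EM that the RSA step would then raise to the public exponent. The RSA operation itself is left out so the padding logic stands alone; k is the modulus length in bytes, and 128 (a 1024-bit key) is an assumed value for the demonstration.

```python
# Added example (not from the original article): EME-OAEP encode/decode with
# SHA-256 and MGF1 (RFC 8017, section 7.1), standard library only.
import hashlib
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size            # 32 bytes


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """Mask generation function: Hash(seed || counter) concatenated until long enough."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def max_message_len(k: int) -> int:
    """Largest plaintext OAEP can carry for a k-byte modulus: k - 2*hLen - 2."""
    return k - 2 * H_LEN - 2


def oaep_encode(message: bytes, k: int, label: bytes = b"", seed=None) -> bytes:
    if len(message) > max_message_len(k):
        raise ValueError("message too long for this modulus")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message                 # DB = lHash || PS || 0x01 || M
    if seed is None:
        seed = secrets.token_bytes(H_LEN)                 # fresh random seed every call
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db              # EM: leading 0x00 keeps EM < n


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Recover M, or raise one generic error for any malformed input."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash, rest = db[:H_LEN], db[H_LEN:]
    # Scan the whole buffer for the 0x01 separator instead of returning early,
    # so timing does not depend on where (or whether) the separator occurs.
    sep, bad = -1, False
    for i, byte in enumerate(rest):
        if byte == 1 and sep == -1:
            sep = i
        elif byte != 0 and sep == -1:
            bad = True                                    # non-zero byte inside PS
    # All checks collapse into one flag and one error message (no padding oracle).
    bad |= (y != 0) | (sep == -1) | (not secrets.compare_digest(l_hash, HASH(label).digest()))
    if bad:
        raise ValueError("decryption error")
    return rest[sep + 1:]


def demo(k: int = 128) -> dict:
    msg = b"session key: " + bytes(range(16))            # constructed sample plaintext
    em1, em2 = oaep_encode(msg, k), oaep_encode(msg, k)
    tampered = bytearray(em1)
    tampered[1 + H_LEN] ^= 0x80                           # flip a bit in maskedDB
    try:
        oaep_decode(bytes(tampered), k)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip_ok": oaep_decode(em1, k) == msg,
        "randomized": em1 != em2,                         # same M, different EM each time
        "tamper_detected": tamper_detected,
        "max_plaintext_bytes": max_message_len(k),        # 62 for k=128, 190 for 2048-bit keys
    }


if __name__ == "__main__":
    print(demo())
```

The decoder deliberately reports every failure (wrong leading byte, bad label hash, missing separator, non-zero padding) with the same exception and after the same amount of work; distinguishing those cases in the response is exactly the kind of oracle that padding-oracle attacks exploit.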
Where RSA encryption is used
RSA is used in systems that need to protect key material, authenticate parties, or verify data integrity.
RSA in secure communications
Historically, RSA played a significant part in securing internet traffic from interception, but its role has been significantly reduced. Earlier versions of TLS, used by HTTPS, could use RSA to transport key material during the handshake. TLS 1.3 removed RSA key transport and instead supports ephemeral Diffie–Hellman methods, commonly Elliptic Curve Diffie–Hellman Ephemeral (ECDHE), as well as pre-shared key modes.
RSA's remaining role in TLS is primarily authentication. It's one of several algorithms supported by public key infrastructure (PKI), which manages digital certificates and the trust relationship behind them. When a server presents a certificate, the browser or app validates the certificate chain and verifies that the certificate matches the intended server. If RSA signatures are used, the client verifies them with the corresponding public keys. In TLS 1.3, a server with an RSA certificate may also use RSA to sign the handshake and prove that it holds the associated private key.
RSA in digital signatures
RSA is commonly used to verify that data was signed with a particular private key and hasn’t been changed. When the corresponding public key is reliably linked to an identity, it can also help verify who signed the data.
Instead of encrypting the data with a public key, the sender signs it with their private key. The system first generates a fixed-length hash of the data, then signs it with an RSA signature scheme. Anyone with the corresponding public key can verify the signature and check whether the data has changed.
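The hash-then-sign flow above, as an added example that is not code from the original article. It uses the RSASSA-PKCS1-v1_5 encoding from RFC 8017 section 9.2 with SHA-256 and only the standard library. To keep the block deterministic and self-checking without a prime generator, the key is built from two known Mersenne primes (2^521 − 1 and 2^607 − 1); such structured primes are trivially recognisable and must never be used for a real key.

```python
# Added example (not from the original article): hash, encode, sign, verify
# with RSASSA-PKCS1-v1_5 / SHA-256. The Mersenne-prime key is for determinism
# only and is NOT a secure key.
import hashlib
import hmac

P = 2**521 - 1                                  # known Mersenne primes: demo only
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))               # private exponent: e*d == 1 mod phi(n)
K = (N.bit_length() + 7) // 8                   # modulus length in bytes (141)

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo || Hash(M)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message: bytes) -> bytes:
    em = emsa_pkcs1_v15_encode(message, K)
    s = pow(int.from_bytes(em, "big"), D, N)   # private-key operation
    return s.to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Recompute EM from the message and compare it with s^e mod n in full."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")        # public-key operation
    # Compare the entire encoding, never just the trailing hash bytes: lenient
    # parsing of the padding is what Bleichenbacher's 2006 e=3 forgery abused.
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, K))


def demo() -> dict:
    update = b"firmware-image v1.2.3 (constructed sample payload)"
    sig = sign(update)
    return {
        "valid": verify(update, sig),
        "tampered": verify(update + b"\x00", sig),   # one extra byte changes the hash
        "forged": verify(update, bytes(K)),          # all-zero "signature" decodes to 0
    }


if __name__ == "__main__":
    print(demo())
```

Verification recomputes the expected encoding and compares all K bytes, so a signature only passes if the signer knew d and the message is byte-for-byte what was signed. Modern deployments prefer the randomised RSASSA-PSS encoding, but the hash-then-sign structure is the same.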
RSA is commonly used for software and code signing, although other signature algorithms are also available. For example, when installing an update, a system may check its signature to confirm that it came from the identified publisher and hasn’t been altered since it was signed.
Challenges and limitations of RSA encryption
Various practical limitations affect how and where RSA can be effectively used.
Why RSA is slow for large amounts of data
RSA isn't designed to encrypt full files, long messages, or continuous data streams directly. Its core operation (modular exponentiation) is more computationally intensive than symmetric encryption. RSA’s security relies on the difficulty an attacker faces in reversing this operation without the private key, but its computational cost makes it inefficient for bulk data.
The amount of data RSA can process in a single operation is also limited by the key size, and padding reduces the usable space further: with a 2048-bit key and OAEP using SHA-256, one operation carries at most 190 bytes of plaintext (a 256-byte modulus minus 66 bytes of padding overhead). RSA is therefore generally reserved for smaller, high-value tasks, such as protecting a session key or creating a digital signature.
Common RSA vulnerabilities
RSA is secure when implemented correctly, but weak configurations or implementations can introduce risks.
Without randomized padding, raw RSA encryption is deterministic: it uses a fixed mathematical formula with no random element. This means encrypting the same message with the same public key always produces identical ciphertext. Because the public key is available to anyone, an attacker who intercepts a ciphertext could encrypt likely messages and compare the results. For short or predictable messages, such as a simple confirmation or a small numeric value, this could reveal the message without breaking the key.
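The guess-and-compare attack on unpadded RSA described above, as an added example that is not code from the original article. The attacker holds only the public key and one intercepted ciphertext and never factors the modulus. The key is built from two known Mersenne primes purely so the block is deterministic; this does not weaken the point, since the attack would work identically against a properly generated 2048-bit key used without padding.

```python
# Added example (not from the original article): recovering a predictable
# plaintext from textbook (unpadded) RSA by encrypting every likely message.
from typing import Optional

P, Q = 2**521 - 1, 2**607 - 1                 # Mersenne primes: deterministic demo only
N, E = P * Q, 65537                           # the public key the attacker sees


def textbook_encrypt(m: int) -> int:
    """Raw RSA: no randomness, so the same m always gives the same c."""
    return pow(m, E, N)


def recover_small_plaintext(ciphertext: int, candidates) -> Optional[int]:
    """One public-key operation per guess; returns the guess whose ciphertext matches."""
    for guess in candidates:
        if textbook_encrypt(guess) == ciphertext:
            return guess
    return None


def demo() -> dict:
    secret_pin = 4821                         # constructed example: a 4-digit value
    intercepted = textbook_encrypt(secret_pin)
    return {
        "deterministic": textbook_encrypt(secret_pin) == intercepted,
        "recovered": recover_small_plaintext(intercepted, range(10_000)),
    }


if __name__ == "__main__":
    print(demo())
```

Ten thousand public-key operations take well under a second, and the attacker can precompute the table once and reuse it against every ciphertext produced with that key. OAEP closes the attack by mixing a fresh random seed into each encryption, so the same PIN yields a different ciphertext every time.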
Poor error handling can make RSA implementations vulnerable to oracle attacks, in which a system unintentionally leaks information through its responses to malformed requests. For example, if a system responds differently to valid and invalid padding, an attacker may submit modified ciphertexts and use the responses to gradually reconstruct the original message. The best-known instance is Bleichenbacher's 1998 attack on PKCS#1 v1.5 key transport, which recovers a plaintext from on the order of a million adaptively chosen ciphertexts; variants of it have resurfaced repeatedly in TLS implementations since.
RSA can also be exposed through side-channel attacks. Rather than directly breaking the algorithm, these attacks exploit clues about how a device performs RSA operations, such as timing patterns, power consumption, or electromagnetic emissions, to uncover information about the private key.
Risks from weak key generation
RSA keys are generated from large prime numbers. Longer keys allow larger prime factors and generally provide greater resistance to factorization attacks. RSA keys should be at least 2048 bits; NIST SP 800-57 rates a 2048-bit modulus at roughly 112 bits of security and accepts it through 2030, with 3072 bits (about 128 bits of security) recommended for longer lifetimes. The required key size ultimately depends on the application, the desired security lifetime, and relevant standards. Larger keys, such as 3072- or 4096-bit keys, provide greater security at the cost of additional processing and storage.
Aside from key length, the prime numbers must be generated using a cryptographically secure random process. If the random number generator is weak, predictable, or poorly seeded, different systems may accidentally generate identical keys or share a prime factor. An attacker who collects many public keys can compute the greatest common divisor of pairs of moduli; any shared prime falls out immediately, with no factoring required, and yields both private keys. This happened at scale in the 2012 "Mining your Ps and Qs" survey of internet-wide keys, and the 2008 Debian OpenSSL bug reduced the generator's seed to a small, enumerable set so that every key it produced could be regenerated. These are implementation or device problems rather than flaws in RSA itself.
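The shared-prime failure above, as an added example that is not code from the original article: two moduli that happen to share a factor are broken with a single gcd and two modular inverses. The primes are known Mersenne primes so the block is deterministic; the same arithmetic applies to real 2048-bit keys, where a batch gcd across millions of collected certificates is how the 2012 study found them.

```python
# Added example (not from the original article): recovering two private keys
# whose moduli share a prime, as a weak RNG can cause. Nothing is factored.
import math

E = 65537
SHARED_P = 2**521 - 1                         # the prime two devices both picked
Q1, Q2 = 2**607 - 1, 2**127 - 1               # Mersenne primes: deterministic demo only
N1, N2 = SHARED_P * Q1, SHARED_P * Q2         # two supposedly independent public keys


def recover_private_keys(n1: int, n2: int, e: int = E):
    """Return (d1, d2) if n1 and n2 share a prime factor, otherwise None."""
    p = math.gcd(n1, n2)
    if p in (1, n1, n2):
        return None                           # coprime moduli, or the same key twice
    q1, q2 = n1 // p, n2 // p                 # the other factor of each modulus
    d1 = pow(e, -1, (p - 1) * (q1 - 1))       # private exponents follow directly
    d2 = pow(e, -1, (p - 1) * (q2 - 1))
    return d1, d2


def demo() -> dict:
    keys = recover_private_keys(N1, N2)
    assert keys is not None
    d1, d2 = keys
    m = 0x5EC7E7                              # constructed sample plaintext
    unrelated = (2**127 - 1) * (2**89 - 1)    # a modulus sharing no factor with N1
    return {
        "key1_decrypts": pow(pow(m, E, N1), d1, N1) == m,
        "key2_decrypts": pow(pow(m, E, N2), d2, N2) == m,
        "independent_keys_safe": recover_private_keys(N1, unrelated) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A defensive check on the generating side is cheap: a device should never reuse entropy between keys, and a fleet operator can run the same pairwise gcd over its own certificate inventory before an attacker does.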
Is RSA still secure today?
RSA remains secure against known classical attacks when implemented correctly, with appropriate key sizes, secure padding, and properly generated keys. Many systems still rely on it, although a significant long-term threat remains.
A sufficiently large and reliable quantum computer could use Shor’s algorithm to factor large numbers much more efficiently, undermining RSA’s security. However, no publicly known quantum computer can currently break properly implemented RSA at commonly used key sizes.
This threat has led to the development of post-quantum cryptography. These systems use mathematical problems, including lattice- and hash-based constructions, that are believed to resist known attacks from both classical and quantum computers.
ExpressVPN’s Lightway protocol integrates the Module Lattice–Based Key Encapsulation Mechanism (ML-KEM) into a hybrid post-quantum design. Its implementation of WireGuard also uses hybrid ML-KEM to add post-quantum protection.
How RSA fits into modern cryptography
Asymmetric and symmetric cryptography solve different problems, which is why modern systems commonly use them together. Asymmetric methods can establish or protect keys and authenticate parties, while symmetric encryption protects the bulk data. RSA can perform some of these asymmetric functions, although modern systems may use alternatives such as Diffie–Hellman or elliptic curve cryptography.
Read more: Symmetric vs. asymmetric encryption: What’s the difference and why it matters.
RSA vs. symmetric encryption
| | Asymmetric cryptography using RSA | Symmetric encryption |
| Key used | Two keys (public + private) | One shared secret key |
| How it works | Public key encrypts or verifies; private key decrypts or signs | The same key encrypts and decrypts data |
| Speed | Slower and more computationally intensive | Faster and more efficient |
| Typical use | Protecting keys; creating and verifying signatures | Protecting bulk data |
The speed difference comes down to the mathematical operations involved. RSA relies on modular exponentiation with very large numbers, while symmetric algorithms like Advanced Encryption Standard (AES) use operations that processors can perform far more efficiently, often with hardware acceleration. In practice, symmetric encryption is much faster, so RSA is generally limited to protecting small values or creating signatures rather than ongoing data transfer.
Alternatives to RSA encryption
RSA is not the only asymmetric cryptographic algorithm. Widely used alternatives include:
- Elliptic curve cryptography (ECC): ECC provides a comparable level of security to RSA with much smaller keys; a 256-bit elliptic-curve key is rated at roughly the security of a 3072-bit RSA key, which reduces storage, bandwidth, and processing requirements. It's widely used in modern systems, including mobile and resource-constrained devices.
- Diffie–Hellman: Diffie–Hellman allows two parties to establish shared keying material over an open network. It doesn't encrypt application data directly and must be combined with authentication (for example, an RSA or ECDSA certificate signature) to prevent impersonation. Its ephemeral elliptic-curve form, ECDHE, is what replaced RSA key transport in TLS 1.3.
Learn more: Encryption protocols explained: What they are and how they work.
FAQ: Common questions about RSA encryption
What RSA key size is considered secure?
At least 2048 bits for current use, which NIST rates at about 112 bits of security and accepts through 2030. Choose 3072 or 4096 bits for keys that must stay secure for longer.
Can RSA encrypt large amounts of data?
No. A single RSA operation handles less than the modulus size, and padding reduces that further (190 bytes with a 2048-bit key and OAEP using SHA-256). Systems encrypt the bulk data with a symmetric algorithm and use RSA only to protect that symmetric key.
What is the difference between RSA and AES?
RSA is asymmetric: a public key encrypts or verifies and a separate private key decrypts or signs. AES is symmetric: the same secret key encrypts and decrypts, and it is far faster. They are normally used together, with RSA protecting keys and AES protecting data.
Can quantum computing break RSA?
In principle, yes: a sufficiently large, reliable quantum computer running Shor's algorithm could factor the modulus. No publicly known machine can do this today, which is why post-quantum schemes such as ML-KEM are being deployed alongside existing algorithms.
When should RSA be used instead of ECC?
Mainly when compatibility requires it, such as an existing PKI, hardware, or protocol that only supports RSA. ECC offers equivalent security with far smaller keys and faster key generation and signing, so new designs usually prefer it; RSA's one practical advantage is that signature verification with a small public exponent is very fast.