Implementing RSA Key Pair Management
Overview
RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic algorithm, used for digital signatures, key exchange, and encryption. This guide covers generating, storing, rotating, and managing RSA key pairs following NIST SP 800-57 key management guidelines, including key serialization formats (PEM, DER, PKCS#8), passphrase protection, and key strength validation.
Objectives
- Generate RSA key pairs with appropriate key sizes (2048, 3072, 4096 bits)
- Serialize keys in PEM and DER formats with PKCS#8
- Protect private keys with strong passphrase encryption
- Implement key rotation with versioning
- Extract public key components and fingerprints
- Validate key strength and detect weak keys
- Sign and verify data using RSA-PSS
Key Concepts
RSA Key Sizes and Security Strength
| Key Size (bits) | Security Strength (bits) | Recommended Until |
|---|---|---|
| 2048 | 112 | 2030 |
| 3072 | 128 | Beyond 2030 |
| 4096 | ~140 | Beyond 2030 |
RSA Padding Schemes
| Scheme | Use Case | Standard |
|---|---|---|
| OAEP | Encryption | PKCS#1 v2.2 (RFC 8017) |
| PSS | Signatures | PKCS#1 v2.2 (RFC 8017) |
| PKCS#1 v1.5 | Legacy only | Deprecated for new systems |
Key Storage Formats
- PEM: Base64-encoded with headers, human-readable
- DER: Binary ASN.1 encoding, compact
- PKCS#8: Standard for private key encapsulation
- PKCS#12/PFX: Bundled key + certificate, password-protected
Security Considerations
- Minimum 3072-bit keys for new deployments (NIST recommendation)
- Always protect private keys with AES-256-CBC passphrase encryption
- Use RSA-PSS for signatures (not PKCS#1 v1.5)
- Use RSA-OAEP for encryption (not PKCS#1 v1.5)
- Store private keys with restrictive file permissions (0600)
- Implement key rotation at least annually
Validation Criteria
- [ ] Key generation produces valid RSA key pair
- [ ] Public key can be extracted from private key
- [ ] Private key is protected with passphrase
- [ ] RSA-PSS signature verification succeeds
- [ ] Tampered signature verification fails
- [ ] Key fingerprint is computed correctly
- [ ] Key rotation maintains old key access for verification
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.7 (Restriction on Transmission), CC6.1 (Logical Access)
- ISO 27001: A.10.1 (Cryptographic Controls)
- NIST 800-53: SC-12 (Cryptographic Key Management), SC-13 (Cryptographic Protection), SC-8 (Transmission Confidentiality)
- NIST CSF: PR.DS (Data Security)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add implementing-rsa-key-pair-management
# Or load dynamically via MCP
grc.load_skill("implementing-rsa-key-pair-management")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.