Python pyCrypto RSA encrypt method gives same results using private or public key

Question

I'm trying to understand the pyCrypto encrypt and decrypt methods for public and private keys, and I'm seeing something strange. Suppose I have a set of private and public keys, stored in files dummy_private.txt and dummy_public.txt.

I create a private key object and public key object like this:

private_key_file='dummy_private.txt'
f = open(private_key_file, 'r')
privateKey = RSA.importKey(f.read(),None)
f.close()

public_key_file='dummy_public.txt'
f = open(public_key_file, 'r')
publicKey = RSA.importKey(f.read(),None)
f.close()

Now suppose I want to encrypt some message. I can do it like this:

s='This is a super secret message'
sutf8=s.encode('utf8')

enc=publicKey.encrypt(sutf8,None)[0]
encb64=base64.encodestring(enc)
print "Public key Encoded message is %s" % (encb64,)

This makes sense because I am encrypting with the public key and I should be able to decrypt with the private key.

However, I can also encrypt the above using the private key, and it gives me the same result!

enc2=privateKey.encrypt(sutf8,None)[0]
encb642=base64.encodestring(enc2)
print "Private key Encoded message is %s" % (encb642,)

When I print out the base64 encoded version of the encrypted data, using either the private key or the public key, they are the same! Why is that?

And this raises the problem of digitally signing something with the private key. If I can sign something with the public key and get the same results, then how does signing verify that I am who I say I am? This must be some issue with the encrypt method that I don't understand. Can someone please explain?

Since encrypting with both the public key and private key gives the same results, it appears that decrypting with the private key can be done regardless of whether the encryption was done with the private key or the public key. I'm totally confused as to why one could encrypt with the private key and get a result that is the same as if it were done with the public key.

Answer 1

When you encrypt with a private key, pycrypto is actually using the public key (which can be generated from the private key).

Source: PyCrypto: Decrypt only with public key in file (no private+public key)

You'll find that pycrypto doesn't allow you to decrypt using the public key for good reason:

>>> publicKey.decrypt(enc2)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/pycrypto-2.6-py2.7-linux-x86_64.egg/Crypto/PublicKey/RSA.py", line 174, in decrypt
    return pubkey.pubkey.decrypt(self, ciphertext)
  File "/usr/local/lib/python2.7/site-packages/pycrypto-2.6-py2.7-linux-x86_64.egg/Crypto/PublicKey/pubkey.py", line 93, in decrypt
    plaintext=self._decrypt(ciphertext)
  File "/usr/local/lib/python2.7/site-packages/pycrypto-2.6-py2.7-linux-x86_64.egg/Crypto/PublicKey/RSA.py", line 239, in _decrypt
    mp = self.key._decrypt(cp)
  File "/usr/local/lib/python2.7/site-packages/pycrypto-2.6-py2.7-linux-x86_64.egg/Crypto/PublicKey/_slowmath.py", line 52, in _decrypt
    raise TypeError("No private key")
TypeError: No private key

Mathematically, RSA makes it possible to encrypt with the private key and decrypt with the public key, but you're not supposed to do that. The public key is PUBLIC - it's something you would readily share and thus would be easily disseminated. There's no added value in that case compared to using a symmetric cipher and a shared key (see: https://crypto.stackexchange.com/questions/2123/rsa-encryption-with-private-key-and-decryption-with-a-public-key)

Conceptually, "encrypting" with the private key is more useful for signing a message whereas the "decryption" using the public key is used for verifying the message.

More background: exchange public/private key in PKCS#1 OAEP encryption/decryption