Re: Encrypting Email: What do I Need?

From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 11/20/03


Date: Wed, 19 Nov 2003 18:02:35 -0500


"Mike" <Michael.Serfass@LathamSoftware.com> wrote in message
news:eCp5lAvrDHA.4092@tk2msftngp13.phx.gbl...
> I am working on an application for a financial institution. It's written in
> C#, .NET framework 1.1, running on Win2K. The application runs a process
> that gathers sensitive information, and emails it to various lawyers. This
> information needs to be encrypted. I have a X.509 certificate. The
> recipients have their own X.509 certificates. I have a private/public key
> pair, as do the recipients. I have their public keys, they have mine. We are
> all keeping our private keys to ourselves. I must encrypt the email,
> including all its attachments.
OK .. you understand the above correctly.

> What objects do I use for this? The only asymmetric class that will encrypt
> anything is the RSACryptoServiceProvider. That maxes out at 117 bytes, which
> is well below the size of one attachment, let alone the entire email. The
> symmetric encryption objects will handle more bytes, but that entails
> trading private keys. Trading private keys is not an option. So what do I
> use? I'm not a new developer, but I am new to encryption. What am I missing?

You are missing the concept of "enveloping" messages.
Here's how it works (and how S/MIME secure email does it):
 - you generate a secret random symmetric key (3DES, AES, ...) and
    use that key to bulk-encrypt any size data
 - you use the PUBLIC key of any recipient(s) to encrypt THAT symmetric key's bytes
 - you can then send both the symmetric-encrypted data and encrypted secret key to the
   recipients
 - the recipients can decrypt the secret symmetric key, with their RSA private key,
   and then use the "recovered symmetric key" to decrypt the data.
The preferred way to do this is with the format CMS/PKCS#7 EnvelopedData which
is supported in CryptoAPI, CAPICOM but currently NOT in .NET Framework 1.1.
Next release of .NET Framework will support EnvelopedData.

An article will appear either tomorrow or Friday describing EnvelopedData and
.NET usage (i.e. encryption of symmetric keys with recipient RSA public keys) at
 MSDN Security site.

- Michel Gallant
  MVP Security
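The enveloping scheme the reply above describes, as an added worked example that is not part of the original thread and not CMS/PKCS#7 EnvelopedData, CryptoAPI or .NET code. It is written in Go against the standard library so it runs with no dependencies; the `Envelope` struct, the recipient labels ("smith", "jones") and the key pairs generated in memory are assumptions standing in for the EnvelopedData structure and the recipients' X.509 certificates. It uses AES-256-GCM for the bulk data and RSA-OAEP to wrap the content-encryption key rather than the 3DES and PKCS#1 v1.5 of 2003-era S/MIME; `MaxPKCS1v15Payload` only shows where the 117-byte figure in the question comes from.

```go
// Added example for this page (not the poster's code, not CMS/PKCS#7 code):
// hybrid "enveloping" as the reply describes. Envelope, the recipient labels
// and the in-memory key pairs stand in for EnvelopedData and X.509 certs.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope: one bulk-encrypted payload plus one wrapped CEK per recipient.
type Envelope struct {
	Nonce         []byte            // AES-GCM nonce, fresh per message
	Ciphertext    []byte            // AES-GCM output with the auth tag appended
	RecipientKeys map[string][]byte // recipient label -> RSA-OAEP(CEK)
}

// MaxPKCS1v15Payload: modulus bytes minus 11 bytes of PKCS#1 v1.5 padding; 117 for 1024-bit RSA.
func MaxPKCS1v15Payload(pub *rsa.PublicKey) int {
	return pub.Size() - 11
}

// Seal encrypts plaintext once under a fresh random 256-bit AES key (the CEK)
// and wraps that key with RSA-OAEP for every recipient public key.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:         nonce,
		Ciphertext:    gcm.Seal(nil, nonce, plaintext, nil),
		RecipientKeys: make(map[string][]byte, len(recipients)),
	}
	for label, pub := range recipients {
		// Only the 32-byte CEK goes through RSA; attachment size is irrelevant.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, fmt.Errorf("wrap CEK for %s: %w", label, err)
		}
		env.RecipientKeys[label] = wrapped
	}
	return env, nil
}

// Open recovers the CEK with one recipient's RSA private key and decrypts the
// payload. It fails for a wrong key, an unknown label, or altered ciphertext.
func Open(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.RecipientKeys[label]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for recipient %q", label)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap CEK: %w", err)
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // tag check happens here
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: two recipient key pairs and a ~650 KB payload.
	smith, _ := rsa.GenerateKey(rand.Reader, 2048)
	jones, _ := rsa.GenerateKey(rand.Reader, 2048)
	attachment := bytes.Repeat([]byte("account data\n"), 50000)
	env, err := Seal(attachment, map[string]*rsa.PublicKey{"smith": &smith.PublicKey, "jones": &jones.PublicKey})
	if err != nil {
		panic(err)
	}
	got, err := Open(env, "jones", jones)
	fmt.Printf("payload %d bytes, wrapped CEK %d bytes, ok=%v err=%v\n",
		len(env.Ciphertext), len(env.RecipientKeys["jones"]), bytes.Equal(got, attachment), err)
}
```

Two caveats a practitioner would want: this envelope is not interoperable with S/MIME mail clients (for that, use the platform's CMS implementation, as the reply recommends), and it says nothing about who sent the message; S/MIME adds a separate signature for that, and GCM only detects tampering of the ciphertext.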


