Re: CryptoAPI, System.Security.Cryptography Interoperability

From: Valery Pryamikov (valery_at_harper.no)
Date: 07/18/05


Date: Mon, 18 Jul 2005 21:46:20 +0200

Tom,
A tip for next time, if you want your question to be answered ;-):
try asking a short question, include the line of code that is failing, and
don't forget to say what error you get.

In your case I guess you are getting a padding error. That's because the RSA
CryptoAPI implementation expects little endian, whereas .NET gives you
big endian. Reverse your bytes before you pass them to CryptoAPI.
BTW: you don't need to encrypt the IV - there is no use encrypting it; you
don't get any extra security by doing that.

-Valery.
http://www.harper.no/valery

"Tom at SDI" <notmyreal@email.com> wrote in message
news:ubxLjAIiFHA.4000@TK2MSFTNGP12.phx.gbl...
> I'm developing a WebService using C#. I've got a client app that is
> non-dot-net and thus will be invoking the Windows CryptoAPI directly.
> While tons of documentation states that .NET Cryptography is based on the
> CryptoAPI, I can't find anything showing any correspondence between the
> .NET routines and the CryptoAPI.
>
> What I'd like to do is (I would think) simple.
>
> 1. Upon establishing a connection, the two machines exchange public keys.
> 2. If sending sensitive data from the client to the server,
> 2a. Client creates a session (i.e., symmetric) key and uses it to encrypt
> the data.
> 2b. Client encrypts the session key with the server's public key.
> 2c. Client creates a temp file with (public-key) encrypted session key
> first and (session-key) encrypted data after.
> 2d. Client sends data to server.
> 3. Server then keeps data in its encrypted state until support comes to
> pick it up. This way, even if somehow the server is compromised and
> someone illegally gets to this data, it will be useless to them.
>
> I am trying to go about creating a test program. If anyone has a better
> idea, please tell me.
>
> Here's the relevant snippet from the C# program:
> -----------------------
> public bool DoEncrypt()
> {
>     CspParameters cp = new CspParameters();
>     cp.KeyContainerName = SDI_CONTAINER;
>
>     RSACryptoServiceProvider rsaSvc = new RSACryptoServiceProvider(cp);
>     byte[] byarrEncSKey;
>     byte[] byarrEncSIV;
>
>     RC2CryptoServiceProvider rc2Svc = new RC2CryptoServiceProvider();
>     rc2Svc.GenerateKey();
>     rc2Svc.GenerateIV();
>
>     byarrEncSKey = rsaSvc.Encrypt(rc2Svc.Key, false);
>     byarrEncSIV = rsaSvc.Encrypt(rc2Svc.IV, false);
>
>     // ... The two byte arrays are written to the output file ...
>     // Input/Output streams, byte arrays (byDataIn, byDataOut) declared.
>
>     ICryptoTransform encryptor = rc2Svc.CreateEncryptor();
>
>     while // ... not the last block of the input file ...
>     {
>         iActRead = streamInFile.Read(byDataIn, 0, iBlockSize);
>         iEncBlockSize = encryptor.TransformBlock(byDataIn, 0, iActRead,
>                                                  byDataOut, 0);
>         streamOutFile.Write(byDataOut, 0, iEncBlockSize);
>     }
>
>     // Transform the remainder as the final block.
>     iActRead = streamInFile.Read(byDataIn, 0, iBlockSize);
>     byDataOut = encryptor.TransformFinalBlock(byDataIn, 0, iActRead);
>     streamOutFile.Write(byDataOut, 0, byDataOut.Length);
>
>     // Streams closed.
> }
> -----------------------
>
> Now I'm trying to write a C program that decrypts what the above wrote.
> I'm getting caught immediately on the session key/IV decryption. Here's
> the relevant part of the C code:
>
> -----------------------
> bool CEncDec::DoDecrypt()
> {
>     // Input/Output files opened, byte pointers (pByEncKey, pByEncIV) declared.
>     // Memory malloc'd and encrypted key, IV are read in.
>
>     HCRYPTPROV hProv = 0;
>     HCRYPTKEY hRsaKey = 0;
>     if (!CryptAcquireContext(
>             &hProv,
>             "MyContainer",
>             NULL,
>             PROV_RSA_FULL,
>             0))
>     {
>         FormatLastWinErr("Error during CryptAcquireContext: ");
>     }
>     else
>     {
>         if (!CryptGetUserKey(hProv, AT_KEYEXCHANGE, &hRsaKey))
>             FormatLastWinErr("Error getting exchange key: ");
>         else
>         {
>             // hProv == RSA Provider
>             // hRsaKey == Asym RSA Key, also called the Exchange Key
>             DWORD dwActKeyLen = byKeyLen;
>             DWORD dwActIVLen = byIVLen;
>             // Below call to CryptDecrypt is currently failing. What else do I need?
>             if (!CryptDecrypt(hRsaKey, 0, true, 0, pByEncKey, &dwActKeyLen))
>                 FormatLastWinErr("Error decrypting Session Key: ");
>             else
>             {
>                 if (!CryptDecrypt(hRsaKey, 0, true, 0, pByEncIV, &dwActIVLen))
>                     FormatLastWinErr("Error decrypting Session IV: ");
>                 else
>                 {
>                     // Temp Debug:
>                     printf("Key Read. ");
>                     ConsoleShowBytes(pByEncKey, dwActKeyLen);
>                     printf("IV Read. ");
>                     ConsoleShowBytes(pByEncIV, dwActIVLen);
>
>                     // *** TODO *** Decrypt the actual content ***
>
>                     bRetVal = true;
>                 }
>             }
>         }
>     }
>
>     // Destroy the key handle before releasing the provider context that owns it.
>     if (hRsaKey != 0)
>         CryptDestroyKey(hRsaKey);
>     if (hProv != 0)
>         CryptReleaseContext(hProv, 0);
>
>     return bRetVal;
> }
> -----------------------
>
> Anyone care to hazard a guess or provide guidance?
>
> Thanks,
>
> Tom
>
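
The byte-order mismatch described in the reply, modelled in Python as an added example (not code from the thread or from either library): one side emits the RSA ciphertext big-endian, the other reads it little-endian, so the PKCS#1 v1.5 padding check fails until the bytes are reversed. The key is a constructed toy key and all function names are hypothetical.

```python
import os

# Constructed demo key from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def dotnet_style_encrypt(msg: bytes) -> bytes:
    """PKCS#1 v1.5 encryption; the ciphertext is emitted big-endian,
    the order the reply says .NET gives you."""
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(msg)))  # non-zero pad
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def capi_style_decrypt(blob: bytes) -> bytes:
    """Decryption that reads its input little-endian, the order the reply
    says the CryptoAPI RSA implementation expects."""
    c = int.from_bytes(blob, "little")
    if len(blob) != K or c >= N:
        raise ValueError("bad data: ciphertext out of range")
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)  # separator after at least 8 padding bytes
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad data: PKCS#1 padding check failed")
    return em[sep + 1:]


def decrypt_dotnet_blob(blob: bytes) -> bytes:
    """The fix from the reply: reverse the bytes, then decrypt."""
    return capi_style_decrypt(blob[::-1])


def try_decrypt(blob: bytes) -> str:
    """Return the outcome as text so both orders can be shown side by side."""
    try:
        return "ok: " + capi_style_decrypt(blob).hex()
    except ValueError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    session_key = bytes(range(16))  # constructed 128-bit session key
    blob = dotnet_style_encrypt(session_key)
    print("as received:", try_decrypt(blob))
    print("reversed   :", try_decrypt(blob[::-1]))
```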


