Re: Problems with public key decryption with RSA




Hi,

I am also working on a similar solution. That is, I want to encrypt the
data with the private key (from a smart card) and decrypt the data using
the public key in a web service.

To do this, I am using the CryptoAPI. Right now I am trying to do this
without using the web server, implementing it as a form-based
application.

I have been able to encrypt with the private key and decrypt with the
public key on a machine. But when I take that code to any other machine,
the decryption fails.

I am pasting the code I am using for decryption below. Any idea on how
to go about it?

//--------------
hSysStore = CertOpenSystemStore(IntPtr.Zero, HeaderConstants.OtherStore); // MyStore

// Find the certificate in the store using the subject string "rachit".
// This function returns a handle to the certificate.
pDesiredCert = CertFindCertificateInStore(hSysStore,
    HeaderConstants.X509_ASN_ENCODING, 0,
    HeaderConstants.CERT_FIND_SUBJECT_STR, "rachit", pDesiredCert);

// Acquires the private key for the specified certificate.
resultPK = CryptAcquireCertificatePrivateKey(
    pDesiredCert,
    HeaderConstants.CRYPT_ACQUIRE_USE_PROV_INFO_FLAG | HeaderConstants.CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
    0,
    ref hKey,        // Pointer to the returned HCRYPTPROV value
    // Pointer to a uint value identifying the private key to use from the
    // acquired provider's key container. It can be AT_KEYEXCHANGE or AT_SIGNATURE.
    ref dwKeySpec,
    ref fCallerFreeProv);

// Retrieves a handle of one of a user's two public/private key pairs.
resultPK = CryptGetUserKey(hKey, dwKeySpec, ref hPublicKey);

buffer = new byte[dataLength];
Buffer.BlockCopy(data, 0, buffer, 0, data.Length);
dataLength = (uint)data.Length;
bufLength = (uint)buffer.Length;
CryptDecrypt(hPublicKey, IntPtr.Zero, true, 0, buffer, ref dataLength);
//--------------

Rajesh

jared wrote:
*a1. Generate a random symmetric key on the server.
a2. Encrypt the symmetric key with the server's own public key.
a3. Sign the encrypted key blob with the server's own private key.
a4. Store the signed, encrypted blob someplace.
-----------------
To encrypt a package:
e1. retrieve what you believe to be the signed, encrypted symmetric keyblob.
e2. verify the signature on the key blob using the server's public key
e3. if the signature is valid, decrypt the symmetric key using the server's public key.
e4. use the plaintext symmetric key to encrypt the data you want to send to the client.
e5. erase the plaintext symmetric key from memory
e6. store a signed md5 hash of the encrypted client data
e7. store the encrypted client data
---------------
To send a formerly encrypted package to a client:
s1. retrieve the encrypted client data and your signed hash of it
s2. verify the integrity of the encrypted client data
s3. initiate Diffie Hellman key agreement between the server and client, the result of which will be your key transport session key
s4. use e1, e2, e3 above to get a plaintext version of your symmetric data encryption key
s5. re-encrypt the symmetric data encryption key using the key transport session key agreed upon via Diffie Hellman
s6. send the encrypted symmetric data encryption key to the client machine
s7. erase the plaintext data encryption key from memory
s8. erase the key transport session key from memory
-----------
The client machine should decrypt the symmetric key using its copy of
the key transport session key, decrypt the data you just sent it, and
erase both keys from memory as soon as possible. Your secret symmetric
key should never reside anywhere in plaintext when it is not actually
in use, and should only be stored protected by the server's private key
(which itself, ideally, will only exist in hardware).

The hard part is implementing Diffie Hellman, and I'm guessing there's
a good free implementation available.

Cheers- *



--
Rajesh.Thareja
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1384679.html
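
Added example, not part of the thread: steps s3 to s8 of the quoted procedure in C#, using .NET's built-in elliptic-curve Diffie-Hellman (ECDiffieHellman) in place of classic Diffie-Hellman, and AES-GCM for the key wrap. It assumes .NET 8 or later; the class name, the blob layout and the random stand-in data key are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class KeyTransportDemo
{
    // s3: each side combines its private key with the peer's public key (SHA-256 of the secret).
    static byte[] Agree(ECDiffieHellman self, ECDiffieHellmanPublicKey peer) =>
        self.DeriveKeyFromHash(peer, HashAlgorithmName.SHA256);

    // s5: wrap the data key with AES-GCM. Example layout: nonce(12) || tag(16) || ciphertext.
    static byte[] Wrap(byte[] transportKey, byte[] dataKey)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16];
        byte[] ct = new byte[dataKey.Length];
        using var aes = new AesGcm(transportKey, 16);
        aes.Encrypt(nonce, dataKey, ct, tag);
        byte[] blob = new byte[28 + ct.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, 12);
        ct.CopyTo(blob, 28);
        return blob;
    }

    // Client side: throws CryptographicException if the blob was modified in transit.
    static byte[] Unwrap(byte[] transportKey, byte[] blob)
    {
        if (blob.Length < 28) throw new CryptographicException("blob too short");
        byte[] dataKey = new byte[blob.Length - 28];
        using var aes = new AesGcm(transportKey, 16);
        aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), dataKey);
        return dataKey;
    }

    static void Main()
    {
        using var server = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        using var client = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        // Constructed stand-in for the data key recovered in steps e1-e3.
        byte[] dataKey = RandomNumberGenerator.GetBytes(32);
        byte[] serverTk = Agree(server, client.PublicKey);
        byte[] blob = Wrap(serverTk, dataKey);             // s5, s6: only this blob is sent
        byte[] clientTk = Agree(client, server.PublicKey);
        byte[] received = Unwrap(clientTk, blob);
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(received, dataKey));
        // s7, s8 and the client's cleanup: erase every plaintext key once used.
        foreach (byte[] k in new[] { dataKey, serverTk, clientTk, received })
            CryptographicOperations.ZeroMemory(k);
    }
}
```

The key agreement shown here is unauthenticated, which leaves it open to an active man-in-the-middle; each side's public key has to be authenticated before the wrapped key is sent.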
