Re: CryptExport private key only

From: Alun Jones [MS MVP] (
Date: 11/06/03

Date: Thu, 06 Nov 2003 14:59:18 GMT

In article <eHO88H4mDHA.3612@TK2MSFTNGP11.phx.gbl>, "Anatoly" <> wrote:
>from conventional use of Public/Private key pairs, it seems that one is
>supposed to use the public key to encrypt data and private key to always
>decrypt data.

Not necessarily. They are a pair of keys, one of which you keep hidden from
view. What you encrypt with one key may only be decrypted with the other
key from that pair.

>Is it legitimate to interchange the private/public keys in their purpose?
>that is can I use the public key to decrypt and private to encrypt and
>benefit from the same level of protection as the conventional scenario?

No - if you encrypt using your private key, anyone can decrypt it, because
anyone has access to your public key (that's what 'public' means - you
publish it to the world). That's not to say that this has no use, just that
encrypting with your private key does not provide the same kind of
protection as encrypting with your public key.

The use that this is commonly put to is "non-repudiation". If you encrypt
something with your private key, then everyone who receives and decrypts
that data knows that it can only have come from you. Because
public(/private) key encryption takes a long time, it's usual that what is
encrypted is not the message that you're asserting came from you, but a
'hash' of that message. Someone who wants to check that the message came
from you will compute their own hash of the message, and will compare that
with the decrypted hash from your signature.

>I seem to have been able to reproduce the exact results when exporting
>encrypting a symmetric type of key into a blob while protecting it with
>either public and private key, and then importing it from the blob again
>using the opposite key (private or public), and decrypting the data with
>that imported symmetric key. The resulting output data is exactly the same
>as the input data.
>So does this mean that mathematically the private and public keys are

Mathematically, you have a matched pair of keys (specific to the
encryption algorithm chosen), that can work to decrypt and encrypt against
one another's encrypted and decrypted data. What makes one private and the
other public is the fact that you keep one of them hidden, and publish the
other one. You could simply describe this as asymmetric key encryption,
because a different key is used to decrypt than is used to encrypt, but the
power of the system as a whole is only available when one key is published
and the other kept closely guarded.


[Please don't email posters, if a Usenet response is appropriate.]

Texas Imperial Software   | Find us at or email
1602 Harvest Moon Place   |
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.