RE: Authenticode Certificate Asymmetric Encryption/Decryption Doesn't

1. The probable cause is that the authenticode certificate says that the
private key is for SIGNING only - and you try to use it for decryption.

2. What is the point of using private / public keys to encrypt / decrypt
data in your application if the PRIVATE KEY is stored inside your code?
- a cracker can find it, then calculate the public keay and can encrypt any
data of his choice (to replace your data - activa attack)
- the carcker can wait until the app decrypts the data then it is known and
can be saved from the app's memory (passive attack)
- decrypting with private key is SLOW

Can you tell WHY are you trying to do this strange encrypt / decrypt? What
is your threat model? (ie. what are you trying to protect from?)

If you really need to encrypt some data then just as well you can use
secret-key (eg. AES) encryption. The protection would be the same (as the key
embedded in your code anyway) - but AES at least would be much faster and
would allow any size data.

Laszlo Elteto
SafeNet, Inc.

"SugarDaddy" wrote:

I wrote an app to encrypt strings using the public key within an
authenticode certificate purchased from Thawte. The app will also use
the private key to (attempt to) decrypt the resulting cypher text as
well.

The problem is, I get a "Bad key" message every time I try to
decrypt. The actual C# code is pretty simple:

public static byte[] EncryptStringAsym(string ptext, X509Certificate2
cert, out string error)
{
error = string.Empty;

byte[] encBytes = null;
try
{
RSACryptoServiceProvider rsa =
(RSACryptoServiceProvider)cert.PublicKey.Key;
encBytes = rsa.Encrypt(Encoding.UTF8.GetBytes(ptext),
false);
}
catch (Exception x)
{
error = x.Message;
}

return encBytes;
}

public static string DecryptStringAsym(byte[] ctext, X509Certificate2
cert, out string error)
{
error = string.Empty;

if (!cert.HasPrivateKey)
{
error = "Private key required to decrypt.";
return null;
}

byte[] decBytes = null;
try
{
RSACryptoServiceProvider rsa =
(RSACryptoServiceProvider)cert.PrivateKey;
decBytes = rsa.Decrypt(ctext, false);
}
catch (Exception x)
{
error = x.Message;
}

return (decBytes == null ? null :
Encoding.UTF8.GetString(decBytes));
}

I also generated a certificate using makecert to test it and it
decrypts the text just fine. I am aware of the block size issue. My
messages don't exceed the size of the block (on the authenticode it's
256, on the custom cert it's 128).

Any ideas on why this could be?


.

Relevant Pages

  • [OT] Re: Basic question about Public Private Key Pairs
    ... > and private keys allow me to decrypt, but vice versa is not possible (or ... a public key and a corresponding private key. ... You can encrypt something with each key; ...
    (microsoft.public.dotnet.security)
  • Re: Back Doors
    ... >> Design into the system a master key. ... Encrypt that with public key. ... Decrypt random symmetric key with private key. ...
    (sci.crypt)
  • Re: More on learning "Public Key Authentication"
    ... let me say that in public key ... >> encrypt the result with Alice's public key. ... >> is sent to Alice who decrypts the message with her private key (which ... > encrypted with my private key and they can then decrypt it with the ...
    (comp.sys.mac.system)
  • Re: RSACryptoServiceProvider decrypt with public key
    ... key/decrypt with the private key and encrypt with the private key/decrypt ... encrypt data and send it back to Alice. ... only she can decrypt Bob's data. ... see the public key and the encrypted data, but she could not decrypt Bob's ...
    (microsoft.public.dotnet.security)
  • Re: EFS File Recovery
    ... and settings associated with the security boundary. ... > I have also tried to use my user private key to decrypt these files that are> on non-domain server2003 box without success. ... How can this be considered a solution to anything when there> are no keys that can ultimatly decrypt the files when all else fails,> including all domain manhines???? ... > how he cannot have his stock investment files because the domain in which> was used to encrypt the files no longer exsists, and although we do have his> data backed up, we cannot decrypt the data because the keys that were used> to encrypt that are no longer any good. ...
    (microsoft.public.windows.server.security)