Re: Authenticode Certificate Asymmetric Encryption/Decryption Doesn't



On Oct 29, 7:16 pm, lelteto <lelt...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
1. The probable cause is that the authenticode certificate says that the
private key is for SIGNING only - and you try to use it for decryption.

2. What is the point of using private / public keys to encrypt / decrypt
data in your application if the PRIVATE KEY is stored inside your code?
- a cracker can find it, then calculate the public key and can encrypt any
data of his choice (to replace your data - active attack)
- the cracker can wait until the app decrypts the data then it is known and
can be saved from the app's memory (passive attack)
- decrypting with private key is SLOW

Can you tell WHY are you trying to do this strange encrypt / decrypt? What
is your threat model? (ie. what are you trying to protect from?)

If you really need to encrypt some data then just as well you can use
secret-key (eg. AES) encryption. The protection would be the same (as the key
embedded in your code anyway) - but AES at least would be much faster and
would allow any size data.

Laszlo Elteto
SafeNet, Inc.

Hey Laszlo, thanks for the reply. That was pretty much the answer I
was looking for. You can probably tell that I'm not a security guy.
I was actually doing this as an exercise, and I didn't understand why
the authenticode cert wasn't working. It was the only commercial cert
I had to attempt the test.

You're right. It was purchased as a code-signing cert. I wasn't
aware that you needed a special type of cert in order to do encryption/
decryption with. As I said, this was merely an exercise for me to get
asymmetric encryption to work. I have already implemented some decent
symmetric encryption methods using Rijndael. I needed an asymmetric
solution as well.

Anyway, the final solution is something like this:
http://www.codeguru.com/csharp/.net/net_security/encryption/article.php/c8511/

Thank you for your help.
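
An added example, not part of the original posts: a C# check of a certificate's Key Usage extension before its key pair is used for encryption, which is one way to see the signing-only restriction described in the reply above. It assumes a .NET version that provides CertificateRequest; the class name, helper names and the two self-signed sample certificates are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertUsageCheck
{
    // True when the Key Usage extension permits encryption/decryption
    // (keyEncipherment or dataEncipherment). If the extension is absent,
    // the certificate declares no restriction, so this returns true.
    static bool AllowsEncryption(X509Certificate2 cert)
    {
        const X509KeyUsageFlags enc =
            X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment;

        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is X509KeyUsageExtension ku)
                return (ku.KeyUsages & enc) != 0;
        }
        return true;
    }

    // Builds a throwaway self-signed certificate with the given key usage.
    // Constructed sample data, standing in for a real commercial certificate.
    static X509Certificate2 MakeSample(string name, X509KeyUsageFlags usage)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(
            "CN=" + name, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        // One signing-only certificate (as a code-signing cert would be marked)
        // and one marked for key exchange.
        var signing = MakeSample("signing-only", X509KeyUsageFlags.DigitalSignature);
        var exchange = MakeSample("key-exchange", X509KeyUsageFlags.KeyEncipherment);

        foreach (var cert in new[] { signing, exchange })
            Console.WriteLine($"{cert.Subject}: encryption allowed = {AllowsEncryption(cert)}");
    }
}
```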
