RSA Encryption without Session Keys - (I know it's a bad idea)
- From: windcliff <windcliff@xxxxxxxxx>
- Date: Wed, 18 Jun 2008 07:30:08 -0700 (PDT)
I'm looking into replacing OpenSSL in my application with CryptoAPI.
The problem I've run into is my application uses OpenSSL to encrypt
passwords with a public key. This "encrypted" password is transmitted
to a server that decrypts the password with the appropriate private
key. I understand the correct thing to do would be to generate a
symmetric session key, encrypt the password with the session key,
encrypt the session key with the public key, and then transmit both
the encrypted key and message to the server. However, I can't do that;
I've been told to maintain backward compatibility, i.e., I can't touch
the server.
The samples that illustrate RSA usage all seem to follow the method of
generating a symmetric key. Is there a sample available that just
demonstrates a straight public-key encryption of a message without a
symmetric key? Am I mistaken in assuming that CryptoAPI seems oriented
towards the generation of symmetric session keys when using asymmetric
encryption? Is there a way I can use my public key as my session key?
Any hints/help would be appreciated.
Thanks,
S