Re: EncryptByCert Problem



Also, in the meantime, you may want to use the following reference:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptencrypt.asp

The relevant paragraph extracted from above is:

The Microsoft Enhanced Cryptographic Provider supports direct encryption
with RSA public keys and decryption with RSA private keys. The encryption
uses PKCS #1 padding. On decryption, this padding is verified. The length of
plaintext data that can be encrypted with a call to CryptEncrypt with an RSA
key is the length of the key modulus minus eleven bytes. The eleven bytes is
the chosen minimum for PKCS #1 padding. The ciphertext is returned in
little-endian format.

Thanks

--
Laurentiu Cristofor [MSFT]
Software Design Engineer
SQL Server Engine
http://blogs.msdn.com/lcris/

This posting is provided "AS IS" with no warranties, and confers no rights.

"Laurentiu Cristofor [MSFT]" <laur@xxxxxxxxxx> wrote in message
news:Ovyex47xGHA.1288@xxxxxxxxxxxxxxxxxxxxxxx
I'll ask for an update of these BOL topics to mention the restrictions
related to the key lengths. If you access BOL online, you can also rate
the articles and submit feedback directly. Here are the links for the
topics we discussed:

http://msdn2.microsoft.com/en-us/library/ms188061.aspx
http://msdn2.microsoft.com/en-us/library/ms186950.aspx

Thanks

--
Laurentiu Cristofor [MSFT]
Software Design Engineer
SQL Server Engine
http://blogs.msdn.com/lcris/

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Mike C#" <xyz@xxxxxxx> wrote in message
news:%23vuAcc6xGHA.3500@xxxxxxxxxxxxxxxxxxxxxxx
Someone needs to tell the BOL writers to update the page on this then.
It currently indicates that EncryptByCert can return a varbinary up to
8,000 bytes in length, which is ludicrous if the input is really limited
to 421 bytes and the output is limited to 432 bytes. I'm not advocating
using certificates and asymmetric keys to encrypt all data. I am
advocating accurate documentation of system limitations.

"Laurentiu Cristofor [MSFT]" <laur@xxxxxxxxxx> wrote in message
news:e2ASWY6xGHA.4336@xxxxxxxxxxxxxxxxxxxxxxx
Yes, this is a restriction of asymmetric key encryption - the actual
data that you can encrypt with one call will depend on the size of the
private key that is used.

For example: 512 bit RSA key can encrypt up to 53 bytes, 1024 bit up to
117 bytes, and 2048 bit up to 245 bytes.

See http://blogs.msdn.com/yukondoit/archive/2005/11/24/496521.aspx for a
workaround, if you really want to encrypt more.

Certificates should only be used to protect other keys, not to encrypt
data directly, so this limit does not impact the intended use of
certificates.

Thanks

--
Laurentiu Cristofor [MSFT]
Software Design Engineer
SQL Server Engine
http://blogs.msdn.com/lcris/

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Mike C#" <xyz@xxxxxxx> wrote in message
news:fuaHg.586$k%3.406@xxxxxxxxxxxxxxx
I posted this message to the wrong group (sqlserver.programming), so I'm
reposting here. Sorry for the repost... it's late... so here goes:

OK, so I'm testing EncryptByCert with some code like the following:

DECLARE @v varchar(8000);
SELECT @v = REPLICATE('A', 117);
SELECT @v;
DECLARE @e varbinary(8000);
SELECT @e = EncryptByCert(Cert_ID(N'TestCertificate'), @v);
SELECT @e;

The function encrypts fine and I'm able to use DecryptByCert to get the
result. Problem is if I change the line SELECT @v = REPLICATE('A',
117) to:

SELECT @v = REPLICATE('A', 118);

The EncryptByCert function returns NULL every time with 118 or higher.
BOL states that the result is returned as a varbinary with a max length
of 8,000. I keep getting a varbinary with a max length of 128. Can
anyone else reproduce this, or am I doing something wrong?

Thanks
