Public encryption

Thread starter: Sam Johnson

Sam Johnson

Hi

I'm currently developing two applications (in VB.NET)
that shall communicate in a secure way. As a matter of
fact, I wanted to use the RSA public key infrastructure
for this. One application creates a public and a private
key and sends the public key to the other application (I
only need one-way-communication), so that this one is
able to send encrypted messages to the first application.
Now, I've read about the RSA Cryptographic Provider in
the documentation, but I still don't get how to extract
the public key out of such an instance so that I can send
it. How can I create a public and a private key
correctly? Can anyone help me with this?

Thanks
Sam
 
RSA has:
public override string ToXmlString(bool includePrivateParameters);

And a FromXmlString() method as well. You can use that to pass around the
params.

-mike
MVP
 
Just a question: How do you authenticate the messages? If you use RSA, you
know that only the intended recipient can decrypt, but you still leave it
open for someone to send a false message. (Everyone has the public key).
-mike
MVP
 
You're right with this. By the way, what possibilities exist to authenticate
securely in the context Sam described?
 
Well, he didn't really describe a context :).

Since he's using RSA, I'd suggest using RSA to sign each outgoing message.
Other options could be with a shared secret (make sure you double hash to
avoid length extension!) but if he could do shared secrets, then I don't see
why he'd use RSA. So, I guess RSA both ways is the best.

For the block cipher, I hope he uses Rijndael, 256-bit keys.

-mike
MVP
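Putting the two points above together (hand the peer only the public half via ToXmlString(False)/FromXmlString, and sign each message with the sender's own RSA key so the recipient can reject anything not from that sender), here is an added VB.NET example; it is not code from this thread and assumes .NET Framework 4.6 or later (for the HashAlgorithmName overloads) and a constructed sample message.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module SignedRsaMessaging
    ' Receiver side: export ONLY the public half (includePrivateParameters:=False).
    Function ExportPublicKey(rsa As RSACryptoServiceProvider) As String
        Return rsa.ToXmlString(False)
    End Function

    ' Sender side: rebuild the peer's public key from the XML it sent.
    Function ImportPublicKey(xml As String) As RSACryptoServiceProvider
        Dim rsa As New RSACryptoServiceProvider()
        rsa.FromXmlString(xml)
        Return rsa
    End Function

    ' Sender signs with its own private key, then encrypts for the receiver (True = OAEP padding).
    Sub SealMessage(plaintext As Byte(), senderKey As RSACryptoServiceProvider,
                    receiverPub As RSACryptoServiceProvider,
                    ByRef ciphertext As Byte(), ByRef signature As Byte())
        signature = senderKey.SignData(plaintext, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
        ciphertext = receiverPub.Encrypt(plaintext, True)
    End Sub

    ' Receiver decrypts with its private key and refuses the message unless the signature verifies.
    Function OpenMessage(ciphertext As Byte(), signature As Byte(),
                         receiverKey As RSACryptoServiceProvider,
                         senderPub As RSACryptoServiceProvider) As Byte()
        Dim plaintext As Byte() = receiverKey.Decrypt(ciphertext, True)
        If Not senderPub.VerifyData(plaintext, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1) Then
            Throw New CryptographicException("signature check failed: not from the expected sender")
        End If
        Return plaintext
    End Function

    Sub Main()
        Dim receiver As New RSACryptoServiceProvider(2048)   ' Sam's first application
        Dim sender As New RSACryptoServiceProvider(2048)     ' Sam's second application
        ' Only the XML public keys cross the wire; private halves stay in their own process.
        Dim receiverPub As RSACryptoServiceProvider = ImportPublicKey(ExportPublicKey(receiver))
        Dim senderPub As RSACryptoServiceProvider = ImportPublicKey(ExportPublicKey(sender))

        Dim ct As Byte() = Nothing, sig As Byte() = Nothing
        SealMessage(Encoding.UTF8.GetBytes("hello from app two"), sender, receiverPub, ct, sig)   ' constructed sample
        Console.WriteLine(Encoding.UTF8.GetString(OpenMessage(ct, sig, receiver, senderPub)))

        sig(0) = sig(0) Xor CByte(1)   ' a forged or altered signature is rejected on the receiving side
        Try
            OpenMessage(ct, sig, receiver, senderPub)
        Catch ex As CryptographicException
            Console.WriteLine("rejected: " & ex.Message)
        End Try
    End Sub
End Module
```

RSA-OAEP under a 2048-bit key only accepts a short plaintext, so for anything larger encrypt the message with a random AES key (the session key discussed below), RSA-encrypt just that key, and still sign the whole envelope.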
 
For local secure encryption to recipients where there is a secure channel,
Sam's approach is fine. Also, if the session key is not reused (strongly
recommended) it is fairly secure, provided the encrypted content is secured.

However, as described here:

http://msdn.microsoft.com/library/d...urity/procedure_for_storing_a_session_key.asp
if it is planned to reuse the session key, and the medium storing the key is compromised,
then no authentication is provided.
The best bet in this case is to sign the enveloped blob.

A forthcoming article to MSDN Security site will discuss various ways to extract
public and private key properties from CryptoAPI cert stores for use with .NET
RSACryptoServiceProvider.

- Michel Gallant
Visual Security MVP
 