3

I want to encrypt some data with my private RSA key and then decrypt it on the client machine with the public key. As far as I know, this is a normal way of using RSA. However, as far as I see, there is a problem with this in RSACryptoServiceProvider of the .NET Framework. While the decryption works fine when you provide both the public and the private key to the RSACryptoServiceProvider, it doesn't when you only provide only the public key. In this case, I get a padding error:

Error occurred while decoding OAEP padding.

at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)

Notes :

  • I encrypt/decrypt with fOAEP set to true.
  • I use a 1024 key size and the data that I want to encrypt are no longer than 65 bytes.
  • I load my keys from XML.

Am I missing sth? I don't see any setting for the padding that I can change.

Definitely, I can't send my private key to the client machine...

Should I try another library like Bouncy Castle ?

I have found this question too, but there is no clear solution and, according to the author, his final solution was to use code from this article. However, I would prefer to use the .NET Framework's code if possible and I don't understand why my decryption fails.

Also, I don't think that my data is so long that this answer is of any relevance.

Perhaps I could use SignHash()/VerifyHash() but I think those calculate the hash from the data before encrypting it while I already have a hash computed and I just need to encrypt it. Using SignHash() will limit the variety of hashing algorithms that I could use, so it may be better to avoid it.

Improve this question
5
  • 2
    "I want to encrypt some data with my private RSA key and then decrypt it on the client machine with the public key." I think you've got that backwards. You can only decrypt with the private key, but you can encrypt with the public key. Commented Aug 5, 2013 at 20:44
  • 1
    @Steven V : When you sign a hash that is used to authenticate the source of some data (adding digital signature), isn't the signature the encrypted hash which was encrypted using the private key? That's what I want to do. Commented Aug 5, 2013 at 20:47
  • en.wikipedia.org/wiki/Public-key_cryptography "Each user has a pair of cryptographic keys – a public encryption key and a private decryption key." Commented Aug 5, 2013 at 20:52
  • @Orch : Yes, I know that. I just need to sign a hash with my private key (creating a digital signature) and release to the public my public key (so that they authenticate the origin of the data that I send). Commented Aug 5, 2013 at 20:56
  • Your RSA key size is rather low, see keylength.com for good sizes. With such a key size, SHA-1 may not be your largest problem. Commented Aug 6, 2013 at 0:50

1 Answer 1

Reset to default
1

A signature generation contains 3 distinct parts. First the hash is calculated, then padding is added and finally RSA performs modular exponentiation (possibly helped by using the Chinese Remainder Theorem to speed things up).

All three of these parts of signature generation are part of the signature algorithm. It is wrong to think of signature generation as three distinct parts. It is particularly wrong to think of RSA signature generation as using RSA encryption. RSA encryption uses it's own padding mechanisms which are incompatible with the ones used for signing.

This is all very well explained in the PKCS#1 v2.2 standard.

The main mathematical operation in each primitive is exponentiation, as in the encryption and decryption primitives of Section 5.1. RSASP1 and RSAVP1 are the same as RSADP and RSAEP except for the names of their input and output arguments; they are distinguished as they are intended for different purposes.

So even the standard very explicitly uses different functions, even though they perform essentially the same mathematical operation.

The final outcome is simply this: you must use the RSACryptoServiceProvider class for PKCS#1 v1.5 compatible signatures, or the Bouncy Castle C# libraries to use the newer RSA PSS signature scheme. If you want to create a signature for a pre-calculated hash, use SignHash, although - as you mentioned - this function is currently restricted to SHA-1 or MD5.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.