Reverse Encryption in .NET

Discussion in 'ASP .Net Security' started by James Chou, Feb 26, 2004.

  1. James Chou

    James Chou Guest

    Hi,

    I saw several posts asking for reverse encryption (encrypt with
    private key instead of public key) in .NET. I am having the same
    question and wonder anybody has a good solution to it.

    Basically, my client application generates a key pair and exports the
    public key to server. The client application needs to encrypt a string
    with the private key and send it to server. Server authenticates the
    client after decrypting the string with the public key. It looks like a
    very simple procedure but it seems impossible with the RSA encryption
    provided by .NET. The Encrypt() method of RSACryptoServiceProvider
    seems to do encryption with public key ONLY. It does use private key
    to encrypt content when generating a signature though.

    Does anybody have a solution to it? If .NET doesn't support it, is
    there any way I can do it through Win32 CryptoAPI?


    Thanks

    James
     
    James Chou, Feb 26, 2004
    #1

  2. I don't know the value of this method for your business but certainly, from
    a security perspective, its value is null. Worse yet, it's highly
    "insecure". I wonder why you don't create the key pair on the server side
    and send the public key to the client, so he can use this key to encrypt
    the message (as normal practice) and decrypt it on the server with its
    private key. In the signature scenario, the point is different because of
    the nature of the signature procedure (see specs): this procedure DOES need
    to be done by encrypting the hash with the private key in order for the
    receiver to decrypt it with its public key, therefore achieving the
    "non-repudiation" key goal of digital signatures. The scenario you are
    describing applies to the signature case.


    "James Chou" <> wrote in message
    news:...
    > Hi,
    >
    > I saw several posts asking for reverse encryption (encrypt with
    > private key instead of public key) in .NET. I am having the same
    > question and wonder anybody has a good solution to it.
    >
    > Basically, my client application generates a key pair and exports the
    > public key to server. The client application needs to encrypt a string
    > with the private key and send it to server. Server authenticates the
    > client after decrypting the string with the public key. It looks like a
    > very simple procedure but it seems impossible with the RSA encryption
    > provided by .NET. The Encrypt() method of RSACryptoServiceProvider
    > seems to do encryption with public key ONLY. It does use private key
    > to encrypt content when generating a signature though.
    >
    > Does anybody have a solution to it? If .NET doesn't support it, is
    > there any way I can do it through Win32 CryptoAPI?
    >
    >
    > Thanks
    >
    > James
     
    Hernan de Lahitte, Feb 26, 2004
    #2

  3. James Chou

    james chou Guest

    Thanks for your reply. As I understand, one way to authenticate a client
    is to have server use client's public key to decrypt a token that is
    encrypted with client's private key. That is exactly how a signature is
    generated and verified except signature is generated by encrypting a
    digest of a message. If a private key can be used to encrypt a digest of
    a message, why can it be used to encrypt the message? I believe it is
    technically possible. As a matter of fact, I even found a well known
    commercial PKI product that can do that. However, Windows CryptoAPI and
    Java JCE (with default provider) don't provide this capability.

    To keep the private key at server and distribute the public key to
    clients doesn't seem to work. Every client can use the public key to
    encrypt something and server will be able to decrypt it with no
    problems. The server won't be able to tell which client is which unless
    we have a keypair for each client. Since the public key is a public
    information, everyone including unauthorized users can get it and use it
    to access the server.

    For my usage, looks like the signature will do it. However, I am
    interested in the reason why reverse encryption is not provided in
    Windows CryptoAPI and Java JCE.

    Again, thanks for your information. Really appreciate that.



     
    james chou, Feb 27, 2004
    #3
  4. I agree with the signature scheme for your scenario. Regarding your question
    about encrypting with the private key, I guess (IMO) the CAPI and JCE might
    adhere to the PKCS#1 standard
    (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf) and therefore
    only permit encrypting with the public key and decrypting with the private
    key.

    See section 7 of the above document.

    7 Encryption schemes

    For the purposes of this document, an encryption scheme consists of an
    encryption operation and a decryption operation, where the encryption
    operation produces a ciphertext from a message with a recipient's RSA public
    key, and the decryption operation recovers the message from the ciphertext
    with the recipient's corresponding RSA private key.



    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl



    "james chou" <> wrote in message
    news:%23Q8EHVN$...
    > Thanks for your reply. As I understand, one way to authenticate a client
    > is to have server use client's public key to decrypt a token that is
    > encrypted with client's private key. That is exactly how a signature is
    > generated and verified except signature is generated by encrypting a
    > digest of a message. If a private key can be used to encrypt a digest of
    > a message, why can it be used to encrypt the message? I believe it is
    > technically possible. As a matter of fact, I even found a well known
    > commercial PKI product that can do that. However, Windows CryptoAPI and
    > Java JCE (with default provider) don't provide this capability.
    >
    > To keep the private key at server and distribute the public key to
    > clients doesn't seem to work. Every client can use the public key to
    > encrypt something and server will be able to decrypt it with no
    > problems. The server won't be able to tell which client is which unless
    > we have a keypair for each client. Since the public key is a public
    > information, everyone including unauthorized users can get it and use it
    > to access the server.
    >
    > For my usage, looks like the signature will do it. However, I am
    > interested in the reason why reverse encryption is not provided in
    > Windows CryptoAPI and Java JCE.
    >
    > Again, thanks for your information. Really appreciate that.
    >
    >
    >
     
    Hernan de Lahitte, Feb 27, 2004
    #4
  5. James Chou

    james chou Guest

    Hi,

    Thank you for the link to the RSA document. I took a look at the
    document and was convinced that CAPI and JCE must follow that standard
    when implementing their encryption/decryption scheme. For folks that
    really want to do reverse encryption (for whatever reasons), they just
    have to look for something else.

    Thanks for your information.

    --James





     
    james chou, Feb 27, 2004
    #5
  6. Hi, I have the same problem. I checked out the answer you received and I
    would like to know how you finally resolved the problem. I need to reverse
    the keys because I would like to use it as an authentication method. My
    model depends on it.

    I would appreciate your help,

    Johanna Espinosa

    ----- James Chou wrote: -----

    Hi,

    I saw several posts asking for reverse encryption (encrypt with
    private key instead of public key) in .NET. I am having the same
    question and wonder anybody has a good solution to it.

    Basically, my client application generates a key pair and exports the
    public key to server. The client application needs to encrypt a string
    with the private key and send it to server. Server authenticates the
    client after decrypting the string with the public key. It looks like a
    very simple procedure but it seems impossible with the RSA encryption
    provided by .NET. The Encrypt() method of RSACryptoServiceProvider
    seems to do encryption with public key ONLY. It does use private key
    to encrypt content when generating a signature though.

    Does anybody have a solution to it? If .NET doesn't support it, is
    there any way I can do it through Win32 CryptoAPI?


    Thanks

    James
     
    Johanna Espinosa, Jun 1, 2004
    #6
  7. Well, I don't know if I'm missing something here but (IMO) I would call this
    a "verifying a digital signature" procedure. In this scenario, you sign (hash
    and encrypt with private key) a kind of token and on the server side you
    verify the signature with the client public key.
    The .NET classes follow the PKCS1 standard and won't let you do "reverse
    encryption" as you described.
    On the other hand, I wonder if the main reason for this kind of unusual
    scenario may be "confidentiality" that might give you this "reverse
    encryption" strategy. As you may already know, if you use the public key to
    decrypt the message, anybody with the public key (the term "public" is
    crucial here) will be able to decrypt it as well.
    So if you want to authenticate the client and to provide confidentiality at
    the same time, you should use the already known and proven practices and
    protocols and leave this kind of hack out of your security knowledge bag.

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Johanna Espinosa" <> wrote in message
    news:D...
    > Hi, I have the same problem. I checked out the answer you received and I
    > would like to know how you finally resolved the problem. I need to reverse
    > the keys because I would like to use it as an authentication method. My
    > model depends on it.
    >
    > I would appreciate your help,
    >
    > Johanna Espinosa
    >
    > ----- James Chou wrote: -----
    >
    > Hi,
    >
    > I saw several posts asking for reverse encryption (encrypt with
    > private key instead of public key) in .NET. I am having the same
    > question and wonder anybody has a good solution to it.
    >
    > Basically, my client application generates a key pair and exports the
    > public key to server. The client application needs to encrypt a string
    > with the private key and send it to server. Server authenticates the
    > client after decrypting the string with the public key. It looks like a
    > very simple procedure but it seems impossible with the RSA encryption
    > provided by .NET. The Encrypt() method of RSACryptoServiceProvider
    > seems to do encryption with public key ONLY. It does use private key
    > to encrypt content when generating a signature though.
    >
    > Does anybody have a solution to it? If .NET doesn't support it, is
    > there any way I can do it through Win32 CryptoAPI?
    >
    >
    > Thanks
    >
    > James
    >
     
    Hernan de Lahitte, Jun 2, 2004
    #7
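
    The signature-based authentication described in this thread (the client signs a token with its private key, the server verifies it with the client's registered public key), as an added example that is not part of any post. It assumes a modern .NET runtime (.NET Core 2.1 or later), and the random per-login challenge, the `Context` label and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SignatureAuthDemo
{
    // Domain-separation label (constructed for this example) so a signature
    // made for login cannot be reused as a signature over other data.
    static readonly byte[] Context = Encoding.UTF8.GetBytes("example-client-auth-v1:");

    // Server side: issue a fresh random challenge for each login attempt,
    // so a captured signature cannot be replayed later.
    static byte[] NewChallenge()
    {
        var nonce = new byte[32];
        RandomNumberGenerator.Fill(nonce);
        return nonce;
    }

    // Client side: sign (hash, then private-key operation) the challenge.
    static byte[] Sign(RSA clientKey, byte[] challenge) =>
        clientKey.SignData(Context.Concat(challenge).ToArray(),
                           HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Server side: verify using only the client's registered public key.
    static bool Verify(RSAParameters clientPublic, byte[] challenge, byte[] signature)
    {
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(clientPublic);
            return rsa.VerifyData(Context.Concat(challenge).ToArray(), signature,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        using (var client = RSA.Create(2048))
        using (var other = RSA.Create(2048))
        {
            RSAParameters registered = client.ExportParameters(false); // public part only
            byte[] challenge = NewChallenge();
            byte[] sig = Sign(client, challenge);

            Console.WriteLine(Verify(registered, challenge, sig));                    // genuine client
            Console.WriteLine(Verify(registered, NewChallenge(), sig));               // old signature, new challenge
            Console.WriteLine(Verify(registered, challenge, Sign(other, challenge))); // signed with a different key
        }
    }
}
```

    The server stores one public key per client, which is what lets it tell clients apart; the signed challenge proves possession of the matching private key without providing any confidentiality.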
  8. Thanks Hernan,

    I agree with you that reverse encryption isn't a good idea for
    confidentiality, but my problem is that funny me I have to propose a
    model for component authentication (academic purpose). Right now I just
    have a trivial idea but I would like your appreciation. Do you have an
    e-mail to write you? You can send it to

    Any help will be appreciated,


    Johanna Espinosa L.

     
    Johanna Espinosa, Jun 4, 2004
    #8
