Key encryption algorithm

  • Question

  • Is it possible to specify the key encryption algorithm when encrypting using the EnvelopedCms class?  The default algorithm is RSA OAEP, and it is not supported by the smart card middleware we are using.
    Friday, February 6, 2015 7:36 PM

Answers

  • Hello Armen,

    >> Is it possible to specify key encryption algorithm algorithm when encrypting using EnvelopedCms class?

    Not sure if “key encryption algorithm” means the third statement in the description from this link:

    The Encrypt(CmsRecipientCollection) method encrypts the contents of the CMS/PKCS #7 message by using the information for the specified list of recipients. The message is encrypted by using a message encryption key with a symmetric encryption algorithm such as triple DES. The message encryption key is then encrypted with the public key of each recipient.

    If it is, from my experience, I think this part work is not included in the EnvelopedCms, as it says we need to encrypt the message encryption key with the public key of each recipient, during this process, we can specify the algorithm.

    >> Key encryption algorithm is what I'm trying to specify, its part of the RecipientInfo.

    After searching for this class and its two derived classes, KeyAgreeRecipientInfo and KeyTransRecipientInfo, unfortunately it seems all three are read-only classes; they do not expose a property to set the algorithm.

    If I misunderstand, please feel free to let me know.

    Regards.



    Monday, February 9, 2015 6:30 AM
    Moderator

All replies

  • I'm not familiar with the EnvelopedCms class, but the documentation says that it has constructors that allow you to specify the encryption algorithm
    • Edited by Blackwood Friday, February 6, 2015 7:52 PM Add link.
    Friday, February 6, 2015 7:52 PM
  • There are two encryption algorithms associated with Enveloped Data: one is the content encryption algorithm, which is what you can specify in the constructor, and the other is the key encryption algorithm.  The key encryption algorithm is what I'm trying to specify; it's part of the RecipientInfo.
    Friday, February 6, 2015 8:46 PM
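    The distinction above can be checked on real output: the key encryption algorithm cannot be set, but after Decode it can be read back from each RecipientInfo, so a message can be verified before it is handed to middleware that only supports PKCS#1 v1.5. This is an added example, not code from the thread or from Microsoft; the certificate path and the sample message are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CmsKeyAlgCheck
{
    // OIDs as they appear in KeyTransRecipientInfo.keyEncryptionAlgorithm.
    const string RsaPkcs1 = "1.2.840.113549.1.1.1"; // rsaEncryption (PKCS#1 v1.5)
    const string RsaOaep  = "1.2.840.113549.1.1.7"; // id-RSAES-OAEP

    static void Main()
    {
        // Assumption: the recipient's RSA certificate is stored in this file.
        var recipientCert = new X509Certificate2(@"C:\certs\recipient.cer");

        // The content encryption algorithm is the one the constructor lets you set
        // (AES-256-CBC here instead of the triple DES default).
        var cms = new EnvelopedCms(
            new ContentInfo(Encoding.UTF8.GetBytes("constructed sample message")),
            new AlgorithmIdentifier(new Oid("2.16.840.1.101.3.4.1.42")));

        cms.Encrypt(new CmsRecipient(SubjectIdentifierType.IssuerAndSerialNumber, recipientCert));
        byte[] encoded = cms.Encode();

        foreach (string oid in KeyEncryptionOids(encoded))
        {
            Console.WriteLine(
                oid == RsaOaep  ? "RSAES-OAEP (a PKCS#1 v1.5-only middleware will reject this)" :
                oid == RsaPkcs1 ? "rsaEncryption (PKCS#1 v1.5)" :
                                  "other key encryption algorithm: " + oid);
        }
    }

    // Decode the message and read the key encryption algorithm of every recipient.
    // RecipientInfo is read-only, as the thread says, but it is exactly the place
    // where the algorithm the message actually carries can be inspected.
    static string[] KeyEncryptionOids(byte[] encodedMessage)
    {
        var decoded = new EnvelopedCms();
        decoded.Decode(encodedMessage);
        var oids = new string[decoded.RecipientInfos.Count];
        for (int i = 0; i < oids.Length; i++)
            oids[i] = decoded.RecipientInfos[i].KeyEncryptionAlgorithm.Oid.Value;
        return oids;
    }
}
```

    The same decoded object exposes ContentEncryptionAlgorithm, which should report the AES OID passed to the constructor.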
  • Thanks for your reply, I found the same thing, that the KeyTransRecipientInfo class is read-only, so I was unable to change the key encryption algorithm.  I posted here in the hope that I was missing something and there is another way.

    It looks like the second parameter of the RSACryptoServiceProvider.Encrypt method takes a flag which, if true, performs direct RSA encryption using OAEP padding (only available on a computer running Microsoft Windows XP or later); otherwise, false to use PKCS#1 v1.5 padding.  Do you know if there is any way this can be used with the EnvelopedCms class?

    Monday, February 9, 2015 3:44 PM
  • Hello Armen,

    From my experience, they are two same-level classes, meaning they are two different ways to encrypt and decrypt the data and are independent of each other.

    Regards.



    Tuesday, February 10, 2015 7:05 AM
    Moderator
  • Hello Fred,

    Reading this thread while experiencing the same issue, I assume that behavior is a bug. The statement

    >> Key encryption algorithm is what I'm trying to specify, its part of the RecipientInfo.

    points into the right direction. RecipientInfo however is not part of the encryption process but used to examine received messages before decrypting them.

    To be correct, the key encryption algorithm is to be extracted from the certificate of the recipient.  Right now EnvelopedCms disregards this fact as long as one of the following conditions comes true:

    • one or more certificates are explicitly assigned to the Certificates collection property
    • one or more unprotected attributes are added to the UnprotectedAttributes collection property
    • the CmsRecipient's RecipientIdentifierType is set to SubjectIdentifierType.SubjectKeyIdentifier
    • the certificate's public key algorithm is some Diffie Hellman stuff.

    (see http://referencesource.microsoft.com/#System.Security/system/security/cryptography/pkcs/envelopedpkcs7.cs)

    The conditions mentioned above all have effects on the resulting message, like incorporating extra certificate information, extra unprotected attributes or using unsupported key identifiers. This fact results in incompatibility with interchange protocols we need to support.

    Apart from this, they seem weird. I do not know this kind of relationship between the message content and the key encryption algorithm from any of the common standards.

    Can you pass this into development?

    Best Regards
    Michael


    Friday, March 27, 2015 11:56 AM