Cryptography API, how to make RSA keys usable on another machine?

  • Question

  • Hi all,

    I use Cryptography API to generate RSA key pair, export it. Then use the key pair to encrypt/decrypt.

    This works perfectly on one machine. But after I copy the key pair to another machine, it doesn't work anymore.

    I guess the reason is that the key pair is encrypted with a key belonging to the user of the machine that generated the key.

    So my question is, how do I NOT bind the RSA key to any user or machine, so I can give the key to arbitrary users on any machine?

    What I want to do is to encrypt some data with the private key, then put the encrypted data and public key in a program, send the program to users. When the users use the program, the program will use the public key to decrypt the data.

    Some pieces of my code look like:

    CryptAcquireContextW(&handleProvider, NULL, MS_DEF_PROV, PROV_RSA_FULL, 0 | CRYPT_MACHINE_KEYSET | CRYPT_SILENT)

    CryptGenKey(handleProvider, AT_KEYEXCHANGE, (length << 16) | CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE, &handleKey)

    // get the public key in binary

    CryptExportKey(handleKey, 0, PUBLICKEYBLOB, 0, (BYTE *)buffer.data(), &size)

    CryptImportKey(handleProvider, (BYTE *)buffer.data(), size, 0, CRYPT_EXPORTABLE, &handlePublicKey)

    // get the private key in binary

    CryptExportKey(handleKey, 0, PRIVATEKEYBLOB, 0, (BYTE *)buffer.data(), &size)


    Monday, October 19, 2015 9:59 AM

All replies

  • I found the possible reason. I used the private key to encrypt, then I used the public key to decrypt. That doesn't work across machines.

    If I use the public key to encrypt, then use the private key to decrypt, that works across machines.

    Then my new questions:

    1, Is it possible to encrypt using the private key and decrypt using the public key?

    2, If I have to use the public key to encrypt, can I encrypt the data on another machine safely if the key is machine-bound? I tested it and it seems to work, so maybe there is no problem, but I want to confirm.

    3, The public key is much, much shorter than the private key, so is it really safe if I put the private key into the application to decrypt on the user end?


    Monday, October 19, 2015 10:51 AM
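The operation the thread is after (produce something with the private key that anyone holding the public key can check) is a digital signature: in CryptoAPI that is CryptSignHash/CryptVerifySignature, whereas CryptEncrypt always uses the public half and CryptDecrypt the private half, which is why "encrypt with the private key" could not work on a second machine. The block below is an added example, not code from the thread, using a constructed toy RSA key in pure Python so it runs offline; the release dict, the seat-count data and the function names are assumptions, and only the public key is needed on the user's machine.

```python
import hashlib

# Constructed toy RSA parameters: far too small for real use, chosen only so
# the whole flow runs offline. p and q are the first two primes above 10**6.
TOY_P, TOY_Q, TOY_E = 1000003, 1000033, 65537

def keygen(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Return (public_key, private_key); only the public half is shipped to users."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)

def _digest(data: bytes, n: int) -> int:
    # Hash first, then reduce into the modulus so the toy key can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    """Author side: the 'encrypt with the private key' step is really signing."""
    n, d = private_key
    return pow(_digest(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """User side: the 'decrypt with the public key' step is signature verification."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)

def build_release(data: bytes, private_key) -> dict:
    """Done once by the author; the private key never leaves this side."""
    return {"data": data, "signature": sign(private_key, data)}

def client_accepts(release: dict, public_key) -> bool:
    """Runs inside the shipped program with the embedded public key only."""
    return verify(public_key, release["data"], release["signature"])

if __name__ == "__main__":
    pub, priv = keygen()
    rel = build_release(b"licence: 10 seats", priv)       # constructed sample data
    print(client_accepts(rel, pub))                       # True
    rel["data"] = b"licence: 999 seats"                   # tampering on the user side
    print(client_accepts(rel, pub))                       # False
```

Because users receive only the public key, a copy of the program cannot produce a valid signature for altered data, which answers the concern in question 3 without ever embedding the private key.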