RSA Encryption using Microsoft Crypto API

  • Question

  • Is it possible to encrypt data on one PC using a secret RSA key and decrypt it on another with the public RSA key? I am using Microsoft Crypto API.

    Can you give an example of source code?

    I am trying to extend this code: http://www.niris.co.uk/crypt.html

    I want to generate and save the secret and public keys in files, encrypt data, then read the public key from a file and decrypt the data.

    One guy told me that it is impossible to achieve, because RSA is used only as a symmetric algorithm, with no secret or public keys.

    I can only create a session key to encrypt and another session key to decrypt. But how do I encrypt and decrypt using different session keys?

    • Moved by Helen Zhao Monday, June 4, 2012 9:02 AM (From:Visual C++ General)
    Friday, June 1, 2012 2:39 PM

All replies

  • On 6/1/2012 10:39 AM, Terminus Amulius wrote:

    Is it possible to encrypt data on one PC using secret RSA key and decrypt it on another with public RSA key. I am using Microsoft Crypto API.

    No. Nor does it make much sense. Since the decryption key is public, anyone can decrypt the data - what's the point of encrypting it then?

    Perhaps you are looking to create a digital signature (which is, basically, a hash of the data encrypted with the private key; it proves that the data does come from the party owning the public key). That you can indeed do with CryptoAPI.

    I want to generate and save secret, public keys

    That's an oxymoron. A key can either be secret or public, it can't be both. If you want a secret shared key, just use a symmetric encryption algorithm, such as AES.

    One guy told me, that it is impossible to achieve, because RSA is used only as symmetric algorithm, no secret or public keys.

    No, RSA is an asymmetric algorithm, with a private and public key forming a pair.

    I can only create a session key to encrypt and another session key to decrypt.

    What do you mean, another session key? You have to decrypt with the same key that was used for encryption, otherwise you would just get random garbage. That's the whole point of encryption - if you don't know the key, you can't see the original data.


    Igor Tandetnik

    Friday, June 1, 2012 5:01 PM
  • I have made a mistake. This would be correct: Public key for encryption, private key for decryption.

    I have found an interesting link:

    http://blogs.msdn.com/b/alejacma/archive/2008/01/28/how-to-generate-key-pairs-encrypt-and-decrypt-data-with-cryptoapi.aspx

    This is what I was asking, isn't it? I can make keys on one PC, transfer the data and the private key to another to decrypt it. I can move the private key through a secure channel and then send my data over a non-secure one. The key generator makes a key pair (private and public keys), no session keys.

    Friday, June 1, 2012 6:59 PM
  • On 6/1/2012 2:59 PM, Terminus Amulius wrote:

    I have made a mistake. This would be correct: Public key for encryption, private key for decryption.

    This should work. However, it is ill-advised to encrypt data with the RSA public key directly (and in fact, I believe CryptoAPI limits the amount of data that can be thus encrypted). RSA is vulnerable to analysis of large amounts of ciphertext. Besides, RSA encryption is slow, orders of magnitude slower than symmetric encryption.

    So normally, you would generate a random session key, encrypt the data with some symmetric algorithm using that key, then encrypt that session key itself with RSA public key and send the encrypted key together with the data. The recipient would decrypt the session key with the private key, then decrypt the data with the session key.

    CryptoAPI provides two functions, CryptEncryptMessage and CryptDecryptMessage, which do all this in one call. See

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa382376.aspx

    I can make keys on one PC, transfer the data and the private key to another to decrypt it. I can move the private key through a secure channel

    And what key would you use to secure that channel?

    If you can transport and store keys securely somehow, then you don't need public-key cryptography in the first place. Just generate a session key, transfer it to the other machine, and use the same key on both ends to encrypt and decrypt with a symmetric encryption algorithm. The whole point of public-key cryptography is to allow key exchange when keys cannot be transported securely.

    Key generator make key pair (private and public keys), no session keys.

    Again, why do you want that? What benefit do you hope to achieve by using public-key cryptography, rather than plain vanilla symmetric encryption? What problem are you trying to solve?


    Igor Tandetnik

    Friday, June 1, 2012 7:26 PM
  • Hi Terminus,

    According to your description, I'd like to move this thread to "Application Security for Windows Desktop Forum" for better support.

    Thanks for your understanding and active participation in the MSDN Forum.
    Best regards,


    Helen Zhao [MSFT]
    MSDN Community Support | Feedback to us

    Monday, June 4, 2012 9:01 AM