Correctly using RSACryptoServiceProvider?


Post by TmVlbGF » Sat, 24 Sep 2005 07:04:07

Hi guys,
I am writing a simple client-server app and the client sends requests to
the server. The client and server communicate using sockets.

I want to encrypt the client request using the server's public key. This is
what I am currently doing: in the setup program, I created an object of
RSACryptoServiceProvider. That essentially creates a new public/private key
pair, right? So I exported both the keys in XML and stored it on the local
filesystem. So now the client has access to the server's public key XML file.

Now, when the client wants to send the request, this is what I am doing:

RSACryptoServiceProvider * pobjRSACrypto = new RSACryptoServiceProvider();
// strServerPublicKey is the contents of ServerPublicKey.xml (public parameters only)
pobjRSACrypto->FromXmlString (strServerPublicKey);
// byteData holds the request bytes; false selects PKCS#1 v1.5 padding (true would select OAEP)
Byte byteEncrypted[] = pobjRSACrypto->Encrypt(byteData, false);

Now the server does the following:

RSACryptoServiceProvider * pobjRSACrypto1 = new RSACryptoServiceProvider();
// strServerKeyPair has the contents of ServerKeyPair.xml (public and private parameters)
pobjRSACrypto1->FromXmlString (strServerKeyPair);
// the padding flag must match the one the client used for Encrypt
Byte byteDecryptedText [] = pobjRSACrypto1->Decrypt(byteEncrypted, false);
Encoding * pAscii = Encoding::ASCII;
String * strDecryptedText = pAscii->GetString(byteDecryptedText);

But this is what I have observed: even though I am encrypting the same
plain text, the resulting encrypted text is different every time. Is that
right? Also, the decryption using the private key works. I am just wondering
if I am using the APIs correctly. I mean, I am not using a new key pair
every time, right?

Also, FromXmlString() should achieve the same as ImportParameters(), right?

In short, my idea is: generate the key pair once, keep it on the local
filesystem, and then at run time use that to encrypt and decrypt.

Please let me know if I am doing something wrong or if my understanding is
wrong somewhere.
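The behaviour described in the post (same plaintext, same key, different ciphertext every time, and every ciphertext still decrypts) is exactly what PKCS#1 v1.5 encryption padding does, which is the scheme RSACryptoServiceProvider uses when the second argument to Encrypt is false. The following is an added example, not code from the original post or from the .NET Framework: a pure-Python, textbook RSA with that padding scheme, so the randomness is visible in the padding function itself. The key generation, primality test and the JSON export that stands in for ToXmlString/FromXmlString are toy-grade stand-ins chosen for illustration; the function names (demo, export_key, import_key) and the sample request text are assumptions, not anything from the thread. It needs Python 3.8 or later for the modular inverse.

```python
# Added example (not from the original post or from .NET): textbook RSA with
# EME-PKCS1-v1_5 padding, the scheme used by RSACryptoServiceProvider.Encrypt
# when fOAEP is false. Pure Python so it runs offline; key sizes, prime test
# and JSON "export" are illustrative stand-ins, not production code.
import json
import os
import random

_RNG = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (illustrative, not constant-time)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)); the analogue of 'new RSACryptoServiceProvider()' in setup."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p == q or n.bit_length() != bits or phi % e == 0:
            continue
        return (n, e), (n, pow(e, -1, phi))  # modular inverse: Python 3.8+


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 (RFC 3447 7.2.1): 0x00 || 0x02 || PS || 0x00 || M.
    PS is k - len(M) - 3 random NONZERO bytes (at least 8). PS is fresh on
    every call, so the same message encrypts differently each time."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:
        ps.extend(b for b in os.urandom(k - len(message) - 3 - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Inverse of pkcs1_v15_pad; rejects malformed encodings (PS must be >= 8 bytes)."""
    sep = em.find(b"\x00", 2)
    if len(em) < 11 or em[0] != 0 or em[1] != 2 or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def encrypt(pub, message: bytes) -> bytes:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_pad(message, k), "big"), e, n).to_bytes(k, "big")


def decrypt(priv, ciphertext: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if len(ciphertext) != k:
        raise ValueError("decryption error")
    return pkcs1_v15_unpad(pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big"))


def export_key(key) -> str:
    """Stand-in for ToXmlString: serialise the parameters once, at setup time."""
    return json.dumps({"n": key[0], "exp": key[1]})


def import_key(blob: str):
    """Stand-in for FromXmlString / ImportParameters: load stored parameters."""
    params = json.loads(blob)
    return (params["n"], params["exp"])


def demo(message: bytes = b"GET /balance account=42") -> dict:  # constructed sample request
    """Replay the poster's workflow and report what each side observes."""
    pub, priv = generate_keypair(1024)                        # setup program, run once
    pub_blob, priv_blob = export_key(pub), export_key(priv)   # written to disk
    client_key = import_key(pub_blob)                         # client loads public key
    server_key = import_key(priv_blob)                        # server loads key pair
    c1, c2 = encrypt(client_key, message), encrypt(client_key, message)
    return {
        "same_modulus": client_key[0] == server_key[0],   # one key pair, not a fresh one per call
        "ciphertexts_differ": c1 != c2,                   # random PS: encryption is non-deterministic
        "both_decrypt": decrypt(server_key, c1) == message == decrypt(server_key, c2),
    }
```

Two practitioner notes on the workflow above. First, the check that the key is not being regenerated is to compare the Modulus element in ServerPublicKey.xml with the one in ServerKeyPair.xml; if they match, every ciphertext is under the same key and only the padding changes, as the same_modulus flag in demo shows. Second, PKCS#1 v1.5 encryption padding (fOAEP = false) is the variant vulnerable to padding-oracle (Bleichenbacher-style) attacks when the server's decrypt failures are observable, so passing true to use OAEP is the better choice if you keep the raw-RSA design; raw RSA also gives no integrity or sender authentication, which is part of why the replies below steer toward SSL.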


Correctly using RSACryptoServiceProvider?

Post by SmFz » Wed, 28 Sep 2005 04:19:01

This reply is not an attempt to answer the questions you asked, but I wanted
to make a comment. You mentioned you would like to encrypt communications
between the client and server. Because RSA can be used to do more than
provide confidentiality, you might be over-engineering the solution. If you
would just like to protect yourself from an intermediate party being able to
read the transactions going over the wire, you could just use SSL. This will also
not require you to store the server's public key on the client, and get rid of
the whole key management issue.


Correctly using RSACryptoServiceProvider?

Post by William St » Wed, 28 Sep 2005 06:45:09

Right. And if using sockets, you can use 2.0's SslStream authenticated
stream class.

William Stacey [MVP]