When selecting a Data Encryption method for your Application, there are a couple of different options available. This article discusses encrypting data with Asymmetric Encryption/Decryption using Digital Certificates issued from a Microsoft PKI Certificate Authority.
Symmetric and Asymmetric Encryption for Dummies
Let’s start with a short introduction to Symmetric and Asymmetric Encryption. If this is old news and you are more interested in the .NET Sample itself, it’s possible to skip all this conceptual background and jump directly to Part 2.
Symmetric Encryption
This is probably the best known method of encryption. The process is very well known as it has been around for a VERY long time. You probably used it yourself as a child when exchanging secret messages with your friends at school.
Simply put, both the Sender and the Receiver agree on, and have knowledge of, a Shared Key. Only these two guys or girls know about this Shared Key. Once it’s agreed and known by both parties, they can then use it to ‘Encrypt’ the actual data they would like to securely transmit. The data can then be ‘Decrypted’ using this same shared key by the receiver of the message.
One of the major drawbacks of Symmetric Encryption is that the ‘Shared Key’ must be in the possession of both parties (the sender and the receiver in this case). In the scenario shown, this would not be such an issue since only two parties are involved, who most likely trust each other to keep the key safe. However, when this scenario is expanded to multiple senders and receivers, maintaining control over who has access to this SharedKey quickly becomes unmanageable, ultimately voiding the security altogether once the key falls into the wrong hands. We all know how quickly and easily a ‘secret’ can become public!
Examples of Symmetric Key Algorithms are DES, Triple-DES (3DES) and AES.
Asymmetric Encryption
One way to overcome the disadvantage mentioned for Symmetric Encryption is to split this shared key into two distinct keys (known as a Key-Pair). The first key (known as the Public Key) in the pair can only be used to Encrypt the data, whereas the second key (known as the Private Key) can only be used to Decrypt the data encrypted by the Public Key.
As shown, the Sender has access to the Public Key so can Encrypt data. Only the Receiver has access to the Private Key, therefore is the only person who can Decrypt the data. If we were to expand this scenario to have multiple senders, all senders would have access to the public key, so can send to the Receiver. Only the Receiver can actually read the data since they are the only one with access to the Private Key.
The important aspect is of course the protection of the Private Key. This is stored securely and well protected so that only the Receiver ever has access to it. It is never distributed to anyone. The Public Key can of course be distributed freely without any worry about who has access to it, since the only function available is to Encrypt data.
You most likely use Asymmetric Encryption every day, since any secured web page (https) on the Internet implements this algorithm. The web page will publish its Public Key (the Digital Certificate) as part of the HTTPS response to the web browser, which can then be used to encrypt communication between the Client and the Web Server. Since the server hosting this web page is the only party with access to the Private Key, only the web server can Decrypt the content.
One of the major drawbacks of the Asymmetric Encryption algorithm is its mathematical complexity, which introduces high CPU overhead and is therefore extremely slow when encrypting data. This algorithm is therefore only intended to Encrypt small amounts of data.
In the .NET framework this limitation is set to only allow encryption of block sizes of 128 bytes. This doesn’t prevent you from encrypting the data in 127 byte chunks of course, but the process will be very slow (and will only get slower the longer the encryption key is). It’s much more efficient to follow the combined Asymmetric – Symmetric encryption approach discussed next.
Examples of Asymmetric Algorithms are RSA, DSA and ELGAMAL.
Combining (Hybrid) Asymmetric and Symmetric Encryption
So far we have covered both well-known encryption algorithms and discussed the drawbacks of each. The most common scenario out there today combines both algorithms to get the best of both: the speed of Symmetric Encryption and the security of Asymmetric Encryption.
As shown, the two algorithms are combined to perform the encryption and decryption.
The sender has a SharedKey, which is the Symmetric Key used to Encrypt the actual data (‘Some Clear Text’). This process is very fast and can be used to encrypt large amounts of data.
The Sender has access to the Receiver’s PublicKey (the Asymmetric Public Key). This is used to Encrypt the (symmetric) SharedKey.
The (symmetrically) Encrypted data and the (asymmetrically) Encrypted Symmetric Key are both sent to the Receiver.
The Receiver (asymmetrically) Decrypts the Symmetric Key using his or her Private Key. The Symmetric Key is then used to Decrypt the actual data and the text is then readable to the Receiver.
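The four steps above as a runnable C# sketch. This is an added example, not code from this article series. It assumes .NET 8 or later, and an in-memory self-signed certificate stands in for one issued by the Certificate Authority. The `Envelope` and `Hybrid` names are hypothetical, and AES-GCM and RSA-OAEP (SHA-256) are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
// Constructed stand-in for the Receiver's CA-issued certificate (self-signed, in memory only).
using RSA keyPair = RSA.Create(2048);
var request = new CertificateRequest("CN=Receiver (constructed)", keyPair,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using X509Certificate2 cert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
using RSA publicKey = cert.GetRSAPublicKey()!;    // all the Sender needs
using RSA privateKey = cert.GetRSAPrivateKey()!;  // stays with the Receiver

// Sender encrypts the data and wraps the key; Receiver unwraps the key and decrypts.
Envelope sent = Hybrid.Encrypt(publicKey, Encoding.UTF8.GetBytes("Some Clear Text"));
Console.WriteLine(Encoding.UTF8.GetString(Hybrid.Decrypt(privateKey, sent)));

// A single flipped ciphertext bit fails the GCM tag check instead of yielding altered text.
sent.CipherText[0] ^= 0x01;
try { Hybrid.Decrypt(privateKey, sent); }
catch (CryptographicException) { Console.WriteLine("tampered message rejected"); }

// Hypothetical container for what travels from Sender to Receiver.
record Envelope(byte[] WrappedKey, byte[] Nonce, byte[] CipherText, byte[] Tag);

static class Hybrid
{
    public static Envelope Encrypt(RSA receiverPublicKey, byte[] clearText)
    {
        byte[] sharedKey = RandomNumberGenerator.GetBytes(32); // fresh AES-256 key per message
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] cipherText = new byte[clearText.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(sharedKey, tag.Length))
            aes.Encrypt(nonce, clearText, cipherText, tag);
        byte[] wrappedKey = receiverPublicKey.Encrypt(sharedKey, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(sharedKey);
        return new Envelope(wrappedKey, nonce, cipherText, tag);
    }

    public static byte[] Decrypt(RSA receiverPrivateKey, Envelope e)
    {
        byte[] sharedKey = receiverPrivateKey.Decrypt(e.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] clearText = new byte[e.CipherText.Length];
        using (var aes = new AesGcm(sharedKey, e.Tag.Length))
            aes.Decrypt(e.Nonce, e.CipherText, e.Tag, clearText);
        CryptographicOperations.ZeroMemory(sharedKey);
        return clearText;
    }
}
```

Only the wrapped 32-byte key passes through RSA, so the size of the data never touches the asymmetric operation.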
Note
It is often the case that Symmetric Encryption key lengths are much shorter than Asymmetric Key Lengths. For example, a Symmetric AES Key would be 256, whereas an (asymmetric) RSA Key Length is 4096. The RSA key of course offers the strongest level of encryption, which must be broken first before the Symmetric encrypted data can be Decrypted.
Why Use It?
Good question. Well, the short answer is, it’s the widely adopted approach for performing Encryption / Decryption across the internet today. HTTPS (SSL) is probably the most utilized protocol using Hybrid Symmetric/Asymmetric Data Encryption.
When using Hybrid Symmetric/Asymmetric Data Encryption you get the advantage of clear role separation in your applications. Users with access to the Public Key can encrypt, whereas only users with the Private Key can decrypt. The Private Key in this case could be stored on a Smart Card, locked away in a safe or secure location and only used when decryption operations are really necessary.
The Private Key, when issued by a Certificate Authority where Key Archival is possible, can also be archived to a safe location, in the unfortunate situation that the Private Key is lost.
In Part 2 of this article we cover how to use Asymmetric Encryption with the .NET framework to encrypt and decrypt data ready to be persisted to a database or other storage solution.
Related Articles
Part 2 – A look at a sample .NET application and example of separating the encryption and decryption functions for Asymmetric Encryption
Part 3 – All into the .NET Sample Application Code