Well, let me explain it this way -
There are many kinds of ciphers (encryption algorithms), but the two major
ones in use are
1) secret key encryption (also known as symmetric key encryption)
2) public/private key encryption (asymmetric key encryption)
Symmetric key encryption requires one key to encrypt the data, and the same
key decrypts it. That's why you have to keep it secret. Anyone with the key
can decrypt the data. So basically, you don't want to send the key over a
public network or store it where anyone can get at it.
Asymmetric key encryption uses a key pair. One key in the pair is public,
and the other is private. You need to keep the private key secret, but you
can send out the public key to anyone you want. The RSA Crypto provider uses
the Windows Crypto API, which has its own user-specific key storage (users
on a machine can't get to each other's key stores). As soon as you create an
instance of the RSA crypto provider, a new key pair is generated and stored
for you. You can then send out the public key to anyone you want, even over
a public network. The important thing to grasp is that anything encrypted
with the public key can only be decrypted with the private key. So other
people can encrypt data with your public key and send that data all over the
place, but only you with the private key can decrypt it. It also works in
reverse - if you encrypt data with the private key, anyone with the public
key can decrypt it. This doesn't protect your data, but it's one way to know
the data came from you - because only you have the private key. This is a
fundamental part of data signatures.
The problem with public/private key encryption algorithms (RSA being one of
them) is that they are VERY slow relatively speaking, and they can only
encrypt tiny bits of data at a time. By comparison, symmetric key ciphers
are much faster and can encrypt bulk data. Typically, how RSA is used is
this way -
You want to send data over an insecure network (for example).
You get the other party's RSA public key.
You create a new symmetric key (for an algorithm like Triple DES or Rijndael
(AES)).
You encrypt symmetric key with the other person's RSA public key.
You send them the encrypted symmetric key.
They unencrypt the symmetric key using their RSA private key.
Now you both have the same symmetric key and you can encrypt bulk data and
send that data back and forth between each other.
Of course, really secure key exchanges are a little more complex (the
framework has a Key exchange formatter/deformatter class to help with the
details), but you get the idea. The point is that nobody wants to use RSA to
actually do the bulk data encryption.
Also, if you aren't sending the data back and forth between another party,
and you're only encrypting and decrypting data locally, there's no need for
the public/private key encryption at all. You simply need to use a symmetric
cipher like Triple DES or Rijndael.
You have a few issues with this code below, and data length will be one of
them I'm sure.
Secondly, I recommend using the System.Encoding.UTF8 or
System.Encoding.Unicode (GetBytes and GetString) methods rather than a byte
converter.
And finally, the big problem is that you are generating a whole new key pair
in your code for decryption. That won't work. You need the original key pair
to decrypt the data. A new key won't give you the correct results. The keys
are mathematically linked. But like I said before, I wouldn't use the RSA
cipher for this anyway.
-Rob Teixeira
"KJ" <klj_mcsd@hotmail.com> wrote in message
news:d83a9214.0409290606.3c2cdd45@posting.google.com...
> Is RSA a good encryption method? Also I'm having a problem pulling the
> string out of the database and decrypting it. Please Help
>
> Code is below:
>
>
> Private Function EncryptPassword(ByVal a_Password As String) As String
>     Dim ByteConverter As New ASCIIEncoding
>     Dim dataToEncrypt As Byte() = ByteConverter.GetBytes(a_Password)
>     Dim encryptedData() As Byte
>
>     'Create a new instance of the RSACryptoServiceProvider class
>     ' and automatically create a new key-pair.
>     Dim RSAalg As New RSACryptoServiceProvider
>     Try
>         'Encrypt the byte array and specify no OAEP padding.
>         'OAEP padding is only available on Microsoft Windows XP or
>         'later.
>         encryptedData = RSAalg.Encrypt(dataToEncrypt, False)
>         'Saving this string to the database 'Should I do that?
>         Return ByteConverter.GetString(encryptedData)
>     Catch e As CryptographicException
>         'Catch this exception in case the encryption did
>         'not succeed.
>         ' Console.WriteLine(e.Message)
>     End Try
>
> End Function
>
>
> Private Function DecryptPassword(ByVal strEncryptedPassword As String) As String
>     'I'm passing the string that I stored in the database
>     Dim ByteConverter As New ASCIIEncoding
>     Dim decryptedData() As Byte
>     Dim encryptedPassword As Byte()
>     'Create a new instance of the RSACryptoServiceProvider class
>     ' and automatically create a new key-pair.
>     Dim RSAalg As New RSACryptoServiceProvider
>     Try
>         encryptedPassword = ByteConverter.GetBytes(strEncryptedPassword)
>         'Pass the data to ENCRYPT and boolean flag specifying
>         'no OAEP padding.
>         decryptedData = RSAalg.Decrypt(encryptedPassword, True)
>
>         Return ByteConverter.GetString(decryptedData)
>
>     Catch ex As CryptographicException
>         'Catch this exception in case the encryption did
>         'not succeed.
>         Throw ex
>     End Try
>
> End Function
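As an added example (not code from the post or from KJ), here is the key-exchange procedure Rob lists above, written in Go with the standard library rather than the .NET classes the thread uses: Seal wraps a fresh AES-256 key with the recipient's RSA-OAEP public key and encrypts the bulk data with AES-GCM, and Open reverses it, failing unless it is given the private key from the same pair, which is exactly the bug in the quoted DecryptPassword. The function names, the Envelope type and the base64 encoding of the stored fields are my choices, not anything from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Envelope is what is sent or stored: the one-time AES key wrapped with the
// recipient's RSA public key, and nonce||ciphertext, both as base64 text.
type Envelope struct{ WrappedKey, Data string }

var b64 = base64.StdEncoding

// Seal is the sender's side of the scheme in the post: fresh AES-256 key, bulk
// data encrypted with AES-GCM, only the 32-byte key wrapped with RSA-OAEP.
func Seal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil { return Envelope{}, err }
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil { return Envelope{}, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return Envelope{}, err }
	data := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return Envelope{}, err }
	return Envelope{b64.EncodeToString(wrapped), b64.EncodeToString(data)}, nil
}

// Open needs the private key matching the public key used in Seal; any other
// pair (like the fresh one in the quoted DecryptPassword) fails at DecryptOAEP.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	wrapped, err := b64.DecodeString(env.WrappedKey)
	if err != nil { return nil, err }
	data, err := b64.DecodeString(env.Data)
	if err != nil { return nil, err }
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(data) < gcm.NonceSize() { return nil, errors.New("envelope too short") }
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}
```

RSA-OAEP alone would reject any input longer than the modulus minus its padding, which is the data-length problem mentioned above; wrapping only the 32-byte AES key sidesteps it, and the AES-GCM tag also makes Open reject stored data that was altered.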