I need a very basic 2 minute intro to certificates...
I have been provided with a .p12 cert file... That is password protected... Now I need to import it to registry, and export a base 64 .cer file...
Finally I use this .cer file to access a web service outside of my solution....
My question is - Does the imported .p12 and the .cer work hand in hand to authenticate the request?
I could really do with 2-3 lines of explanation as to how it all works from a technical programmers point of view...
Thanks in advance
There's a reason you rarely see a short explanation of cryptography!
Many forms of encryption are based on the use of a single Shared Key (symmetric) to encrypt and decrypt the message--both the sender and the receiver must know the key.
However, in this case you are using Public Key cryptography, which splits the key into two parts that, as you said, "work hand in hand". To borrow from http://www.globus.org/toolkit/security/public-key-cryptography.html:
These keys are numbers that are mathematically related in such a way that if either key is used to encrypt a message, the other key must be used to decrypt it. Also important is the fact that it is next to impossible (with our current knowledge of mathematics and available computing power) to obtain the second key from the first one and/or any messages encoded with the first key.
By making one of the keys available publicly (a public key) and keeping the other key private (a private key), a person can prove that he or she holds the private key simply by encrypting a message. If the message can be decrypted using the public key, the person must have used the private key to encrypt the message.
Note that it is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner.
Apparently, what you have here in your password-protected .P12 file is both your private and public keys. After you import it into your PC, you can extract a .CER file of your public key--and that's the one you give to the web service.
After that, here's essentially what happens when you send a message to the web service:
Your computer needs to use your private key and the web service's public key to encrypt the message.
Then, only the web service which has access to your public key and their own private key can decrypt it.
For them to send a message back to you, it works quite the same, but with everything in reverse.
Now that should be as clear as mud... but at least you've got a start.
Related
I use this RSA library for swift. https://github.com/TakeScoop/SwiftyRSA
Is there any way to export public RSA key from private key ?
I would just use the internal api calls, there is plenty of sample code and it’s literally 10 lines of code to create keys, obtain them from key chain and encrypt/decrypt data.
If you look in the library read me file, it tells you how to obtain a public key and then export it into various formats....
Need some help. I am working on encryption, where I need to implement crypto_box_keypair() or decode a hex string to a byte array so that you have to get a public and private keys. I also need to call crypto_box(m,n,pk,sk) for encryption.
I have never worked on encryption, I struck with how to implement. If you have any sample code, could you please send. which will be very help full. I just need to encrypt and decrypt string in ios.
Thanks in advnce.
I have searched alot regarding my task which is like ,
i am getting data through XML which is encrypted using RSA/ECB/PKCS1Padding from backend and they have given me a file name "publickey.der". According to them this is public key and you need to use this key for decryption.
Seriously i dont have any idea about using this public key for decryption on Objective C.
Please guide me which framework or library or sdk i need to use or any one has any sample code for this. I am counting on you guys only.
Looking forward for your responses
Thank you once again
Public keys are used for encryption, private keys are used for decryption. You will have to rectify this issue first.
Also RSA/ECB/PKCS1Padding is not common, when you want to rsa encrypt a large amount of data, usually you encrypt an aes key with rsa and encrypt your data with aes instead.
Basically, to do this RSA/ECB decrypt outside of java, it will be manually, and you are going to have to break your cipher text up by your block size (key size), and then decrypt each block without padding, until the final block with padding, that's how you get the ECB.
This is not ideal, that combined with them providing you with a public key and telling you to decrypt, suggests that whoever is giving you the data needs to fix their encryption issues.
I use following class to encrypt/decrypt my texts.
http://code.google.com/p/iphonebits/source/browse/trunk/src/Encryption/NSData-AES.m?r=2
This works perfectly. But when I decrypt the encrypted text with an invalid key (any one other than encryption key) this returns some text and its not in the actual length of the decrypted text. What can be the reason (is this supposed to return nil)? Is this the better way? Does libraries supposed to return errors for invalid decryption keys? Is it a must or not?
Thank you
Well, the algorithm will not know if the key that you are providing is the right one. To know if the key is right the algorithm would have to have it's copy, which is unsafe. Although it could have the copy of it's hash, but that would still apply that the encryption and decryption algorithms would work for only one key. Your current decryption accepts the key and put's it to work in the decoding algorithm. The result should reflect the original text but if the key was wrong it will give you the text generated according to the wrong key. It's all working properly.
First off, that is not a typo, I want to decrypt using a public key. The purpose for doing this is to challenge a third party to ensure they do, in fact, have the private key that corresponds to the public key. Basically, I would send some random data, they would encrypt it with their private key, I would decrypt it using the public key and compare the decrypted value to the random data that I sent. I believe this is a pretty standard procedure in public key crypto but for some reason decrypting with a public key seems to be taboo.
I am simply using the RSACryptoServiceProvider in .NET 2.0. However, when I call Decrypt it throws a CryptographicException with message Bad Key. The key is not bad (I can Encrypt with no problem), but it appears as though it will not let me decrypt with just the public key. What gives? This must be possible to do.
I think the recognized term is signing. They sign with the private key, and you verify with the public key. I admit I don't understand the low-level math as well as I should, but my understanding is signing is really just encrypting with the private key.
Use RSACryptoServiceProvider's sign and verify family of methods. In fact, SignHash actually says, "encrypting it with the private key."
These .Net classes should be a wrapper of the crypto API.
There are two types of keys in crypto API. Crypto API is a wrapper around PKCS#11. When you generate a key pair using Microsoft cryptographic service provider, you get AT_EXCHANGE AND AT_SIGNATURE keys. Every key is generated based on some attributes defined in PKCS#11 standard..
AT_EXCHANGE keys Attributes:
wrap/unwrap = true
sign/verify = true
encrypt/decrypt = false
AT_SIGNATURE keys Attributes:
wrap/unwrap = false
sign/verify = true
encrypt/decrypt = false
So basically, when you are exchaning data, you are essentially performing a wrapping/unwrapping function. This is what Microsoft calls it as AT_EXCHANGE. This is primarily used to exchange secrete/symmetric keys and not used to echange huge amounts of data.
So you need to go back and find out which key you chose to EITHER sign / wrap your dat.
Per Raj, the key you've been provided with probably isn't marked for exchange.
Ask the party who provided the public key how they generated it. If using makecert.exe, they'll need to specify "-sky Exchange". Without this, you can only use the key for signing and authentication, not encryption/decryption which is the use case you're implementing here.