I. Using RSA certificates to encrypt and decrypt sensitive data
X.509 certificates can carry public keys for several algorithms, most commonly RSA, DSA and Diffie-Hellman. Of these only RSA can be used to encrypt data (DSA is a signature algorithm and Diffie-Hellman performs key agreement), and RSA is by far the most widely deployed. This article therefore encrypts and decrypts with the MyTestCert certificate generated by the MakeCert tool in the previous section, which carries a 1024-bit RSA key pair. Keep in mind that 1024-bit RSA is below today's accepted minimum; the steps are identical for a 2048-bit or larger key, which is what you should generate for anything other than an exercise.
Figure 12. RSA encryption and decryption process
1. Generate and distribute the certificate
Generate a certificate as described in the preceding "Using the MakeCert tool" section, or obtain one from a commercial CA; here it is MyTestCert.
The certificate you hold must be a complete certificate with both the public and the private key, typically stored as a PFX file.
To receive encrypted data you distribute only your public key to the party that will encrypt, and that party encrypts the data with it.
The certificate exists either as a PFX file or as an entry imported into the certificate store.
If the certificate is in the certificate store, export a CER file containing only the public key with the export function of the Certificates management console.
If the certificate exists as a PFX file, load it in code and then export it as a CER file containing only the public key.
Following the previous section, export a certificate named MyTestCert.cer and distribute it to the party that needs to encrypt data for you. Never hand out the PFX: it contains the private key, and whoever holds it can decrypt everything sent to you.
2. Convert the plaintext string into a byte stream using a chosen encoding
Data to be encrypted comes in two forms. Binary data is already a byte stream and can skip this step and go straight to encryption. String data is different: the same characters produce different bytes under different encodings (code pages), so converting a string to bytes requires choosing the encoding explicitly. After decryption, the bytes must be decoded with the same encoding, otherwise the result is garbled.
using System.Text;

// Byte array holding the plaintext
byte[] plaintextBytes = Encoding.UTF8.GetBytes("RSA Certificate encrypts sensitive data!");
Here the plaintext is encoded with UTF-8, turning the plaintext string into a byte stream.
3. Encryption operation
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Load the certificate from a file that contains only the public key
X509Certificate2 myX509Certificate2 = new X509Certificate2(@"C:/samples/partneraencryptmsg/mytestcert.cer");
// Obtain an RSACryptoServiceProvider holding the public key from the CER certificate
RSACryptoServiceProvider myRsaCryptoServiceProvider = (RSACryptoServiceProvider)myX509Certificate2.PublicKey.Key;
// Encrypt the plaintext byte stream into a ciphertext byte stream; false selects PKCS#1 v1.5 padding, true selects OAEP
byte[] cryptograph = myRsaCryptoServiceProvider.Encrypt(plaintextBytes, false);
The cast to RSACryptoServiceProvider only works on the .NET Framework on Windows. On .NET Core and .NET 5 or later, PublicKey.Key is obsolete and the key object may be a different RSA subclass, so call myX509Certificate2.GetRSAPublicKey() instead, which returns the abstract RSA type, and pass an RSAEncryptionPadding value to its Encrypt method.
With a 1024-bit key the RSA block is 128 bytes, and the ciphertext is always exactly 128 bytes. The plaintext, however, cannot fill the block, because the padding scheme reserves part of it. Passing false to Encrypt selects PKCS#1 v1.5 padding, which places 0x00, 0x02, at least eight random non-zero bytes and a 0x00 separator in front of the data, so the plaintext can be at most 128 - 11 = 117 bytes; Encrypt throws a CryptographicException for anything longer. Passing true selects OAEP, which with its default SHA-1 leaves room for 128 - 2*20 - 2 = 86 bytes.
Because the padding contains random bytes, encrypting the same string twice with the same key yields two different ciphertexts.
Two cautions. PKCS#1 v1.5 encryption padding is the scheme behind the Bleichenbacher padding-oracle attack, so prefer OAEP (true here, or RSAEncryptionPadding.OaepSHA256 on the modern RSA class) whenever the receiving side can use it. And RSA is meant to encrypt only small values such as a symmetric key: for data longer than the limit, encrypt it with AES and wrap the AES key with the certificate, rather than splitting the data into 117-byte pieces.
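The limits described above, as an added example that is not part of the original article. It assumes .NET 8 (for RSA.Create with a key size, RandomNumberGenerator.GetBytes and the AesGcm constructor that takes a tag size); the 1024-bit key is used only to match the article's certificate. It computes the PKCS#1 v1.5 and OAEP plaintext limits, shows Encrypt rejecting one byte over the limit, shows two encryptions of the same string differing, and then demonstrates the hybrid scheme for data of any length; the blob layout used by HybridEncrypt and HybridDecrypt (wrapped key, nonce, tag, ciphertext) is this example's own choice, not a standard format.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original article: the plaintext limits that
// RSA padding imposes on a 1024-bit key, and the usual way around them.
static class RsaPaddingLimits
{
    // PKCS#1 v1.5 uses 11 bytes: 0x00 0x02, at least 8 random non-zero bytes, 0x00.
    public static int MaxPkcs1(int keyBits) => keyBits / 8 - 11;

    // OAEP uses 2 * hashLength + 2 bytes.
    public static int MaxOaep(int keyBits, int hashBytes) => keyBits / 8 - 2 * hashBytes - 2;

    // Hybrid encryption: a fresh AES-256-GCM key protects the data, and only that
    // 32-byte key goes through RSA-OAEP, so the data itself can be any length.
    // Blob layout (this example's own choice): [RSA block: wrapped key][12-byte nonce][16-byte tag][ciphertext]
    public static byte[] HybridEncrypt(RSA pub, byte[] plaintext)
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16];
        byte[] body = new byte[plaintext.Length];
        using (var aes = new AesGcm(key, 16))
            aes.Encrypt(nonce, plaintext, body, tag);
        byte[] wrapped = pub.Encrypt(key, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(key);
        return [.. wrapped, .. nonce, .. tag, .. body];
    }

    public static byte[] HybridDecrypt(RSA priv, byte[] blob)
    {
        int k = priv.KeySize / 8;                       // size of the RSA block holding the wrapped key
        byte[] key = priv.Decrypt(blob[..k], RSAEncryptionPadding.OaepSHA256);
        ReadOnlySpan<byte> nonce = blob.AsSpan(k, 12);
        ReadOnlySpan<byte> tag = blob.AsSpan(k + 12, 16);
        ReadOnlySpan<byte> body = blob.AsSpan(k + 28);
        byte[] plaintext = new byte[body.Length];
        using (var aes = new AesGcm(key, 16))
            aes.Decrypt(nonce, body, tag, plaintext);   // throws CryptographicException if the tag does not verify
        CryptographicOperations.ZeroMemory(key);
        return plaintext;
    }

    static void Main()
    {
        using RSA rsa = RSA.Create(1024);   // 1024 bits only to match the article; use 2048 or more in practice
        Console.WriteLine($"PKCS#1 v1.5 limit: {MaxPkcs1(rsa.KeySize)} bytes, OAEP-SHA256 limit: {MaxOaep(rsa.KeySize, 32)} bytes");

        // The largest PKCS#1 v1.5 plaintext fits; one byte more is rejected.
        byte[] fits = new byte[MaxPkcs1(rsa.KeySize)];
        byte[] c = rsa.Encrypt(fits, RSAEncryptionPadding.Pkcs1);
        Console.WriteLine($"ciphertext is always {c.Length} bytes");
        try { rsa.Encrypt(new byte[fits.Length + 1], RSAEncryptionPadding.Pkcs1); }
        catch (CryptographicException e) { Console.WriteLine($"one byte too many: {e.Message}"); }

        // Same key, same plaintext, different ciphertext, because the padding is random.
        byte[] msg = Encoding.UTF8.GetBytes("RSA Certificate encrypts sensitive data!");
        bool same = rsa.Encrypt(msg, RSAEncryptionPadding.OaepSHA256).AsSpan()
                       .SequenceEqual(rsa.Encrypt(msg, RSAEncryptionPadding.OaepSHA256));
        Console.WriteLine($"two encryptions identical: {same}");

        // Anything larger than the limit goes through the hybrid scheme (constructed 10,000-byte input).
        byte[] big = Encoding.UTF8.GetBytes(new string('x', 10_000));
        byte[] blob = HybridEncrypt(rsa, big);
        Console.WriteLine($"hybrid round trip ok: {HybridDecrypt(rsa, blob).AsSpan().SequenceEqual(big)}");
    }
}
```

Compile it as a console project targeting net8.0 and run it. For the article's 1024-bit key MaxPkcs1 gives 117 and MaxOaep with SHA-256 gives 62, which is why the hybrid path wraps a 32-byte AES key rather than the message itself; GCM also gives the receiver an integrity check that raw RSA encryption never provides.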
4. Decryption operation
// Load the certificate from a PFX file; because it contains the private key, the password set when the PFX was saved is required
X509Certificate2 myX509Certificate2 = new X509Certificate2(@"c:/samples/partneraencryptmsg/mytestcert.pfx", "Password");
// Obtain an RSACryptoServiceProvider holding the private key from the certificate
RSACryptoServiceProvider myRsaCryptoServiceProvider = (RSACryptoServiceProvider)myX509Certificate2.PrivateKey;
// Decrypt the ciphertext byte stream back into the plaintext byte stream; the padding flag must match the one used for Encrypt
byte[] plaintextBytes = myRsaCryptoServiceProvider.Decrypt(cryptograph, false);
Decryption requires the PFX certificate that holds the private key, together with its protection password; the CER alone cannot decrypt. The second argument to Decrypt must match the one used for Encrypt (false for PKCS#1 v1.5, true for OAEP). On .NET Core and later, replace the PrivateKey cast with myX509Certificate2.GetRSAPrivateKey() and an RSAEncryptionPadding value, as for encryption. A failed decryption, including one caused by mismatched padding or a tampered ciphertext, surfaces as a CryptographicException; do not report the distinction between padding errors and other errors back to the sender, since that is exactly the oracle a padding attack needs.
5. Convert the decrypted byte stream back into a plaintext string
// Decode the decrypted byte[] with the same encoding (UTF-8) that was used before encryption
string plaintext = Encoding.UTF8.GetString(plaintextBytes);
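The five steps end to end, as an added example that is not code from the original article. It assumes .NET 8 and replaces the pieces the article does with external tools: a self-signed certificate created in memory with CertificateRequest stands in for MakeCert, and byte arrays returned by X509Certificate2.Export stand in for the .cer and .pfx files on disk. The subject name CN=MyTestCert and the PFX password "Password" are taken from the article; the method names (CreateSelfSigned, ExportCer, ExportPfx, EncryptFor, DecryptWith) are this example's own. It uses GetRSAPublicKey and GetRSAPrivateKey with OAEP-SHA256 padding, the modern replacement for the RSACryptoServiceProvider casts shown above.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the original article: steps 1 to 5 on .NET 8 with
// an in-memory self-signed certificate in place of MakeCert and byte arrays in
// place of the .cer/.pfx files.
static class CertificateEncryptionDemo
{
    // Step 1a: a certificate holding both keys, marked for key encipherment.
    public static X509Certificate2 CreateSelfSigned(string subject)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Step 1b: what gets distributed (public key only) and what stays with the receiver (PFX plus password).
    public static byte[] ExportCer(X509Certificate2 cert) => cert.Export(X509ContentType.Cert);
    public static byte[] ExportPfx(X509Certificate2 cert, string password) => cert.Export(X509ContentType.Pfx, password);

    // Steps 2 and 3 on the sender: encode the string, load the CER, encrypt with the public key under OAEP-SHA256.
    public static byte[] EncryptFor(byte[] cerBytes, string message)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(message);
        using var cert = new X509Certificate2(cerBytes);
        using RSA pub = cert.GetRSAPublicKey() ?? throw new InvalidOperationException("not an RSA certificate");
        return pub.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    // Steps 4 and 5 on the receiver: load the PFX with its password, decrypt, decode with the same encoding.
    public static string DecryptWith(byte[] pfxBytes, string password, byte[] ciphertext)
    {
        using var cert = new X509Certificate2(pfxBytes, password);
        using RSA priv = cert.GetRSAPrivateKey() ?? throw new InvalidOperationException("PFX carries no RSA private key");
        byte[] plaintext = priv.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
        return Encoding.UTF8.GetString(plaintext);
    }

    static void Main()
    {
        using X509Certificate2 full = CreateSelfSigned("CN=MyTestCert");
        byte[] cer = ExportCer(full);               // distributed to the encrypting party
        byte[] pfx = ExportPfx(full, "Password");   // kept by the receiver

        byte[] cryptograph = EncryptFor(cer, "RSA Certificate encrypts sensitive data!");
        Console.WriteLine($"ciphertext: {cryptograph.Length} bytes");
        Console.WriteLine(DecryptWith(pfx, "Password", cryptograph));

        // The CER alone cannot decrypt: it carries no private key.
        using var pubOnly = new X509Certificate2(cer);
        Console.WriteLine($"CER has a private key: {pubOnly.HasPrivateKey}");

        // A wrong PFX password is a CryptographicException on load, not an empty result.
        try { DecryptWith(pfx, "wrong", cryptograph); }
        catch (CryptographicException e) { Console.WriteLine($"wrong password: {e.Message}"); }
    }
}
```

Build it as a net8.0 console project. To move from the in-memory arrays to the article's files, write the output of ExportCer to MyTestCert.cer and of ExportPfx to MyTestCert.pfx, and on Windows consider loading the PFX with X509KeyStorageFlags.EphemeralKeySet so the private key is not persisted to the user's key store as a side effect.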
Encryption and decryption practice with digital certificates (Part 2): Encrypting sensitive data with RSA certificates