RSACryptoServiceProvider.Encrypt without padding is not possible

Eugen - 15 Dec 2005 13:51 GMT
Hi,

I can't believe this, now I have to write the whole RSA library by
myself, just because someone at Microsoft thinks it is insecure to do
my own padding.

Why? Take a look at HBCI, the German standard for banking transactions.
The RDH specification requires a padding of the session key with plain
binary 0 values. I do not care if this is secure or not or whatever. It
is the standard in Germany. Period.

And now, I have to sit down and write my own implementation of the RSA
stuff.

Nice Christmas present, thanks a lot. I thought I would be bored...

Pieter Philippaerts - 03 Jan 2006 16:16 GMT
"Eugen" <eugen1@fastfertig.net> wrote in message
> I can't believe this, now I have to write the whole RSA library by myself,
> just because someone at Microsoft thinks it is insecure to do my own
[quoted text clipped - 3 lines]
> binary 0 values. I do not care if this is secure or not or whatever. It is
> the standard in Germany. Period.

Actually, starting with .NET 1.0, Microsoft decided to
support, architecturally at least, the implementation of custom padding
schemes. That's why they created the formatter/deformatter classes from
which you can inherit and implement your own padding scheme.
And yes, I know that the RSACryptoServiceProvider class doesn't support the
EncryptValue/DecryptValue methods that are necessary for your code to work,
but that's because of historical reasons (.NET uses the CryptoAPI
underneath), not because someone at Microsoft tried to ruin your Christmas.

Anyhow, all you need to do is drop in a replacement for the
RSACryptoServiceProvider, for instance the one from the mono project. If you
are unsure on how to do this, take a look at this page:
http://lab.msdn.microsoft.com/productfeedback/viewfeedback.aspx?feedbackid=77ce5cfe-7a78-40c2-9f82-bf2df2f1d548

The bug report contains a download project that uses the RSAManaged class
from mono.

Regards,
Pieter Philippaerts
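
A sketch of the formatter approach described in the reply above, added here as an example; it is not code from the thread, from Microsoft or from the Mono project. The class name `ZeroPaddingKeyExchangeFormatter` is hypothetical, placing the zero bytes in front of the session key is an assumption (the thread only says "plain binary 0 values"), and the key passed to `SetKey` must be an RSA implementation whose `EncryptValue` is actually implemented, such as the replacement class the reply mentions.

```csharp
using System;
using System.Security.Cryptography;

// Added example (hypothetical class): key-exchange formatter that pads the
// session key with binary zeros to the modulus length, then applies the raw
// RSA operation through RSA.EncryptValue.
public sealed class ZeroPaddingKeyExchangeFormatter : AsymmetricKeyExchangeFormatter
{
    private RSA _rsa;

    public ZeroPaddingKeyExchangeFormatter() { }

    public ZeroPaddingKeyExchangeFormatter(AsymmetricAlgorithm key) { SetKey(key); }

    // No XML parameter description is defined for this scheme.
    public override string Parameters { get { return null; } }

    public override void SetKey(AsymmetricAlgorithm key)
    {
        if (key == null) throw new ArgumentNullException("key");
        _rsa = key as RSA;
        if (_rsa == null) throw new ArgumentException("An RSA key is required.", "key");
    }

    public override byte[] CreateKeyExchange(byte[] data)
    {
        if (_rsa == null) throw new CryptographicUnexpectedOperationException("No key set.");
        if (data == null) throw new ArgumentNullException("data");

        int modulusBytes = (_rsa.KeySize + 7) / 8;
        // At least one leading zero byte keeps the block numerically below the modulus.
        if (data.Length >= modulusBytes)
            throw new CryptographicException("Session key is too long for this modulus.");

        byte[] block = new byte[modulusBytes];   // new arrays are zero-filled
        // Assumption: zeros go in front of the key (big-endian left padding).
        Buffer.BlockCopy(data, 0, block, modulusBytes - data.Length, data.Length);
        try
        {
            // Throws NotSupportedException on RSACryptoServiceProvider.
            return _rsa.EncryptValue(block);
        }
        finally
        {
            Array.Clear(block, 0, block.Length); // do not leave the key in memory
        }
    }

    public override byte[] CreateKeyExchange(byte[] data, Type symAlgType)
    {
        return CreateKeyExchange(data);          // the symmetric algorithm type is not used
    }
}
```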
