4
votes

The client encrypts the message using the X.509 certificate and sends the encrypted message to my web server. The client has provided an X.509 certificate without a private key (exported as DER encoded binary X.509 (.cer)). Now my task is to decrypt the message using the X.509 certificate that I have.

Whenever I try to decrypt the message I get a “The private key does not exist” exception, which is expected as the certificate does not contain the private key. Is it feasible to decrypt the message using the X.509 certificate without the private key?

Secondly, if the client provides the password separately for the certificate, can I create an instance of X509Certificate2 and use it to decrypt the message like:

X509Certificate2 c = new X509Certificate2("filename", "password");
1
The entire point of a two key system is that one key is for encryption and one is for decryption. – Chris Haas

1 Answer

3
votes

You will need the private key to decrypt the message. For example, you can ask your client to provide you a .pfx file which contains the private key, however, this is a little backwards, as usually, with asymmetric encryption, the sender (your client) should be encrypting the message with the receiver's (your) public key, which you decrypt with the receiver's (your) private key. That way the private key is not shared out to multiple parties, which reduces the chance that it gets compromised. The whole idea of a private key is that it's private - only the owner of the key gets to use it.

Edit: As for the second question, a password is not the private key. You can generate a private key that is protected by a password. That means in order to use the private key to do the decryption, you also have to know the password that protects that private key.

Edit 2: I'm not sure if this helps, but I struggled to understand how to practically apply a lot of these concepts a while back, so I wrote a series of blog posts that might help you. I don't claim to be a security expert, but what I've written might get you started.
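As an added illustration of the flow the answer describes (this is not code from the question or the answer), the following C# generates the receiver's key pair and a self-signed certificate in-process, hands the sender only the DER-encoded .cer, keeps the password-protected PFX on the receiver's side, and shows that only the side holding the private key can decrypt. It assumes .NET 5 or later; the subject name and the PFX password are made up for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class Program
{
    static void Main()
    {
        // Receiver: generate an RSA key pair and a self-signed certificate for it.
        using RSA receiverKey = RSA.Create(2048);
        var request = new CertificateRequest("CN=receiver-example", receiverKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 full = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        // What the receiver gives to the sender: DER-encoded .cer, public key only.
        byte[] cerBytes = full.Export(X509ContentType.Cert);

        // What the receiver keeps: PFX containing the private key, protected by a password.
        const string pfxPassword = "example-pfx-password"; // constructed for this example
        byte[] pfxBytes = full.Export(X509ContentType.Pfx, pfxPassword);

        // Sender: load the .cer and encrypt with the receiver's public key.
        using var senderView = new X509Certificate2(cerBytes);
        byte[] ciphertext;
        using (RSA pub = senderView.GetRSAPublicKey())
        {
            ciphertext = pub.Encrypt(Encoding.UTF8.GetBytes("hello receiver"),
                RSAEncryptionPadding.OaepSHA256);
        }

        // The .cer alone cannot decrypt: it carries no private key, so this is false
        // and GetRSAPrivateKey() on senderView returns null.
        Console.WriteLine($"Private key present in .cer: {senderView.HasPrivateKey}");

        // Receiver: open the PFX with its password (the password unlocks the key,
        // it is not the key itself) and decrypt with the private key.
        using var receiverView = new X509Certificate2(pfxBytes, pfxPassword);
        using RSA priv = receiverView.GetRSAPrivateKey();
        byte[] plaintext = priv.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
        Console.WriteLine(Encoding.UTF8.GetString(plaintext));
    }
}
```

Swapping the byte arrays for files gives exactly the arrangement in the question: the sender works from the .cer, and the `new X509Certificate2(file, password)` call only succeeds in decrypting when the file is a PFX that actually contains the private key.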