0
votes

I have a WinForms client that is sending encrypted data to a web service. The WinForms client creates a Symmetric RijndaelManaged sessionKey and also has a "hard-coded RSA asymmetric public key".

I am using the EncryptedXml class which makes it really easy to package up my data.

The Web Service has both the private and public keys "hardcoded" and can successfully decrypt the SessionKey and then use it to decrypt the actual data I am sending.

This is pretty much handled automatically by the EncryptedData class.

The problem I am having is that on the Web Service end when I want to reply, I can't seem to figure out how to get the SessionKey that was sent over.

Before I do any decrypting on the Web Service side, I can see the encrypted session key, but after I decrypt the XML, it's gone (and therefore I don't have any session keys for my reply).

Any ideas how I can get this unencrypted key?

1
We are going to need a little more info than "It's gone". Code snippets? It's also not good practice to hard code RSA keys. Why not read the certificates from the Windows key store and use those to encrypt/decrypt? - Petey B
It's almost verbatim of the code on MSDN: msdn.microsoft.com/en-us/library/ms229746.aspx In the Decrypt() Method, after calling DecryptDocument, I can see my data, but how do I get the SessionKey (that was used in the Encrypt() method) so I can reply to the sender? - Tim
Why aren't you simply using SSL? - CodesInChaos

1 Answer

0
votes

The reason that you cannot see the session key is that it is automatically decrypted and used. Normally it is considered part of the XML. If you want to get at it, just use

EncryptedXml.DecryptEncryptedKey

And you should be alright. Note that for all the less important security warnings, the code represented here is vulnerable to both man-in-the-middle attacks and, to a lesser extent, to padding oracle attacks. It should help against most eavesdropping attempts though.

Finally, reusing a session key is considered pretty bad security practice too. If you reuse it, at least consider using an IV, e.g. a counter for each follow-up message.
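
One way to make the DecryptEncryptedKey call on the service side, as an added example (not code from the answer or from the MSDN sample). ExtractSessionKey, the key name "rsaKey" and the document built in Main are constructed for illustration, and the project is assumed to reference System.Security.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
static class SessionKeyDemo
{
    // Call BEFORE DecryptDocument(): it replaces EncryptedData and its nested EncryptedKey.
    public static byte[] ExtractSessionKey(XmlDocument doc, RSA rsa, string keyName)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("xenc", EncryptedXml.XmlEncNamespaceUrl);
        var node = doc.SelectSingleNode("//xenc:EncryptedData", ns) as XmlElement;
        if (node == null) throw new CryptographicException("No EncryptedData element.");
        var data = new EncryptedData();
        data.LoadXml(node);
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, rsa);   // same mapping DecryptDocument() relies on
        foreach (var wrapped in data.KeyInfo.OfType<KeyInfoEncryptedKey>())
        {
            // The wrap algorithm (RSA 1.5 or OAEP) is read from the EncryptedKey itself.
            byte[] key = exml.DecryptEncryptedKey(wrapped.EncryptedKey);
            if (key != null) return key;
        }
        throw new CryptographicException("No EncryptedKey could be unwrapped.");
    }

    static void Main()
    {
        // Constructed sample: throwaway RSA key pair, AES session key and document.
        using (RSA rsa = RSA.Create())
        using (Aes session = Aes.Create())
        {
            var doc = new XmlDocument();
            doc.LoadXml("<order><card>constructed-sample-value</card></order>");
            var target = (XmlElement)doc.GetElementsByTagName("card")[0];
            var ek = new EncryptedKey {   // session key wrapped with RSA-OAEP for this sample
                CipherData = new CipherData(EncryptedXml.EncryptKey(session.Key, rsa, true)),
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl) };
            ek.KeyInfo.AddClause(new KeyInfoName { Value = "rsaKey" });
            var ed = new EncryptedData {
                Type = EncryptedXml.XmlEncElementUrl,
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url),
                CipherData = new CipherData(new EncryptedXml().EncryptData(target, session, false)) };
            ed.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));
            EncryptedXml.ReplaceElement(target, ed, false);
            byte[] recovered = ExtractSessionKey(doc, rsa, "rsaKey");
            Console.WriteLine("session key recovered: {0}", recovered.SequenceEqual(session.Key));
        }
    }
}
```

If the recovered key is used for the reply, each message needs its own fresh IV, as the answer points out.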