RsaProtectedConfigurationProvider implementation vs RSACryptoServiceProvider c#

Question

If RSACryptoServiceProvider cannot Encrypt data larger than it's KeySize, how RsaProtectedConfigurationProvider is implemented in the .Net framework?

I am working on a utility that is going to be used to encrypt/decrypt some sensitive information. My two encryption provider options are DPAPI and RSA, while DPAPI not suited for web farm kind of environment, RSA is fits because of the Export/Import options with a KeyContainer. This is a stand alone application running on a workstation.

As I am aware that Asymmetric algorithms are not designed for large data, I just tried encrypting a string of length over 400K using the code below and it works well.

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
        }

Definitely this implies that more things are happening behind the scenes apart from the export import key options in aspnet_regiis.exe.

My understanding:

1. we encrypt myapp.exe.config with RsaProtectedConfigurationProvider, provide a key container name myrsakeycontainer, and export the public and private keys to an xml file myrsakeyfile.xml.

2. If we want myapp.exe.config to be decrypted in another computer, we import they keypair from myrsakeyfile.xml with a container named myrsakeycontainer.

this works well. I can achieve the same thing in my project via RSACryptoServiceProvider. But I can't handle data that larger than the key size that new RSACryptoServiceProvider(cspParameters) generated for me.

• I want to be able to decrypt huge data (just in case) just the way RsaProtectedConfigurationProvider does.
• Yes I could use a RijndaelManaged (my favorite) for actual encryption and for the symmetric key transport (export/import) I could use the RSACryptoServiceProvider. This leaves me in a situation that If I want to export/import the symmetric key, I should first encrypt it with the public key or RSA, import it to another machine, decrypt with the private key of RSA. Which is export the RSA key pair along with the encrypted symmetric key.

• But, when I export RSA key pair used by RsaProtectedConfigurationProvider via aspnet_regiis.exe, I believe that it exports only the public/private key pair in an xml file and no other information (like the symmetric key information).

• So, with just the RSA key pair, how does RsaProtectedConfigurationProvider manage to derypt (huge - over 400K chars in my case) information that was encrypted on another computer? In cases it uses a symmetric algorithm (perhaps?!) to encrypt information, how is that symmetric key exported/imported to another computer for decryption? Is that symmetric key part of the RSA key container exported via aspnet_regiis.exe or is the symmetric key is contrived dynamic based on an algorithm?

• I could get away with a Rijndael, whose key is encrypeted with an RSA key pair and I can export/import both the RSA key pair and the Rijndael symmetric key to another computer. (which I have done in the past)

  I am interested to know what is used inside RsaProtectedConfigurationProvider.

Any theories? concepts? links? recommendations? please..

Similar Question - What algorithms are used by RSAProtectedConfigurationProvider in web.config encyrption?

Answer 1

The encrypted symmetric key is stored in the XML alongside the encrypted configuration information that the symmetric key has encrypted.

If you use Reflector to look at the code, what it does is load the XML node and use the asymmetric RSA private key to decrypt a symmetric key stored within the XML node itself.

The function that actually does this magic is here:

public virtual SymmetricAlgorithm GetDecryptionKey(EncryptedData encryptedData, string symmetricAlgorithmUri);

Declaring Type: System.Security.Cryptography.Xml.EncryptedXml Assembly: System.Security, Version=2.0.0.0

See the code around

this.m_document.SelectNodes("//enc:EncryptedKey", nsmgr);

This blog post has a nice writeup about how you pair Asymmetric and Symmetric algorithms in real-world practice: http://pages.infinit.net/ctech/20031101-0151.html