Archived Forum Post


Question:

How to use a certificate (.cer) for decryption?

Mar 12 '13 at 09:48

We successfully use your decryption component (Chilkat.Crypt2) to decrypt a SAML document sent to us from a client for the purposes of SSO. We’re using a shared key and initialization string that has been working just great.

We’ve been asked to create a second SSO form that will use a certificate for the decryption (.cer). Are there any examples online of using your component with a certificate to perform the decryption?


Answer

I've had difficulty in forming an answer because I don't know how to help.

I think the issue is that before you begin, you need to have some fundamental understanding of the basics of the subject matter. In other words, the difference between symmetric encryption and public-key encryption. Symmetric encryption is where a shared secret (i.e. the identical password or secret-key) is used to encrypt and decrypt, and both parties have knowledge of the key. With public-key encryption, the key is in two corresponding parts. The public key can be given out freely to anyone, and it may be used to encrypt data that can only be decrypted by the owner of the corresponding private key.

AES, Blowfish, 3DES, Twofish, RC2, etc. are symmetric encryption algorithms.

RSA is a public-key encryption algorithm.

A digital certificate is something different -- it is something that establishes authenticity -- that you are who you say you are -- and it also encapsulates a public-key that corresponds to the private key held by the certificate owner. The .cer is a digital certificate containing the public key. It does not contain the private key. A PFX file (also known as .p12 or PKCS12) is a container that can contain both certificate(s) and private keys.

I don't have an answer for you because before you even begin, you need to understand the subject matter and the architecture of what's involved. Once you do, you can have a meaningful conversation with your counter-party, and in addition, when you review the Chilkat documentation and examples, things will make more sense.


Answer

Thank you for your explanation.

We have received both his PFX and CER files and assume that he’s performing RSA encryption. I’m able to access his certificate, access the private key stored within it, and subsequently encrypt/decrypt small strings. However, when I attempt to either encrypt or decrypt strings as large as the XML packet he’s sending me, the encryption fails because I’m exceeding the size limit.

It was my understanding that AES encryption was used because of its ability to encrypt/decrypt larger amounts of data (since it’s broken down into smaller groups of bytes), but to your point that’s where my understanding ends.

So I guess what I really need assistance with is using his certificates to decrypt a large string, which really means separating the data into chunks based on the key length.
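
Added example (not part of the thread and not Chilkat code): the RSA size limit described above, next to the usual hybrid arrangement in which a random AES key encrypts the large payload and RSA only encrypts that short key. It uses Node.js's built-in `crypto` module; the freshly generated key pair, the choice of RSA-OAEP with SHA-256 and AES-256-GCM, the function names and the sample XML are all assumptions, since the thread does not say which algorithms the sender uses.

```javascript
// Added example, not from the thread: Node.js built-in crypto only.
const crypto = require('crypto');

// Constructed stand-ins: publicKey plays the role of the key inside the .cer,
// privateKey the key held in the PFX. Real keys would be loaded from those files.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Largest plaintext a single RSA-OAEP operation accepts: k - 2*hLen - 2 bytes.
function rsaOaepLimit(modulusBits, hashBytes) {
  return modulusBits / 8 - 2 * hashBytes - 2;
}

// True when RSA on its own rejects the payload (the size-limit failure).
function rsaAloneFails(pub, plaintext) {
  try { crypto.publicEncrypt({ key: pub, ...OAEP }, plaintext); return false; }
  catch (e) { return true; }
}

// Sender: a fresh AES-256-GCM key encrypts the payload; RSA only wraps that key.
function hybridEncrypt(pub, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: pub, ...OAEP }, key),
    iv, data, tag: cipher.getAuthTag(),
  };
}

// Recipient: the private key unwraps the AES key, then AES-GCM decrypts and authenticates.
function hybridDecrypt(priv, msg) {
  const key = crypto.privateDecrypt({ key: priv, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.data), decipher.final()]);
}

// Constructed sample payload, several kilobytes like a small SAML response.
const samlXml = Buffer.from('<samlp:Response>' + '<Attribute/>'.repeat(300) + '</samlp:Response>');
const msg = hybridEncrypt(publicKey, samlXml);
console.log('RSA-OAEP limit (bytes):', rsaOaepLimit(2048, 32));
console.log('RSA alone fails:', rsaAloneFails(publicKey, samlXml));
console.log('round trip ok:', hybridDecrypt(privateKey, msg).equals(samlXml));
```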