Update: I found this via Google: http://www.example-code.com/ios/crypt_encrypt_file_to_p7m.asp which seems exactly what I want, but I didn't see it linked via the menus. Any reason it's not a good approach for the question below?
I want to use public key encryption to encrypt a large file. My automatic approach would be to aes encrypt the file and then rsa encrypt the randomly chosen symmetric key and deliver them either separately or together somehow (i want to keep the bulk output raw binary to avoid overhead so I don't mind shipping keys separately).
Something like http://www.example-code.com/objc/rsa_keyExchange.asp
But I also see some reference to combining the two in one approach such as this: http://www.chilkatsoft.com/p/p_510.asp
Do I understand correctly that if I use AddEncryptCert to add a certificate and set CryptAlgorithm to "pki" then Crypt2 will automatically encrypt the file symmetrically and rsa encrypt the key? Are there any clear docs about that? I'm using the Cocoa library and the docs don't seem to cover the intent of those methods.
The ideal output format would be .p7m, but from my reading of Crypt2.CreateP7M it will always sign but I just need an envelope with encrypted data and the shared key, not signed data. I also want it to be readable by the ChilKat library at the other end.
Any suggestions of the best approach would be appreciated!
The example is linked from this web page: http://www.example-code.com/ios/encryption.asp
Given your question, I think the best solution is to use Crypt2 w/ a digital certificate to create the .p7m. To encrypt, you would set the CryptAlgorithm to "pki", then supply the certificate via AddEncryptCert, and then call CkEncryptFile to produce a .p7m. Alos, set the Crypt2.Pkcs7CryptAlg property = "aes" prior to encrypting.
For testing purposes, you can examine the contents of the LastErrorText after calling CkEncryptFile to see if the encryption used the algorithms you desired.
The .p7m created by CkEncryptFile will have done the bulk encryption using a symmetric algorithm, such as AES, and the symmetric key is encrypted within the .p7m. To decrypt, the certificate's private key is required (which is used to decrypt the symmetric key, which is then used to decrypt the file data). When PKCS7 encrypting, only the public key is used. Therefore, for the other end to decrypt, both the cert and private key are required, and you would likely provided it in the form of a .pfx/.p12 file.
answered Nov 25 '13 at 10:42