andrewlocatelliwoodcock

Following on from my last post on how to generate a public / private key pair in C#, this is the next post in my series on using RSA asymmetric encryption in .Net.

Now we have a public / private key pair, we can encrypt an arbitrary string using RSA encryption. To make this code more general, we are going to allow users to specify the bit length of the public key, allowing us to easily encrypt under 1024, 2048 and 4096 bit keys. To this end, I am reusing the RsaKeyLengths enumeration from the last post containing three common bit lengths: 1024, 2048 and 4096.

Performing RSA Encryption is not particularly difficult, but neither is it straightforward.

The basic steps are as follows:

1. Instantiate a new RSACryptoServiceProvider object using the bit length used to generate the public key. These bit lengths must match: you cannot provide a 1024 bit public key and then attempt to encrypt the data using 2048 bits for example.
2. Initialize the RSACryptoServiceProvider object from the public key using the FromXmlString method. Remember that the public key is serialized as XML (see my post on generating public / private key pairs if uncertain)
3. Convert the data to encrypt to a byte array
4. Work out the maximum length of data that can be encrypted per block. This requires a bit of knowledge of how the RSACryptoServiceProvider works, specifically that it uses the SHA1 hash function internally.
5. Encrypt the data block by block.
   As we allowing encryption of arbitrary strings, we may not be able to encrypt our data in a single block. We encrypt the data block by block until it is completely encrypted.
6. Reverse the array of the encrypted bytes in the block.
   <sarcasm>Microsoft have never before been known to implement an incompatible version of a standard process but there’s always a first time</sarcasm>:  the RSACryptoServiceProvider reverses the order of the encrypted bytes after encryption and again before decryption which makes our completed encrypted string look like gibberish to other implementations, so we need to undo this before we continue.
7. Concatenate the encrypted blocks and return the encrypted string

 
/// <summary>
/// Encrypt an arbitrary string of data under the supplied public key
/// </summary>
/// <param name="publicKey">The public key to encrypt under</param>
/// <param name="data">The data to encrypt</param>
/// <param name="length">The bit length or strength of the public key: 1024, 2048 or 4096 bits. This must match the 
/// value actually used to create the publicKey</param>
/// <returns></returns>
public static string Encrypt(string publicKey, string data, RsaKeyLengths length)
{
    // full array of bytes to encrypt
    byte[] bytesToEncrypt;

    // worker byte array
    byte[] block;

    // encrypted bytes
    byte[] encryptedBytes;

    // length of bytesToEncrypt
    var dataLength = 0;

    // number of bytes in key                
    var keySize = 0;

    // maximum block length to encrypt          
    var maxLength = 0;

    // how many blocks must we encrypt to encrypt entire message?
    var iterations = 0;

    // the encrypted data
    var encryptedData = new StringBuilder();

    // instantiate the crypto provider with the correct key length
    var rsaCryptoServiceProvider = new RSACryptoServiceProvider((int) length);

    // initialize the RSA object from the given public key
    rsaCryptoServiceProvider.FromXmlString(publicKey);

    // convert data to byte array
    bytesToEncrypt = Encoding.Unicode.GetBytes(data);

    // get length of byte array
    dataLength = bytesToEncrypt.Length;

    // convert length of key from bits to bytes
    keySize = (int)length / 8;

    // .NET RSACryptoServiceProvider uses SHA1 Hash function
    // use this to work out the maximum length to encrypt per block
    maxLength  = ((keySize - 2) - (2 * SHA1.Create().ComputeHash(bytesToEncrypt).Length));

    // how many blocks do we need to encrypt?
    iterations = dataLength / maxLength;

    // encrypt block by block
    for (int index = 0; index <= iterations; index++)
    {
        // is there more than one full block of data left to encrypt?
        if ((dataLength - maxLength * index) > maxLength)
        {
            block = new byte[maxLength];
        }
        else
        {
            block = new byte[dataLength - maxLength * index];
        }

        // copy the required number of bytes from the array of bytes to encrypt to our worker array
        Buffer.BlockCopy(bytesToEncrypt, maxLength * index, block, 0, block.Length);

        // encrypt the current worker array block of bytes
        encryptedBytes = rsaCryptoServiceProvider.Encrypt(block, true);

        // RSACryptoServiceProvider reverses the order of encrypted bytesToEncrypt after encryption and before decryption.
        // Undo this reversal for compatibility with other implementations
        Array.Reverse(encryptedBytes);

        // convert to base 64 string
        encryptedData.Append(Convert.ToBase64String(encryptedBytes));

    }
    return encryptedData.ToString();

}
 

The RsaKeyLengths enumeration used to request 1024, 2048 or 4096 bit encryption:

public enum RsaKeyLengths
{
    Bit1024 = 1024,
    Bit2048 = 2048,
    Bit4096 = 4096
}