Skip to main content

X509 certificate encryption fun :-)

Recently I needed to encrypt data on a server and allow a limited number of service accounts the ability to decrypt that data so it was as safe as possible.

The approach I took to achieve this was by using a X509 certificate and it's ability to allow you to encrypt information via it's public key and decrypt that information through the private key.

The key parts of this approach are:

- Create a certificate

- Ensure the KeySpec of the certificate is set up correctly to allow for encryption e.g. "KeyExchange" or "None" if you are doing this via PowerShell

- Set the security on the private keys so only specific user accounts can access it and decrypt information encrypted via the public key.


Step 1 - Create a certificate to use

The easiest way to get a quick example going is via PowerShell to create a dummy root certificate and the one we will use for encrypting and decrypting.


$rootCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "BlogSuperRootCA" -TextExtension @("2.5.29.19={text}CA=true") -KeyUsage CertSign,CrlSign,DigitalSignature
$testCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "SignedByBlogSuperRootCA" -KeyExportPolicy Exportable -KeyLength 2048 -KeyUsage DigitalSignature,KeyEncipherment -Signer $rootCert -KeySpec "None"

Step 2 - Secure your private keys

Once you have the certificate created you can then easily secure the private key via PowerShell

$accounts = @("someDomain\userA","someDomain\userB")
$fileName = $testCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$fileName"
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($True, $False)
                                                                
foreach($account in  $accounts)
{
  Write-Output "Adding  $account"           
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account,"Full","Allow")
  $acl.AddAccessRule($rule)
}

Set-Acl -Path  $path -AclObject $acl

Now we have our certificate and the permissions all set we can move onto the C# code which enables the encryption and decryption!


Step 3 - Use the certificate to encrypt and decrypt

Once you have the certificate and the permissions setup for who has access to the private key it's very straight forward to do the encryption and decryption. I've included below a simple test that should enable you to test this out yourself without much trouble.


using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using NUnit.Framework;

namespace Blog.Michael.Ciba.CertEncryptionTesting
{
    [TestFixture]
    public class Given_a_valid_certificate_with_a_private_key_we_can_access
    {
        private X509Certificate2 _certificate;

        [OneTimeSetUp]
        public void Using()
        {
            const string BlogCertificateSubject = "CN=SignedByBlogSuperRootCA";
            using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadOnly);

                _certificate = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName,
                        BlogCertificateSubject, false)
                    .Cast()
                    .FirstOrDefault();

            }
        }

        [Test]
        public void It_will_encrypt_and_decrypt_the_text_and_not_throw_an_exception()
        {
            // Arrange
            const string TextToEncrypt = "Some random text to encrypt";

            // Act
            var encryptedText = GetEncryptedTextBasedOnCertificatePublicKey(_certificate, TextToEncrypt);
            var actualDecryptedText = GetDecryptedTextBasedOnCertPrivateKey(_certificate, encryptedText);

            // Assert
            Assert.That(encryptedText, Is.Not.EqualTo(TextToEncrypt));
            Assert.That(actualDecryptedText, Is.EqualTo(TextToEncrypt));
        }

        public static string GetEncryptedTextBasedOnCertificatePublicKey(X509Certificate2 certificate,
            string textToEncrypt)
        {
            var rsa = certificate.GetRSAPublicKey();
            var bytesToEncrypt = Encoding.UTF8.GetBytes(textToEncrypt);
            var encryptedBytes = rsa.Encrypt(bytesToEncrypt, RSAEncryptionPadding.OaepSHA512);
            var encryptedText = Convert.ToBase64String(encryptedBytes);
            return encryptedText;
        }

        public static string GetDecryptedTextBasedOnCertPrivateKey(X509Certificate2 certificate,
            string textToDecrypt)
        {
            var rsa = certificate.GetRSAPrivateKey();
            var bytesToDecrypt = Convert.FromBase64String(textToDecrypt);
            var decryptedBytes = rsa.Decrypt(bytesToDecrypt, RSAEncryptionPadding.OaepSHA512);
            var decryptedText = Encoding.UTF8.GetString(decryptedBytes);
            return decryptedText;
        }
    }
}

See that wasn't too complex was it?

Comments

Post a Comment

Popular posts from this blog

Shouldn’t validating a checkbox be easier than this?

  Well it's been a while since I have done a post but with changing jobs recently and life in general getting in the way I just couldn’t seem to find the time. However, now I have a spare five minutes I thought I would fire off a post :) So what's the post about? Validating a checkbox web control. Now I know your reading this thinking that's easy all you need is a custom validator and a event handler in your code behind and job done? Well in most cases yes I would agree with you. However, my latest project (a legacy application) uses code generation to create the vast majority of the ASP.NET pages and user controls. Therefore it’s difficult for me to include anything other than the standard set of ASP.NET validators or something which inherits off the “ BaseValidator ” and get it working correctly in the XSLT templates generating the code. Because of this I decided to create my own validator for the checkbox web control. So how do we get started? Well first off you ne...
Post a Comment
Read more

SharePoint - Search Service Application (SSA) - Attempted to perform an unauthorized operation

On my current project I needed to adjust and add some search mapping via SharePoint's Central Administration web site. This should have been very straight forward as you have the ability to add managed properties and mappings easily via the UI. However, when I went to save my changes I got the error "The settings could not be saved because of an internal error: Attempted to perform an unauthorized operation". Now this was very confusing as I am administrator on the server and added into all of the correct SharePoint groups. I also tried the same action via PowerShell and got the same error.   After a few hours of research and head scratching I managed to get to the bottom of the problem which is the way my user account had been added as an administrator to the server. In the company I work for to make it easier to manage the administrators on a server a group is created in active directory called " servername_admins ". This group is added to the local administra...
Post a Comment
Read more