Javascript – RSA: Encrypt password in javascript but failed to decrypt that in C#

cencryptionjavascriptrsa

I want apply the RSA encryption to my project, but encountered some troubles:

First, I have download the JavaScripts library from
http://www.ohdave.com/rsa/ ,and add reference to my project;

Second, I have define the RSA object and code to initialize that:

internal RSACryptoServiceProvider Rsa
    {
        get
        {
            if (HttpContext.Cache["Rsa"] != null)
            {
                RSACryptoServiceProvider encryptKeys = (RSACryptoServiceProvider)HttpContext.Cache["Rsa"];
                return encryptKeys;
            }
            else
            {
                return new RSACryptoServiceProvider(1024);
            }
        }
        set
        {
            HttpContext.Cache.Remove("Rsa");
            HttpContext.Cache.Insert("Rsa", value);
        }
    }
public ActionResult SignUp()
    {
        this.Rsa = Security.GetRsa();
        RSAParameters param= this.Rsa.ExportParameters(true);
        //this will bind to view
        TempData["exponent"] = Util.BytesToHexString(param.Exponent);
        TempData["key"] = Util.BytesToHexString(param.Modulus);

    UserInfo user = new UserInfo();
    user.Birthday = DateTime.Now.Date;
    return View(user);
}
private RSACryptoServiceProvider GetRsa()
    {
        RSACryptoServiceProvider Rsa = new RSACryptoServiceProvider(1024);
        return Rsa;
    }

3.then, on JavaScript side , I have code, it encrypt the password user input and the bind it control:

var hash = document.getElementById("Pwd").value;
var exponent = document.getElementById("exponent").innerHTML;
var rsa_n = document.getElementById("key").innerHTML;
setMaxDigits(131);
var key = new RSAKeyPair(exponent, "", rsa_n);
hash = encryptedString(key, "111");

document.getElementById("Pwd").value = hash;
document.getElementById("Pwd2").value = hash;

document.getElementById("error").innerHTML = "";
document.getElementById("submit").click();

4.when user click submit, my C# code get the encrypted pwd string and try to decrypt it but failed with exception: bad data:

[HttpPost]
    public ActionResult SignUp(UserInfo user)
    {
        user.UserId = user.UserId.ToLower(); //ignore case
        user.UserGUID = Guid.NewGuid();
        user.CreatedDate = DateTime.Now;
        user.IsEnabled = false;

        user.Pwd = Convert.ToBase64String(Rsa.Decrypt(Util.HexStringToBytes(user.Pwd), false));//Exception:Rsa.Decrypt throw bad data exception

who do you know how to fix it? thank you in advance.

Best Answer

I had a very similar problem in that most of the JavaScript based RSA encryption solutions wasn't "compatible" with .NET's implementation.

Almost all the implementations I found online had one or both of the following items causing the incompatibility with .NET's implementation.

The byte order encoding in JavaScript is different to the byte order that .NET used. This is a biggie as for example a string is represented with a different order of bytes in JS than it is in .NET so you'll need to convert before encrypting and after decrypting. I believe it's enough to just reverse the byte order to match .NET, but don't quote me on that.
Padding was different: .NET uses OAEP padding by default for RSA so the JS implementation of RSA should support the same padding too. I believe OAEP padding is also called PKCS#1 v2.0 padding, but don't quote me on that either.

Aside: I found an amazing JS library, called JavaScript.NET (from jocys.com) that mirrors tons of the .NET BCL functionality, including the RSA implementation, such that I could even use similar classes, properties and methods. Have a look at this. I can confirm it works with .NET RSA implementation. Give it a go - here are some links for it:

Hth

Related Solutions

C# – RSA Encrypt / Decrypt Problem in .NET

Allow me a bit of terminology. There is asymmetric encryption and there is digital signature.

Asymmetric encryption is about keeping confidentiality. Some sensitive data is transformed into something unreadable, save for the entity who knows the decryption key. The decryption key is necessarily the private key: if the decryption key is the public key, then everybody can decrypt the data (the public key is, well, public) and there is no confidentiality anymore. In asymmetric encryption, one encrypts with the public key and decrypts with the corresponding private key.
Digital signatures are meant to prove integrity. Someone computes a kind of keyed checksum over the data, in such a way that the link between the checksum and the data can be verified later. This is a "signature" only because the power to compute that checksum requires knowledge of something which is not public -- in plain words, signing uses the private key. Verification, however, should be doable by anybody, and thus use the public key.

A fair bit of confusion is implied by the fact that "the" RSA algorithm is actually a mathematical operation which can be declined into both an asymmetric encryption system, and a digital signature system. The confusion is further enhanced by the RSA standard, aka PKCS#1, which implicitly relies on how RSA digital signatures were first described, i.e. as a "reversed encryption" ("the signer encrypts the data with his private key"). Which leads to things like RSA signatures called "sha1WithRSAEncryption". This is quite unfortunate.

Therefore, you must first decide whether you want confidentiality or signatures. For confidentiality, for data sent from clients to the server, the server shall own a private key, and the clients use the server public key to encrypt the data. For signatures, each client shall have his own private key and use it to sign the data, and the server verifies the signatures. From your description I cannot tell what you are really after, thanks to the confusion I allude to above.

Also, there is something called authentication which may look like digital signatures, but is weaker. The point of signatures is than anybody can verify the signature. In particular, the signature can be shown to a judge and thus serve as legal weapon against the signer (the signature is legally binding -- at least if you do it right, and in the current state of regulations over electronic signatures, this is not easy). In most situations you only need something weaker and simpler, in which the server is convinced that it talks to the right client, but cannot afterwards convince anybody else that this client was really there. Any web site with user passwords is using such authentication.

With that being said...

RSA asymmetric encryption covers only short messages. For a 1024-bit RSA key (i.e. a key where the most important part, the "RSA modulus", is a big number with a value between 2^1023 and 2^1024, and encrypted messages will be of length 128 bytes), the maximum size of an encrypted message is 117 bytes (that's the actual source of your error message). When we want to send longer messages, we use an hybrid system, in which we only encrypt a small bunch of random bits (say 128 bits) and use that bunch as a key for a symmetric encryption system (e.g. AES) which can process much longer messages (and much faster, too).
RSA signatures, similarly, can be computed only on short messages, hence the PKCS#1 standard mandates that a signature is actually computed over a hash value. The hash value is the output of a specific hash function, which is computed over the message to sign. The hash function has a fixed-sized output (e.g. 256 bits for SHA-256) but accepts input messages of (almost) arbitrary length. Hash functions are public (there is no key in them) and, for proper security, must have some special properties. SHA-256 is, right now, not a bad choice. SHA-1 (a predecessor of SHA-256) has been proven to have some weaknesses and should be avoided. MD5 has (a kind-of uncle of SHA-1) has bigger weaknesses and shall not be used.
Proper use of asymmetric encryption, especially in an hybrid scheme, and digital signatures, is trickier than what the text above may suggest. It is awfully easy to get it wrong at some point, invisibly, i.e. the code will appear to work but will leak data useful for an attacker. The right way to use asymmetric encryption or digital signatures is to rely on existing, well-thought protocols. A protocol is an assembly of cryptographic elements into a coherent system, where leaks are taken care of. The prime example is TLS, also known as SSL. It is a protocol which ensures confidential data transmission, with integrity and authentication (possibly mutual authentication). The HTTPS protocol is a mixture of HTTP and SSL. The bright side is that HTTPS has existing implementations, notably in C#. The code which is easiest to implement and debug is the code which has already been implemented and debugged. So use HTTPS and you will live longer and happier.

Javascript – How to determine if Javascript array contains an object with an attribute that equals a given value

No need to reinvent the ~~wheel~~ loop, at least not explicitly (using arrow functions, modern browsers only):

if (vendors.filter(e => e.Name === 'Magenic').length > 0) {
  /* vendors contains the element we're looking for */
}

or, better yet, as it allows the browser to stop as soon as one element is found that matches, so it's going to be faster:

if (vendors.some(e => e.Name === 'Magenic')) {
  /* vendors contains the element we're looking for */
}

EDIT: If you need compatibility with lousy browsers then your best bet is:

if (vendors.filter(function(e) { return e.Name === 'Magenic'; }).length > 0) {
  /* vendors contains the element we're looking for */
}

Best Answer

Related Solutions

C# – RSA Encrypt / Decrypt Problem in .NET

Javascript – How to determine if Javascript array contains an object with an attribute that equals a given value

Related Topic