Code Project
conceptual question about cryptography and CAPICOM

pelos wrote (#1):

Hello, I am trying to sign data with a CAPICOM.SignedData object. The SignedData object has got a method called Sign() which performs the operation, and this method has got a parameter called Signer which (according to the CAPICOM reference) "must have access to the private key of the certificate used to sign". I had understood that a public key certificate contains the subject's public key. So, I think that "the private key of the certificate used to sign" means that the certificate does not contain the subject's private key but that it is associated with it. My questions are:

1. How is this association made?
2. Where is the private key stored?
3. How can I obtain a signing private key?

Thanks in advance :-D

Heath Stewart wrote (#2):

Don't use CAPICOM (an interop library). Almost all the functionality of the CryptoAPI is encapsulated in the System.Security.Cryptography namespace and child namespaces and is written to support .NET, while using CAPICOM requires marshalling and isn't always .NET-friendly.

When you sign data, you sign with your private key. This allows the recipient(s) to verify your signature (an encrypted digest of the clear-text, typically) using your public key. RSA uses the same signature and encryption algorithms, whereas DSA uses different algorithms (more secure). The private key is maintained solely by the user. It should never be uploaded to a PKI server or be available for others. That would defeat the whole purpose of public key encryption. Only the public key is made public, hence the name.

If you're trying to access your private key, you must provide CSP (cryptographic service provider) information to use a CSP (software-based, smart card, etc.) that contains a private key, as well as how to access that private key. If you want, see my list of articles (link to them in my sig) for the XML Digital Signatures article. That contains information about using XML signatures and the SignedXml and SignedInfo classes to access your private key in a software-based provider (used by the sn.exe .NET Framework utility app) using the right index into the right key provider.

      Microsoft MVP, Visual C# My Articles

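The CSP access described in the answer above, as an added example that is not part of the original thread (editor's code, not Heath's). It runs on Windows only, since CSP key containers are a CryptoAPI feature and RSACryptoServiceProvider rejects CspParameters on other platforms; the container name ExampleSigningKey and the sample message are placeholders chosen for this demo. The signing side reaches the private key only through the CSP and returns a signature plus the public parameters, the verifying side holds nothing but that public half, and the container is deleted afterwards.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Windows only: CSP key containers
// are a CryptoAPI feature, and RSACryptoServiceProvider with CspParameters
// throws PlatformNotSupportedException elsewhere.
static class CspSigningDemo
{
    // Hypothetical key container name chosen for this example.
    const string ContainerName = "ExampleSigningKey";

    // PROV_RSA_AES ("Microsoft Enhanced RSA and AES Cryptographic Provider"):
    // the older default PROV_RSA_FULL type cannot produce SHA-2 signatures.
    const int ProvRsaAes = 24;

    // Signs data with the RSA key in the named container, creating a 2048-bit
    // key there if the container does not exist yet. The private key never
    // leaves the CSP; only the public parameters come back to the caller.
    static byte[] SignWithContainer(byte[] data, out RSAParameters publicKey)
    {
        var csp = new CspParameters(ProvRsaAes) { KeyContainerName = ContainerName };
        using (var rsa = new RSACryptoServiceProvider(2048, csp))
        {
            rsa.PersistKeyInCsp = true;              // key survives Dispose()
            publicKey = rsa.ExportParameters(false); // false: public half only
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Verifier side: holds nothing but the public key.
    static bool VerifyWithPublicKey(byte[] data, byte[] signature, RSAParameters publicKey)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Deletes the key container so the demo leaves no key material behind.
    static void DeleteContainer()
    {
        var csp = new CspParameters(ProvRsaAes) { KeyContainerName = ContainerName };
        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            rsa.PersistKeyInCsp = false; // with this cleared, Clear() removes the container
            rsa.Clear();
        }
    }

    static void Main()
    {
        // Constructed sample input for the demo.
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
        try
        {
            byte[] sig = SignWithContainer(data, out RSAParameters pub);
            Console.WriteLine("Signature valid:       " + VerifyWithPublicKey(data, sig, pub));

            data[0] ^= 0x01; // flip one bit of the message
            Console.WriteLine("Valid after tampering: " + VerifyWithPublicKey(data, sig, pub));
        }
        finally
        {
            DeleteContainer();
        }
    }
}
```

Pointing CspParameters at a smart-card CSP (by ProviderName and ProviderType) instead of the software provider changes nothing else in the signing code, which is the point of the CSP abstraction: the application never handles the private key bytes in either case.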
pelos wrote (#3):

Thank you, Heath. If I don't use CAPICOM, how can I create a CMS/PKCS#7 (SignedData) structure? I think there is no PKCS#7 structure in the .NET class library. Ahhh! I think that the response to my question (how is the association between a public-key certificate and the signing private key) was the PKCS#12 structure, wasn't it? Thanks.

Heath Stewart wrote (#4):

          Yes. IIRC, the PKCS12 structure can store more information, but I really haven't worked too much with such types of storage structures. Most references to such structures I see are typically PKCS12, however.

          Microsoft MVP, Visual C# My Articles

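Since this exchange, .NET has shipped a managed CMS/PKCS#7 implementation: SignedCms and CmsSigner in System.Security.Cryptography.Pkcs (part of .NET Framework 2.0 and later, and the System.Security.Cryptography.Pkcs package on .NET Core and .NET). The following is an added example, not code from the thread, that ties the two questions above together: it creates a certificate and its private key, bundles them into a PKCS#12 blob (the association pelos asks about), loads that blob back into an X509Certificate2 whose HasPrivateKey is true, and then produces and verifies a detached SignedData structure. CertificateRequest requires .NET Framework 4.7.2 or .NET Core 2.0 and later; the subject name, password and message are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the thread.
static class Pkcs7SigningDemo
{
    // Builds a self-signed certificate plus its private key and exports both
    // as one PKCS#12 blob. The certificate itself carries only the public key;
    // the PKCS#12 container is what keeps the private key next to it.
    static byte[] CreatePkcs12(string password)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest(
                "CN=Example Signer",            // constructed subject for the demo
                key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            // Restrict the key to signing; a CMS signer needs no encipherment.
            req.CertificateExtensions.Add(
                new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1)))
            {
                return cert.Export(X509ContentType.Pkcs12, password);
            }
        }
    }

    // Produces a detached CMS SignedData: the signature is returned, the
    // content travels separately, as with a .p7s file.
    static byte[] SignDetached(byte[] content, X509Certificate2 signerCert)
    {
        var cms = new SignedCms(new ContentInfo(content), detached: true);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert)
        {
            IncludeOption = X509IncludeOption.EndCertOnly,
            DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1") // SHA-256
        };
        cms.ComputeSignature(signer); // fails if signerCert has no private key
        return cms.Encode();
    }

    // Verifies the detached signature against the content it claims to cover.
    static bool Verify(byte[] content, byte[] pkcs7)
    {
        var cms = new SignedCms(new ContentInfo(content), detached: true);
        cms.Decode(pkcs7);
        try
        {
            // verifySignatureOnly: true checks the signature math but skips
            // chain building; the demo certificate is self-signed and trusted
            // by no store. Production code would pass false and enforce trust.
            cms.CheckSignature(verifySignatureOnly: true);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        const string password = "example-password"; // constructed for the demo
        byte[] pfx = CreatePkcs12(password);
        byte[] content = Encoding.UTF8.GetBytes("contract v3, amount 5000 EUR"); // constructed

        using (var signerCert = new X509Certificate2(pfx, password))
        {
            Console.WriteLine("HasPrivateKey:         " + signerCert.HasPrivateKey);
            byte[] signature = SignDetached(content, signerCert);
            Console.WriteLine("Signature valid:       " + Verify(content, signature));

            content[0] ^= 0x01; // alter the covered content
            Console.WriteLine("Valid after tampering: " + Verify(content, signature));
        }
    }
}
```

Loading the PKCS#12 is the step that answers the original question: X509Certificate2 exposes the public certificate and, separately, a handle to the private key that the container carried alongside it, so CmsSigner can sign while a recipient who receives only the certificate inside the SignedData can still verify.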