0

We have been asked to encrypt text with following encryption method RSA/ECB/OAEPWithMD5AndMGF1Padding.

While defining the OAEP padding we are only allowed to define one hash function(MD5) and I could not find any way to define the other hash function(MGF1).

var rsa = new RSACng();
rsa.ImportParameters(parameters);
byte[] bytesToBeEncoded = Encoding.UTF8.GetBytes("Testing message");
var encryptedText = rsa.Encrypt(bytesToBeEncoded, RSAEncryptionPadding.CreateOaep(HashAlgorithmName.MD5));

Is there any way we can define the other hash function for Oaep padding (MGF1) or is it not possible within C#?

Thanks

Falansh
  • 1
  • 2
  • 2
    The Java transform `RSA/ECB/OAEPWithMD5AndMGF1Padding` uses SHA-1 as the MGF1 hash function if you use an Oracle provider, not MD5. – President James K. Polk Nov 17 '20 at 16:05
  • Thanks @PresidentJamesK.Polk for your response. Do you mean that from C# code we just need to do OAEP padding with SHA-1 and not MD5 and that will be equivalent to JAVA RSA/ECB/OAEPWithMD5AndMGF1Padding? var encryptedText = rsa.Encrypt(bytesToBeEncoded, RSAEncryptionPadding.OaepSHA1); – Falansh Nov 17 '20 at 19:35
  • No, I mean that I would expect that `RSAEncryptionPadding.CreateOaep(HashAlgorithmName.MD5)` is exactly the algorithm you want, namely the one specified in Java as `RSA/ECB/OAEPWithMD5AndMGF1Padding`. I'm sorry I cannot test that right now however. – President James K. Polk Nov 17 '20 at 20:00
  • Oh, but I'm afraid I sent the encrypted text using the method RSAEncryptionPadding.CreateOaep(HashAlgorithmName.MD5) But the other team is not able to decrypt it as they are getting the error. – Falansh Nov 17 '20 at 20:06
  • Ok, I will do some testing and see what I can figure out. – President James K. Polk Nov 17 '20 at 21:01
  • Thanks @PresidentJamesK.Polk. I have also asked the other team to verify it once more as this supposed to be the equivalent JAVA encryption method. – Falansh Nov 17 '20 at 21:34
  • 1
    C# uses the _same_ digest for both, the OAEP digest and the MGF1 digest. So with `RSAEncryptionPadding.CreateOaep(HashAlgorithmName.MD5)` MD5 is applied for the MGF1 digest, unlike Java, which uses SHA1 as MGF1 digest for `RSA/ECB/OAEPWithMD5AndMGF1Padding` and the SunJCE Provider, as already mentioned in the comment of President James K. Polk. Thus decryption fails. BouncyCastle/C# allows the separate specification of both digests and would be an alternative. [Here](https://stackoverflow.com/a/56497097/9014097) is a BouncyCastle/C# example for encryption. – Topaco Nov 17 '20 at 22:24
  • @Topaco: Thanks for the info. Is there any documentation for that fact? – President James K. Polk Nov 18 '20 at 00:16
  • 1
    @PresidentJamesK.Polk - Not to my knowledge. For a similar post, I tried to find out how to specify the two digests for OAEP separately using only C# on-board means, but found nothing really helpful in the MS documentation or the www. So I tested the C# behavior by encrypting with C# and decrypting with Java and explicitly specifying both digests for the latter. With the result that both OAEP digests are set identically. – Topaco Nov 18 '20 at 08:02
  • @Topaco: Thanks for the information. I will try to use BouncyCastle and let you know how it goes. – Falansh Nov 18 '20 at 09:32
  • @Topaco - Thanks for your help. I can confirm that I am able to achieve this encryption using BouncyCastle. – Falansh Nov 19 '20 at 19:32

1 Answers1

0

So as per the suggestion of Topaco I am able to encrypt the code using the Bouncy Castle library.

// Read in public key from file
var pemReader = new PemReader(File.OpenText(@"D:\test.pub.pem"));
var rsaPub =(Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)pemReader.ReadObject();
// create encrypter
var plainTextMessage = Encoding.UTF8.GetBytes("Testing message");
var encrypter = new OaepEncoding(new RsaEngine(), new MD5Digest(), new Sha1Digest(), null);
encrypter.Init(true, rsaPub);
var cipher = encrypter.ProcessBlock(plainTextMessage, 0, plainTextMessage.Length);
var encryptedtext = Convert.ToBase64String(cipher);
Falansh
  • 1
  • 2