2

RSACryptoServiceProvider.Encrypt has an f0AEP parameter that can be set to "true to perform direct RSA encryption using OAEP padding (only available on a computer running Windows XP or later)".

The thing is... with OAEP you have parameters like the Hash, MGF Hash and the label. How do you set those with RSACryptoServiceProvider? And when not set what do they default to? Even if they can't be set they should still default to something I assume?

RSA.Decrypt(Byte[], RSAEncryptionPadding) seems a lot more versatile and like it ought to be the preferred method but I'm just trying to understand RSACryptoServiceProvider more as I inherited some legacy code that uses it.

neubert
  • 15,947
  • 24
  • 120
  • 212

1 Answers1

3

RSACryptoServiceProvider applies the default values (from RFC8017), i.e. SHA1 for both digests and an empty label. The .NET documentation does not describe this in detail. A hint regarding SHA1 can be found in the remarks about the overload Encrypt(Byte[], RSAEncryptionPadding). Ultimately, it has to be tested because of the sparse documentation.

For other digests other implementations must be used, e.g. RSACng. Even here both digests can only be selected identically. The label cannot be set (which, however, is usually not done either).

The C# implementation of RSA/OAEP by BouncyCastle allows to set the digests independently. Likewise, the label can be set (referred to as encodingParams). Here is an example for C#/BouncyCastle.

Topaco
  • 40,594
  • 4
  • 35
  • 62
  • 1
    That's a good observation about SHA1 being the default values! I guess that also explains why OpenSSL's `RSA_private_decrypt` uses SHA1 as the default values for the hash / MGF1 hash. – neubert Jun 02 '21 at 03:20