Security.Cryptography.RSACng
The RSACng class provides a wrapper for the CNG implementation of the RSA algorithm. The interface provided by RSACng is derived from the
System.Security.Cryptography.RSA base type, and not from the
System.Security.Cryptography.RSACryptoServiceProvider class. Consequently, it is not a drop-in replacement for existing uses of RSACryptoServiceProvider.
RSACng uses a programming model more similar to the
System.Security.Cryptography.ECDsaCng class than to RSACryptoServiceProvider. For instance, unlike RSACryptoServiceProvider, which has a key directly tied into the operations of the type itself, the key used by RSACng is managed by a separate
System.Security.Cryptography.CngKey object. Additionally, operations such as signing and verifying signatures take their parameters from a set of properties set on the RSACng object, similar to how ECDsaCng uses properties of its object to control the signing and verification operations.
RSACng uses the NCrypt layer of CNG to do its work, and requires Windows Vista and the .NET Framework 3.5.
Example usage:
using System.Security.Cryptography;
using System.Text;
using Security.Cryptography;

// Create an RSA-SHA256 signature using the key stored in "MyKey"
static byte[] SignWithStoredKey()
{
    byte[] dataToSign = Encoding.UTF8.GetBytes("Data to sign");
    using (CngKey signingKey = CngKey.Open("MyKey"))
    using (RSACng rsa = new RSACng(signingKey))
    {
        // Signing parameters are properties of the RSACng object, not arguments to SignData
        rsa.SignatureHashAlgorithm = CngAlgorithm.Sha256;
        return rsa.SignData(dataToSign);
    }
}
APIs
.ctor()
Creates a new RSACng object with a randomly generated 2048-bit key pair.
.ctor(int keySize)
Creates a new RSACng object that will use a randomly generated key of the specified size. Valid key sizes range from 384 to 16384 bits, in increments of 8. A minimum size of 2048 bits is recommended for all keys.
Parameters:
| keySize | size of the key to generate, in bits |
Creates a new RSACng object that will use the specified key. The key's
System.Security.Cryptography.CngKey.AlgorithmGroup must be Rsa.
Parameters:
| key | key to use for RSA operations |
Sets the hash algorithm to use when encrypting or decrypting data using the OAEP padding method. This property is only used if data is encrypted or decrypted and the EncryptionPaddingMode is set to AsymmetricPaddingMode.Oaep. The default value is Sha256.
Sets the padding mode to use when encrypting or decrypting data. The default value is AsymmetricPaddingMode.Oaep.
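An OAEP round trip built on the two encryption properties described above, added here as an illustration and not taken from the library's own documentation. It assumes the CLR Security library's Security.Cryptography namespace (the property name EncryptionHashAlgorithm comes from that library, not from this page), an ephemeral key pair in place of a stored CngKey, and a constructed sample message.

```csharp
using System;
using System.Security.Cryptography;          // CngAlgorithm, CryptographicException
using System.Text;
using Security.Cryptography;                 // AsymmetricPaddingMode (CLR Security library)
using RSACng = Security.Cryptography.RSACng; // alias avoids clashing with the .NET 4.6+ RSACng

static class OaepRoundTrip
{
    // Padding settings are read from the RSACng object's properties at call time, so the
    // decrypting side must be configured exactly like the encrypting side.
    static byte[] Encrypt(RSACng rsa, byte[] plaintext, CngAlgorithm oaepHash)
    {
        rsa.EncryptionPaddingMode = AsymmetricPaddingMode.Oaep;
        rsa.EncryptionHashAlgorithm = oaepHash;   // hash used inside the OAEP encoding (assumed property name)
        return rsa.EncryptValue(plaintext);
    }

    static byte[] Decrypt(RSACng rsa, byte[] ciphertext, CngAlgorithm oaepHash)
    {
        rsa.EncryptionPaddingMode = AsymmetricPaddingMode.Oaep;
        rsa.EncryptionHashAlgorithm = oaepHash;
        return rsa.DecryptValue(ciphertext);
    }

    static void Main()
    {
        // Constructed sample plaintext; OAEP with SHA-256 and a 2048-bit key allows at most 190 bytes.
        byte[] message = Encoding.UTF8.GetBytes("constructed sample plaintext");

        // Ephemeral 2048-bit key pair; a deployment would open a stored CngKey instead.
        using (RSACng rsa = new RSACng(2048))
        {
            byte[] ciphertext = Encrypt(rsa, message, CngAlgorithm.Sha256);
            byte[] recovered = Decrypt(rsa, ciphertext, CngAlgorithm.Sha256);
            Console.WriteLine(Encoding.UTF8.GetString(recovered));

            // A mismatched OAEP hash is rejected rather than yielding garbage: the OAEP
            // label-hash check fails and NCrypt reports a CryptographicException.
            try
            {
                Decrypt(rsa, ciphertext, CngAlgorithm.Sha1);
                Console.WriteLine("unexpected: decrypted with mismatched OAEP hash");
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("mismatched OAEP hash rejected: " + e.Message);
            }
        }
    }
}
```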
Gets the key that will be used by the RSA object for any cryptographic operation it performs. This key object will be disposed if the key is reset, for instance by changing the KeySize property, by using ImportParameters to create a new key, or by disposing of the parent RSA object. Therefore, you should make sure that the key object is no longer used in these scenarios. This object will not be the same object as the CngKey passed to the RSACng constructor if that constructor was used; however, it will point at the same CNG key.
System.String KeyExchangeAlgorithm { get; }
Returns "RSA-PKCS1-KeyEx". This property should not be used.
Gets the key storage provider being used for the algorithm.
System.String SignatureAlgorithm { get; }
Returns "http://www.w3.org/2000/09/xmldsig#rsa-sha1". This property should not be used.
Gets or sets the hash algorithm to use when signing or verifying data. The default value is Sha256.
Gets or sets the padding mode to use when encrypting or decrypting data. The default value is AsymmetricPaddingMode.Pkcs1.
int SignatureSaltBytes { get; set; }
Gets or sets the number of bytes of salt to use when signing data or verifying a signature using the PSS padding mode. This property is only used if data is being signed or verified and the SignaturePaddingMode is set to AsymmetricPaddingMode.Pss. The default value is 20 bytes.
Exports the key used by the RSA object into an RSAParameters object.
ImportParameters replaces the existing key that RSACng is working with by creating a new CngKey from the parameters structure. If the parameters structure contains only an exponent and modulus, then only a public key will be imported. If the parameters also contain P and Q values, then a full key pair will be imported.
The default KSP used by RSACng does not support importing full RSA key pairs on Windows Vista. If the ImportParameters method is called with a full key pair, the operation will fail with a CryptographicException stating that the operation was invalid. Other KSPs may have similar restrictions. To work around this, make sure to import only public keys when using the default KSP.
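The public-key-only import described above, combined with PSS signing and the SignatureSaltBytes property from the earlier entry: a signer exports just the exponent and modulus, and a separate verifier imports them. This is an added example, not the library's own code; it assumes the CLR Security library's Security.Cryptography namespace, a constructed message, an ephemeral key pair and a chosen 32-byte salt length.

```csharp
using System;
using System.Security.Cryptography;          // CngAlgorithm, RSAParameters, SHA256
using System.Text;
using Security.Cryptography;                 // AsymmetricPaddingMode (CLR Security library)
using RSACng = Security.Cryptography.RSACng; // alias avoids clashing with the .NET 4.6+ RSACng

static class PssSignAndVerify
{
    const int SaltBytes = 32;   // chosen to match the SHA-256 output size; the documented default is 20

    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] signature;
        RSAParameters publicOnly;
        // Signer: ephemeral key pair, RSA-PSS with SHA-256 and an explicit salt length.
        using (RSACng signer = new RSACng(2048))
        {
            signer.SignatureHashAlgorithm = CngAlgorithm.Sha256;
            signer.SignaturePaddingMode = AsymmetricPaddingMode.Pss;
            signer.SignatureSaltBytes = SaltBytes;
            signature = signer.SignData(data);
            // Export only the public half (exponent and modulus). A public-key import works
            // with the default KSP everywhere; a full key pair import fails on Windows Vista.
            publicOnly = signer.ExportParameters(false);
        }
        // Verifier: a separate RSACng object that only ever holds the public key.
        using (RSACng verifier = new RSACng())
        {
            verifier.ImportParameters(publicOnly);
            // PSS verification reads the same three properties, so they must match the
            // signer's values; a different salt length simply makes VerifyData return false.
            verifier.SignatureHashAlgorithm = CngAlgorithm.Sha256;
            verifier.SignaturePaddingMode = AsymmetricPaddingMode.Pss;
            verifier.SignatureSaltBytes = SaltBytes;
            Console.WriteLine("VerifyData: " + verifier.VerifyData(data, signature));
            // Same check over a hash computed elsewhere: the CngAlgorithm overload names the
            // hash explicitly instead of reading SignatureHashAlgorithm.
            byte[] hash;
            using (SHA256 sha = SHA256.Create())
                hash = sha.ComputeHash(data);
            Console.WriteLine("VerifyHash: " + verifier.VerifyHash(hash, signature, CngAlgorithm.Sha256));
            verifier.SignatureSaltBytes = SaltBytes - 1;
            Console.WriteLine("wrong salt length: " + verifier.VerifyData(data, signature));
        }
    }
}
```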
System.Byte[] DecryptValue(System.Byte[] rgb)
DecryptValue decrypts the input data using the padding mode specified in the EncryptionPaddingMode property. The return value is the decrypted data.
Parameters:
| rgb | encrypted data to decrypt |
System.Byte[] EncryptValue(System.Byte[] rgb)
EncryptValue encrypts the input data using the padding mode specified in the EncryptionPaddingMode property. The return value is the encrypted data.
System.Byte[] SignData(System.Byte[] data)
SignData signs the given data after hashing it with the SignatureHashAlgorithm algorithm.
System.Byte[] SignData(System.Byte[] data, int offset, int count)
SignData signs the given data after hashing it with the SignatureHashAlgorithm algorithm.
Parameters:
| data | data to sign |
| offset | offset into the data that the signature should begin covering |
| count | number of bytes to include in the signed data |
SignData signs the given data after hashing it with the SignatureHashAlgorithm algorithm.
System.Byte[] SignHash(System.Byte[] hash)
Sign data which was hashed using the SignatureHashAlgorithm; if the algorithm used to hash the data was different, use the SignHash(byte[], CngAlgorithm) overload instead.
Sign already hashed data, specifying the algorithm it was hashed with. This method does not use the SignatureHashAlgorithm property.
Parameters:
| hash | hash to sign |
| hashAlgorithm | algorithm the hash was computed with |
bool VerifyData(System.Byte[] data, System.Byte[] signature)
VerifyData verifies that the given signature matches given data after hashing it with the SignatureHashAlgorithm algorithm.
Parameters:
| data | data to verify |
| signature | signature of the data |
Return Value: true if the signature verifies for the data, false if it does not
bool VerifyData(System.Byte[] data, int offset, int count, System.Byte[] signature)
VerifyData verifies that the given signature matches given data after hashing it with the SignatureHashAlgorithm algorithm.
Parameters:
| data | data to verify |
| offset | offset into the data that the signature should begin covering |
| count | number of bytes to include in the signed data |
| signature | signature of the data |
Return Value: true if the signature verifies for the data, false if it does not
bool VerifyData(System.IO.Stream data, System.Byte[] signature)
VerifyData verifies that the given signature matches given data after hashing it with the SignatureHashAlgorithm algorithm.
Parameters:
| data | data to verify |
| signature | signature of the data |
Return Value: true if the signature verifies for the data, false if it does not
bool VerifyHash(System.Byte[] hash, System.Byte[] signature)
Verify data which was signed and already hashed with the SignatureHashAlgorithm; if a different hash algorithm was used to hash the data, use the VerifyHash(byte[], byte[], CngAlgorithm) overload instead.
Parameters:
| hash | hash to verify |
| signature | signature of the data |
Return Value: true if the signature verifies for the hash, false if it does not
Verify data which was signed and hashed with the given hash algorithm. This overload does not use the SignatureHashAlgorithm property.
Parameters:
| hash | hash to verify |
| signature | signature of the data |
| hashAlgorithm | algorithm that hash was hashed with |
Return Value: true if the signature verifies for the hash, false if it does not