3

My goal is to implement asymmetric encryption in an ASP.NET website to secure user-entered Social Security Numbers. I want to encrypt the SSNs with a public key and only display a masked version to the user (i.e. XXX-XX-1234). (A separate application running apart from the website will have access to the private key and decrypt the SSNs to transfer them to another system.)

I'm trying to use the built-in RSACryptoServiceProvider but I keep getting an error:

The system cannot find the file specified.

It runs just fine on my own machine, because I'm an admin on my machine. But on the server (Windows 2008 R2 Standard), it errors out. The website is running as IIS APPPOOL\MyWebSiteName.

I saw on a tutorial that I would need to give IIS NTFS permission for C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA. The reason is that supposedly the RSA API writes temp files to that folder, even if you give it the keys in memory. But I've tried different combinations of users and permissions and nothing's worked.

I realize I could put the public/private key pair in a key container and use aspnet_regiis.exe to grant IIS access to the key, but that defeats the purpose of keeping the private key separate from the website. I'm also concerned that giving IIS access to this folder would also compromise the other system key containers stored there.

How do I get ASP.NET to work with RSACryptoServiceProvider? Or should I just use some other method to do RSA encryption?

John
  • 45
  • 4
  • You probably have to enable the profile on the app pool http://www.iis.net/learn/manage/configuring-security/application-pool-identities < bottom of page – Steve Jul 29 '15 at 14:57
  • I ended up just using BouncyCastle. Took much less time to figure out how to get it running, even though there's a lot less documentation. – John Jul 29 '15 at 20:01
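Added example (not code from the original post or from any of the commenters): the design the question describes, with the website holding only the RSA public key, computing the display mask up front, and handing the ciphertext to a separate process that owns the private key. The point it demonstrates is the usual fix for "The system cannot find the file specified" under an IIS app-pool identity: RSACryptoServiceProvider backs every key (even an imported public key) with a CSP key container, which by default lives under the calling user's profile; with CspProviderFlags.UseMachineKeyStore the CSP uses the machine key store under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys instead, so no user profile is needed. The 2048-bit key size, the XML key format, the UTF-8 encoding of the SSN and the sample SSN are assumptions for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical types for this example; not part of the question's code.
public sealed class ProtectedSsn
{
    public string Masked { get; private set; }      // e.g. XXX-XX-1234, safe to show the user
    public byte[] CipherText { get; private set; }  // RSA-OAEP ciphertext, stored by the website

    public ProtectedSsn(string masked, byte[] cipherText)
    {
        Masked = masked;
        CipherText = cipherText;
    }
}

public static class SsnProtector
{
    // Runs in the website. Needs only the public half (rsa.ToXmlString(false)).
    public static ProtectedSsn Protect(string ssn, string publicKeyXml)
    {
        string digits = ssn.Replace("-", "");
        if (digits.Length != 9 || !digits.All(char.IsDigit))
            throw new ArgumentException("SSN must be nine digits");

        // The mask is computed now and stored next to the ciphertext, because the
        // website never holds the private key and cannot recover the digits later.
        string masked = "XXX-XX-" + digits.Substring(5);

        // UseMachineKeyStore: key container under the machine store, not the
        // (possibly never loaded) profile of IIS APPPOOL\MyWebSiteName.
        var csp = new CspParameters();
        csp.Flags = CspProviderFlags.UseMachineKeyStore;
        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            rsa.PersistKeyInCsp = false;       // remove the container on Dispose
            rsa.FromXmlString(publicKeyXml);   // import the public key only
            // OAEP padding (fOAEP = true); a 2048-bit key takes up to 214 bytes, an SSN is 11.
            byte[] cipherText = rsa.Encrypt(Encoding.UTF8.GetBytes(ssn), true);
            return new ProtectedSsn(masked, cipherText);
        }
    }

    // Runs only in the separate application that owns the private key.
    public static string Unprotect(byte[] cipherText, string privateKeyXml)
    {
        var csp = new CspParameters();
        csp.Flags = CspProviderFlags.UseMachineKeyStore;
        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            rsa.PersistKeyInCsp = false;
            rsa.FromXmlString(privateKeyXml);
            return Encoding.UTF8.GetString(rsa.Decrypt(cipherText, true));
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // One-time setup in the separate application: generate the pair and
        // give the website nothing but the public XML.
        string publicKeyXml, privateKeyXml;
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            rsa.PersistKeyInCsp = false;
            publicKeyXml = rsa.ToXmlString(false);
            privateKeyXml = rsa.ToXmlString(true);
        }

        // Website side: constructed sample SSN.
        ProtectedSsn p = SsnProtector.Protect("123-45-6789", publicKeyXml);
        Console.WriteLine(p.Masked);
        Console.WriteLine(Convert.ToBase64String(p.CipherText));

        // Back-end side: the only place the digits are ever recovered.
        Console.WriteLine(SsnProtector.Unprotect(p.CipherText, privateKeyXml));
    }
}
```

With PersistKeyInCsp set to false nothing is left behind in MachineKeys after the call returns, and the website is never granted anything beyond the default ACL on that folder, so the other machine key containers stay out of its reach. The alternative Steve's comment points at is to keep the user store but have IIS load the app pool's profile, for example with `%windir%\system32\inetsrv\appcmd set apppool "MyWebSiteName" /processModel.loadUserProfile:true`; that works too, but it makes the website's behaviour depend on a per-account profile existing on every server it is deployed to. On .NET 4.6 or later, RSACng with an ephemeral key imported via ImportParameters avoids the CSP container mechanism altogether.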

1 Answer

2

I personally use Cryptosys PKI to do all of my RSA cryptography within my .NET apps. I find it so much simpler than the built-in methods - and for the main reason that it allows testing with my previous company's well-established weak test keys.

John W
  • 66
  • 4
  • Don't know why you got downvoted... I asked for either the .NET way or another way. So yours is a valid answer. I didn't downvote you... – John Jul 29 '15 at 18:43
  • Not sure - but I am a new kid on here, so perhaps I have fallen foul of something or other. My only question asked had my 'thanks' removed from the end - so I need to read up on the rules I think. I am grateful, though, for help, so am not going to complain. I should probably explain that the weak test keys I mentioned were the old Thales/RACAL HSM test keys. – John W Jul 29 '15 at 21:52
  • I gave you the accepted answer cause it's similar to what I did anyway. Like you, I ditched the MS RSA code and went with a 3rd party library (Bouncy Castle). – John Jul 30 '15 at 14:27