RSACryptoServiceProvider Class
.NET Framework Class Library
RSACryptoServiceProvider Class

Performs asymmetric encryption and decryption using the implementation of the RSA algorithm provided by the cryptographic service provider (CSP). This class cannot be inherited.

Namespace:  System.Security.Cryptography
Assembly:  mscorlib (in mscorlib.dll)
 Syntax
Visual Basic 
<ComVisibleAttribute(True)> _
Public NotInheritable Class RSACryptoServiceProvider _
    Inherits RSA _
    Implements ICspAsymmetricAlgorithm
C# 
[ComVisibleAttribute(true)]
public sealed class RSACryptoServiceProvider : RSA, 
    ICspAsymmetricAlgorithm
Visual C++ 
[ComVisibleAttribute(true)]
public ref class RSACryptoServiceProvider sealed : public RSA, 
    ICspAsymmetricAlgorithm
F# 
[<SealedAttribute>]
[<ComVisibleAttribute(true)>]
type RSACryptoServiceProvider =  
    class
        inherit RSA
        interface ICspAsymmetricAlgorithm
    end
 Remarks

This is the default implementation of RSA.

The RSACryptoServiceProvider supports key lengths from 384 bits to 16384 bits in increments of 8 bits if you have the Microsoft Enhanced Cryptographic Provider installed. It supports key lengths from 384 bits to 512 bits in increments of 8 bits if you have the Microsoft Base Cryptographic Provider installed.

Interoperation with the Microsoft Cryptographic API (CAPI)

Unlike the RSA implementation in unmanaged CAPI, the RSACryptoServiceProvider class reverses the order of an encrypted array of bytes after encryption and before decryption. By default, data encrypted by the RSACryptoServiceProvider class cannot be decrypted by the CAPI CryptDecrypt function and data encrypted by the CAPI CryptEncrypt method cannot be decrypted by the RSACryptoServiceProvider class.

If you do not compensate for the reverse ordering when interoperating between APIs, the RSACryptoServiceProvider class throws a CryptographicException.

To interoperate with CAPI, you must manually reverse the order of encrypted bytes before the encrypted data interoperates with another API. You can easily reverse the order of a managed byte array by calling the Array..::.Reverse method.

TopicLocation
How to: Decrypt XML Elements with Asymmetric Keys.NET Framework: Security
How to: Decrypt XML Elements with Asymmetric Keys.NET Framework: Security
How to: Encrypt XML Elements with Asymmetric Keys.NET Framework: Security
How to: Encrypt XML Elements with Asymmetric Keys.NET Framework: Security
How to: Sign XML Documents with Digital Signatures.NET Framework: Security
How to: Sign XML Documents with Digital Signatures.NET Framework: Security
How to: Store Asymmetric Keys in a Key Container.NET Framework: Security
How to: Store Asymmetric Keys in a Key Container.NET Framework: Security
How to: Verify the Digital Signatures of XML Documents.NET Framework: Security
How to: Verify the Digital Signatures of XML Documents.NET Framework: Security
 Examples

The following code example uses the RSACryptoServiceProvider class to encrypt a string into an array of bytes and then decrypt the bytes back into a string.

Visual Basic 
Imports System
Imports System.Security.Cryptography
Imports System.Text

 _

Class RSACSPSample


    Shared Sub Main()
        Try
            'Create a UnicodeEncoder to convert between byte array and string.
            Dim ByteConverter As New UnicodeEncoding()

            'Create byte arrays to hold original, encrypted, and decrypted data.
            Dim dataToEncrypt As Byte() = ByteConverter.GetBytes("Data to Encrypt")
            Dim encryptedData() As Byte
            Dim decryptedData() As Byte

            'Create a new instance of RSACryptoServiceProvider to generate
            'public and private key data.
            Using RSA As New RSACryptoServiceProvider

                'Pass the data to ENCRYPT, the public key information 
                '(using RSACryptoServiceProvider.ExportParameters(false),
                'and a boolean flag specifying no OAEP padding.
                encryptedData = RSAEncrypt(dataToEncrypt, RSA.ExportParameters(False), False)

                'Pass the data to DECRYPT, the private key information 
                '(using RSACryptoServiceProvider.ExportParameters(true),
                'and a boolean flag specifying no OAEP padding.
                decryptedData = RSADecrypt(encryptedData, RSA.ExportParameters(True), False)

                'Display the decrypted plaintext to the console. 
                Console.WriteLine("Decrypted plaintext: {0}", ByteConverter.GetString(decryptedData))
            End Using
        Catch e As ArgumentNullException
            'Catch this exception in case the encryption did
            'not succeed.
            Console.WriteLine("Encryption failed.")
        End Try
    End Sub


    Public Shared Function RSAEncrypt(ByVal DataToEncrypt() As Byte, ByVal RSAKeyInfo As RSAParameters, ByVal DoOAEPPadding As Boolean) As Byte()
        Try
            Dim encryptedData() As Byte
            'Create a new instance of RSACryptoServiceProvider.
            Using RSA As New RSACryptoServiceProvider

                'Import the RSA Key information. This only needs
                'toinclude the public key information.
                RSA.ImportParameters(RSAKeyInfo)

                'Encrypt the passed byte array and specify OAEP padding.  
                'OAEP padding is only available on Microsoft Windows XP or
                'later.  
                encryptedData = RSA.Encrypt(DataToEncrypt, DoOAEPPadding)
            End Using
            Return encryptedData
            'Catch and display a CryptographicException  
            'to the console.
        Catch e As CryptographicException
            Console.WriteLine(e.Message)

            Return Nothing
        End Try
    End Function


    Public Shared Function RSADecrypt(ByVal DataToDecrypt() As Byte, ByVal RSAKeyInfo As RSAParameters, ByVal DoOAEPPadding As Boolean) As Byte()
        Try
            Dim decryptedData() As Byte
            'Create a new instance of RSACryptoServiceProvider.
            Using RSA As New RSACryptoServiceProvider
                'Import the RSA Key information. This needs
                'to include the private key information.
                RSA.ImportParameters(RSAKeyInfo)

                'Decrypt the passed byte array and specify OAEP padding.  
                'OAEP padding is only available on Microsoft Windows XP or
                'later.  
                decryptedData = RSA.Decrypt(DataToDecrypt, DoOAEPPadding)
                'Catch and display a CryptographicException  
                'to the console.
            End Using
            Return decryptedData
        Catch e As CryptographicException
            Console.WriteLine(e.ToString())

            Return Nothing
        End Try
    End Function
End Class
C# 
using System;
using System.Security.Cryptography;
using System.Text;

class RSACSPSample
{

    static void Main()
    {
        try
        {
            //Create a UnicodeEncoder to convert between byte array and string.
            UnicodeEncoding ByteConverter = new UnicodeEncoding();

            //Create byte arrays to hold original, encrypted, and decrypted data.
            byte[] dataToEncrypt = ByteConverter.GetBytes("Data to Encrypt");
            byte[] encryptedData;
            byte[] decryptedData;

            //Create a new instance of RSACryptoServiceProvider to generate
            //public and private key data.
            using (RSACryptoServiceProvider RSA = new RSACryptoServiceProvider())
            {

                //Pass the data to ENCRYPT, the public key information 
                //(using RSACryptoServiceProvider.ExportParameters(false),
                //and a boolean flag specifying no OAEP padding.
                encryptedData = RSAEncrypt(dataToEncrypt, RSA.ExportParameters(false), false);

                //Pass the data to DECRYPT, the private key information 
                //(using RSACryptoServiceProvider.ExportParameters(true),
                //and a boolean flag specifying no OAEP padding.
                decryptedData = RSADecrypt(encryptedData, RSA.ExportParameters(true), false);

                //Display the decrypted plaintext to the console. 
                Console.WriteLine("Decrypted plaintext: {0}", ByteConverter.GetString(decryptedData));
            }
        }
        catch (ArgumentNullException)
        {
            //Catch this exception in case the encryption did
            //not succeed.
            Console.WriteLine("Encryption failed.");

        }
    }

    static public byte[] RSAEncrypt(byte[] DataToEncrypt, RSAParameters RSAKeyInfo, bool DoOAEPPadding)
    {
        try
        {
            byte[] encryptedData;
            //Create a new instance of RSACryptoServiceProvider.
            using (RSACryptoServiceProvider RSA = new RSACryptoServiceProvider())
            {

                //Import the RSA Key information. This only needs
                //toinclude the public key information.
                RSA.ImportParameters(RSAKeyInfo);

                //Encrypt the passed byte array and specify OAEP padding.  
                //OAEP padding is only available on Microsoft Windows XP or
                //later.  
                encryptedData = RSA.Encrypt(DataToEncrypt, DoOAEPPadding);
            }
            return encryptedData;
        }
        //Catch and display a CryptographicException  
        //to the console.
        catch (CryptographicException e)
        {
            Console.WriteLine(e.Message);

            return null;
        }

    }

    static public byte[] RSADecrypt(byte[] DataToDecrypt, RSAParameters RSAKeyInfo, bool DoOAEPPadding)
    {
        try
        {
            byte[] decryptedData;
            //Create a new instance of RSACryptoServiceProvider.
            using (RSACryptoServiceProvider RSA = new RSACryptoServiceProvider())
            {
                //Import the RSA Key information. This needs
                //to include the private key information.
                RSA.ImportParameters(RSAKeyInfo);

                //Decrypt the passed byte array and specify OAEP padding.  
                //OAEP padding is only available on Microsoft Windows XP or
                //later.  
                decryptedData = RSA.Decrypt(DataToDecrypt, DoOAEPPadding);
            }
            return decryptedData;
        }
        //Catch and display a CryptographicException  
        //to the console.
        catch (CryptographicException e)
        {
            Console.WriteLine(e.ToString());

            return null;
        }

    }
}
Visual C++ 
using namespace System;
using namespace System::Security::Cryptography;
using namespace System::Text;
array<Byte>^ RSAEncrypt( array<Byte>^DataToEncrypt, RSAParameters RSAKeyInfo, bool DoOAEPPadding )
{
   try
   {

      //Create a new instance of RSACryptoServiceProvider.
      RSACryptoServiceProvider^ RSA = gcnew RSACryptoServiceProvider;

      //Import the RSA Key information. This only needs
      //toinclude the public key information.
      RSA->ImportParameters( RSAKeyInfo );

      //Encrypt the passed byte array and specify OAEP padding.  
      //OAEP padding is only available on Microsoft Windows XP or
      //later.  

      array<Byte>^encryptedData = RSA->Encrypt( DataToEncrypt, DoOAEPPadding );
      delete RSA;
      return encryptedData;
   }
   //Catch and display a CryptographicException  
   //to the console.
   catch ( CryptographicException^ e ) 
   {
      Console::WriteLine( e->Message );
      return nullptr;
   }

}

array<Byte>^ RSADecrypt( array<Byte>^DataToDecrypt, RSAParameters RSAKeyInfo, bool DoOAEPPadding )
{
   try
   {

      //Create a new instance of RSACryptoServiceProvider.
      RSACryptoServiceProvider^ RSA = gcnew RSACryptoServiceProvider;

      //Import the RSA Key information. This needs
      //to include the private key information.
      RSA->ImportParameters( RSAKeyInfo );

      //Decrypt the passed byte array and specify OAEP padding.  
      //OAEP padding is only available on Microsoft Windows XP or
      //later.  
      
      array<Byte>^decryptedData = RSA->Decrypt( DataToDecrypt, DoOAEPPadding );
      delete RSA;
      return decryptedData;
   }
   //Catch and display a CryptographicException  
   //to the console.
   catch ( CryptographicException^ e ) 
   {
      Console::WriteLine( e );
      return nullptr;
   }

}

int main()
{
   try
   {

      //Create a UnicodeEncoder to convert between byte array and string.
      UnicodeEncoding^ ByteConverter = gcnew UnicodeEncoding;

      //Create byte arrays to hold original, encrypted, and decrypted data.
      array<Byte>^dataToEncrypt = ByteConverter->GetBytes( "Data to Encrypt" );
      array<Byte>^encryptedData;
      array<Byte>^decryptedData;

      //Create a new instance of RSACryptoServiceProvider to generate
      //public and private key data.
      RSACryptoServiceProvider^ RSA = gcnew RSACryptoServiceProvider;

      //Pass the data to ENCRYPT, the public key information 
      //(using RSACryptoServiceProvider.ExportParameters(false),
      //and a boolean flag specifying no OAEP padding.
      encryptedData = RSAEncrypt( dataToEncrypt, RSA->ExportParameters( false ), false );

      //Pass the data to DECRYPT, the private key information 
      //(using RSACryptoServiceProvider.ExportParameters(true),
      //and a boolean flag specifying no OAEP padding.
      decryptedData = RSADecrypt( encryptedData, RSA->ExportParameters( true ), false );

      //Display the decrypted plaintext to the console. 
      Console::WriteLine( "Decrypted plaintext: {0}", ByteConverter->GetString( decryptedData ) );
      delete RSA;
   }
   catch ( ArgumentNullException^ ) 
   {

      //Catch this exception in case the encryption did
      //not succeed.
      Console::WriteLine( "Encryption failed." );
   }

}

The following code example exports the key information created using the RSACryptoServiceProvider into an RSAParameters object.

Visual Basic 
        Try

            'Create a new RSACryptoServiceProvider object. 
            Dim RSA As New RSACryptoServiceProvider()

            'Export the key information to an RSAParameters object.
            'Pass false to export the public key information or pass
            'true to export public and private key information.
            Dim RSAParams As RSAParameters = RSA.ExportParameters(False)


        Catch e As CryptographicException
            'Catch this exception in case the encryption did
            'not succeed.
            Console.WriteLine(e.Message)
        End Try
C# 
        try
        {
            //Create a new RSACryptoServiceProvider object.
            RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();


            //Export the key information to an RSAParameters object.
            //Pass false to export the public key information or pass
            //true to export public and private key information.
            RSAParameters RSAParams = RSA.ExportParameters(false);


        }
        catch(CryptographicException e)
        {
            //Catch this exception in case the encryption did
            //not succeed.
            Console.WriteLine(e.Message);

        }
Visual C++ 
try
{
   //Create a new RSACryptoServiceProvider Object*.
   RSACryptoServiceProvider^ RSA = gcnew RSACryptoServiceProvider;

   //Export the key information to an RSAParameters object.
   //Pass false to export the public key information or pass
   //true to export public and private key information.
   RSAParameters RSAParams = RSA->ExportParameters( false );
}
catch ( CryptographicException^ e ) 
{
   //Catch this exception in case the encryption did
   //not succeed.
   Console::WriteLine( e->Message );
}
 Inheritance Hierarchy
System..::.Object
  System.Security.Cryptography..::.AsymmetricAlgorithm
    System.Security.Cryptography..::.RSA
      System.Security.Cryptography..::.RSACryptoServiceProvider
 Thread Safety
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
 Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role not supported), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
 Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0, 1.1, 1.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1
 See Also

Reference

RSACryptoServiceProvider Members
System.Security.Cryptography Namespace

Other Resources

Cryptographic Services
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Newbie Help      James Birch   |   Edit   |   Show History
A few helpful hints (based on 3.5 sp1):
This object is a wrapper for an unmanaged API so ensure you use .Clear() in a try... finally block or a Using block (VB.NET) to dispose of your object.
Creating a new instance of this class will ALWAYS create a new private key (keypair). You can then overwrite it if needed by importing your own key using ImportCSPBlob, ImportParameters or FromXMLString.
If you want to persist your private key in a container, then you must initialise your object using CSPParameters and specify the KeyContainerName. This will set the persist flag on the object on initialisation. If you do not specify any parameters when initialising the object then the key will not persist.
It is important to note that the same KeyContainerName can hold 2 keys - one for each cspParams.KeyNumber (Encryption and Signature). ImportCSPBlob may change the cspParams.KeyNumber. If the BLOB was generated by the strong name tool then you must set cspParams.KeyNumber = KeyNumber.Signature (default is Keynumber.Encryption) in order to read the correct key from the container later.
The default container location is in a user profile. You can set this to machine in the CSPParameters object. The user version does not work well with websites as user profiles are not loaded by default. You need to use the machine version or change some IIS settings (there's a post about this out there somewhere).
Use cspParams.Flags += CspProviderFlags.UseNonExportableKey to protect your key from export, if necessary.
Public keys CANNOT be stored in containers. This is not stated anywhere in the documentation. Use ToXMLString instead or figure something else out (strong name tool has a nice ability to write out a byte array in csv format - good for hardcording the public key into source code, although I imagine this is not recommended practice).
From what I can gather, RSACryptoServiceProvider is not really designed to be used with the strong name tool. The private key (keypair) can be imported as is using ImportCSPBlob (set KeyNumber.Signature as above). The public key needs to have the first 12 bytes (an extra header) stripped before doing this.

'Example: Load up public key from strong name tool csv file (hardcoded in app)
Dim key As Byte() = {0, 36, ...}
or
'Example: Load up public key from strong name tool public key file
Dim key As Byte() = File.ReadAllBytes(Me.txtPublicKeyPath.Text)
or
'Example: Load up public key from strongly named assembly
Dim key As Byte() = Assembly.GetExecutingAssembly.GetName().GetPublicKey()
' Strip first 12 bytes (from all the above as all came from strong name tool)
Dim tmpKey As Byte() = New Byte(key.Length - 13) {}
Array.Copy(key, 12, tmpKey, 0, tmpKey.Length)
'Create a new RSA signing key and import key.
Dim cspParams As CspParameters = New CspParameters()
'Use MachineKeyStore to get around some permissions problems with the user store with websites (or tweak iis setting to load user profile).
cspParams.Flags = CspProviderFlags.UseMachineKeyStore
'KeyNumber not really needed to look at public key, but is needed to persist private key from strong name tool.
cspParams.KeyNumber = KeyNumber.Signature
'Note: we don't want to persist this key, so we are not specifying KeyContainerName here.
'If you want to persist a key in a container, specify KeyContainerName.
Using rsaKey As New RSACryptoServiceProvider(cspParams)
rsaKey.ImportCspBlob(tmpKey)
' Verify the signature of the signed XML.
Dim result As Boolean = VerifyXml(xmlLicence, rsaKey)
If result = False Then
...
End If
End Using

CSPBLOB Encoding differences
http://www.vsj.co.uk/dotnet/display.asp?id=590
http://www.jensign.com/JavaScience/dotnet/JKeyNet/
Tags What's this?: Add a tag
Flag as ContentBug

Page view tracker