Skip to main content
CryptographicEngine.DecryptAndAuthenticate | decryptAndAuthenticate method

Applies to Windows and Windows Phone

Decrypts and authenticates data. For more information and a complete code sample, see EncryptedAndAuthenticatedData.


var iBuffer = Windows.Security.Cryptography.Core.CryptographicEngine.decryptAndAuthenticate(key, data, nonce, authenticationTag, authenticatedData);

public static IBuffer DecryptAndAuthenticate(
  CryptographicKey key, 
  IBuffer data, 
  IBuffer nonce, 
  IBuffer authenticationTag, 
  IBuffer authenticatedData

Public Shared Function DecryptAndAuthenticate(
  key As CryptographicKey,  
  data As IBuffer,  
  nonce As IBuffer,  
  authenticationTag As IBuffer,  
  authenticatedData As IBuffer 
) As IBuffer

static IBuffer^ DecryptAndAuthenticate(
  CryptographicKey^ key, 
  IBuffer^ data, 
  IBuffer^ nonce, 
  IBuffer^ authenticationTag, 
  IBuffer^ authenticatedData



Type: CryptographicKey

Symmetric key to use.


Type: IBuffer

Data to be decrypted and authenticated.


Type: IBuffer

Nonce to be used. This must be the same nonce used by the EncryptAndAuthenticate method.


Type: IBuffer

Authentication tag.


Type: IBuffer

Authenticated data. This can be Null.

Return value

Type: IBuffer

A buffer that contains the decrypted data.

If the method fails, authentication fails; if the method succeeds, the authentication succeeded as well.


Authenticated encryption encrypts and authenticates content in one operation. An authenticator, also called a tag, is used during encryption and the output of the process contains a tag-ciphertext pair. For more information, see the AuthenticationTag and EncryptedData properties. The decryption process verifies the ciphertext against the tag.

You can use an authenticated encryption algorithm after calling the OpenAlgorithm method on the SymmetricKeyAlgorithmProvider class and specifying the name of the algorithm to open. The following algorithm names are supported for authenticated encryption and decryption:

For a complete sample that contains the following code example, see the EncryptedAndAuthenticatedData class.


public void AuthenticatedDecryption(
    String strAlgName,
    CryptographicKey key,
    EncryptedAndAuthenticatedData objEncrypted,
    BinaryStringEncoding encoding,
    IBuffer buffNonce)
    // Declare a buffer to contain the decrypted data.
    IBuffer buffDecrypted;

    // Open a SymmetricKeyAlgorithmProvider object for the specified algorithm.
    SymmetricKeyAlgorithmProvider objAlgProv = SymmetricKeyAlgorithmProvider.OpenAlgorithm(strAlgName);

    // The input key must be securely shared between the sender of the encrypted message
    // and the recipient. The nonce must also be shared but does not need to be shared
    // in a secure manner. If the sender encodes the message string to a buffer, the
    // binary encoding method must also be shared with the recipient.
    // The recipient uses the DecryptAndAuthenticate() method as follows to decrypt the 
    // message, authenticate it, and verify that it has not been altered in transit.
    buffDecrypted = CryptographicEngine.DecryptAndAuthenticate(

    // Convert the decrypted buffer to a string (for display). If the sender created the
    // original message buffer from a string, the sender must tell the recipient what 
    // BinaryStringEncoding value was used. Here, BinaryStringEncoding.Utf8 is used to
    // convert the message to a buffer before encryption and to convert the decrypted
    // buffer back to the original plaintext.
    String strDecrypted = CryptographicBuffer.ConvertBinaryToString(encoding, buffDecrypted);



Minimum supported client

Windows 8

Minimum supported server

Windows Server 2012

Minimum supported phone

Windows Phone 8.1 [Windows Runtime apps only]


Windows::Security::Cryptography::Core [C++]



See also