Encypting on one server and decrypting on another using .NET

304 views Asked by At

I'm developing 2 applications that need to exist on two separate servers. One will encrypt data and store the encrypted data in a SQL Server instance (SQL 2012 Standard, so no TDE support). Another application will pull the encrypted data down and decrypt it to present in some report.

Should I be looking at secret key AESManaged for this using shared private/public key access?

1

There are 1 answers

3
Andy On BEST ANSWER

AES is a symmetric key cipher and thus does not use private/public key pairs. With AES, all actors must have access to the same key to encrypt and decrypt data. If you are comfortable with both systems having access to the same key, then you do not need to introduce asymmetric (public/private) encryption to this solution.

If you do not want both systems to have persistent access to a static shared key (which you probably do not), you can use a hybrid cryptosystem -- generate a random AES "session" key for each message/record which is to be encrypted on the source system, encrypt the data with the symmetric key (use an AEAD mode or add an authentication tag over the cipher text via HMAC), then encrypt the session key via the recipient's public key. You can now transmit the encrypted session key and encrypted data together, the recipient will decrypt the session key using its private key, and then decrypt the data. Compromise of any single message will not compromise any other record (well, as long as it's not the recipient private key that is compromised).

In .NET that means AesManaged or AesCryptoServiceProvider (see here for more information) and RsaCryptoServiceProvider or RsaCNG (see here).