Overview of asymmetric encryption in .NET


Asymmetric encryption is based on a pair of cryptographic keys. One of the keys is public, i.e. anyone can have access to it. The other key is private which should be kept secret. The keys are complementary which means that they go hand in hand, they are not independent of each other. If a value is calculated as the public key then the private key cannot be calculated independently otherwise the encryption process will fail. Normally the public key is used to encrypt a message and the private key is there for the decryption process but they can be used in the opposite direction as well. Asymmetric algorithms are also called Public Key Cryptography.

The most important advantage of asymmetric over symmetric encryption is that we don’t need to worry about distributing the public key. The key used in symmetric encryption must be known to all parties taking part in the encryption/decryption process which increases the chances of the key landing in the wrong hands. With asymmetric encryption we only need to worry about storing the private key, the public key can be freely distributed. For a hacker it is not practical to attempt to calculate the private key based on the public key, that is close to impossible to achieve.

However, asymmetric encryption is a very complex mathematical process which is a lot slower than symmetric encryption. Also, storing the private key can still be problematic.


The most widely used asymmetric encryption algorithm is called RSA which stands for the last names of its inventors: Rivest, Shamir and Adleman. Its most frequent key sizes are 1024, 2048 and 4096 bits though both lower and higher key sizes are available as we’ll see later in the demo. The algorithm is implemented by the RSACryptoServiceProvider object in .NET. It can not only perform the encryption and decryption process but helps us create the public-private key-pair. The default key size is 1024 bits but it’s recommended to take a higher value, either 2048 or 4096 bits.

Objects for code demo

Let’s start with the objects we’ll use in the demo. The various return types of the asymmetric encryption service will will derive from from an abstract base class to hold the outcome and any exception message:

public abstract class OperationResult
	public bool Success { get; set; }
	public string ExceptionMessage { get; set; }

The first task of the asymmetric service is to generate a key pair. The keys can be exported with or without the private key as XML. The following object will hold both:

public class AsymmetricKeyPairGenerationResult : OperationResult
	public string PublicKeyXml { get; set; }
	public string PublicPrivateKeyPairXml { get; set; }

Here’s the key generation function of AsymmetricEncryptionService:

public class AsymmetricEncryptionService
		public AsymmetricKeyPairGenerationResult GenerateKeysAsXml(int keySizeBits)
			AsymmetricKeyPairGenerationResult asymmetricKeyPairGenerationResult = new AsymmetricKeyPairGenerationResult();
			RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(keySizeBits);
				asymmetricKeyPairGenerationResult.PublicKeyXml = rsaProvider.ToXmlString(false);
				asymmetricKeyPairGenerationResult.PublicPrivateKeyPairXml = rsaProvider.ToXmlString(true);
				asymmetricKeyPairGenerationResult.Success = true;
			catch (CryptographicException cex)
				string NL = Environment.NewLine;
				StringBuilder validKeySizeBuilder = new StringBuilder();
				KeySizes[] validKeySizes = rsaProvider.LegalKeySizes;
				foreach (KeySizes keySizes in validKeySizes)
					validKeySizeBuilder.Append("Min: ")
						.Append("Max: ").Append(keySizes.MaxSize).Append(NL)
						.Append("Step: ").Append(keySizes.SkipSize);
				asymmetricKeyPairGenerationResult.ExceptionMessage =
					$"Cryptographic exception when generating a key-pair of size {keySizeBits}. Exception: {cex.Message}{NL}Make sure you provide a valid key size. Here are the valid key size boundaries:{NL}{validKeySizeBuilder.ToString()}";
			catch (Exception otherEx)
				asymmetricKeyPairGenerationResult.ExceptionMessage =
					$"Other exception caught while generating the key pair: {otherEx.Message}";
			return asymmetricKeyPairGenerationResult;

We instantiate the RSACryptoServiceProvider class with the given key size. The ToXmlString function accepts a boolean where false means we only want to export the public key. If a cryptographic exception is thrown then we provide the valid key sizes along with the exception message.

The encryption and decryption results are also stored in separate objects:

public class AsymmetricEncryptionResult : OperationResult
	public byte[] EncryptedAsBytes { get; set; }
	public string EncryptedAsBase64 { get; set; }


public class AsymmetricDecryptionResult : OperationResult
	public string DecryptedMessage { get; set; }

Here’s the function of AsymmetricEncryptionService that performs the encryption using the public key:

public AsymmetricEncryptionResult EncryptWithPublicKeyXml(string message, string publicKeyAsXml)
	AsymmetricEncryptionResult asymmetricEncryptionResult = new AsymmetricEncryptionResult();
		RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider();
		byte[] encryptedAsBytes = rsaProvider.Encrypt(Encoding.UTF8.GetBytes(message), true);
		string encryptedAsBase64 = Convert.ToBase64String(encryptedAsBytes);
		asymmetricEncryptionResult.EncryptedAsBase64 = encryptedAsBase64;
		asymmetricEncryptionResult.EncryptedAsBytes = encryptedAsBytes;
		asymmetricEncryptionResult.Success = true;
	catch (Exception ex)
		asymmetricEncryptionResult.ExceptionMessage =
			$"Exception caught while encrypting the message: {ex.Message}";
	return asymmetricEncryptionResult;

We initialise a RSACryptoServiceProvider object and let the public key XML populate its properties using the FromXmlString method. The extra boolean in the Encrypt function means that we want to use OAEP padding for extra randomness in the encryption process.

The decryption function is almost identical:

public AsymmetricDecryptionResult DecryptWithFullKeyXml(byte[] cipherBytes, string fullKeyPairXml)
	AsymmetricDecryptionResult asymmetricDecryptionResult = new AsymmetricDecryptionResult();
		RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider();
		byte[] decryptBytes = rsaProvider.Decrypt(cipherBytes, true);
		asymmetricDecryptionResult.DecryptedMessage = Encoding.UTF8.GetString(decryptBytes);
		asymmetricDecryptionResult.Success = true;
	catch (Exception ex)
		asymmetricDecryptionResult.ExceptionMessage =
			$"Exception caught while decrypting the cipher: {ex.Message}";
	return asymmetricDecryptionResult;

It’s important that we send in the full key otherwise we’ll get an exception.

Demo code

Here’s a function that uses all of the objects above:

private void TestAsymmetricEncryptDecrypt()
	string NL = Environment.NewLine;
	AsymmetricEncryptionService asymmetricEncryptionService = new AsymmetricEncryptionService();
	int keySizeBits = 2048;
	AsymmetricKeyPairGenerationResult keyPairGenerationResult = asymmetricEncryptionService.GenerateKeysAsXml(keySizeBits);
	if (keyPairGenerationResult.Success)
		XDocument publicKeyXdoc = XDocument.Parse(keyPairGenerationResult.PublicKeyXml);
		XDocument fullKeyXdoc = XDocument.Parse(keyPairGenerationResult.PublicPrivateKeyPairXml);
		Console.WriteLine($"Asymmetric key-pair generation success.{NL}Public key:{NL}{NL}{publicKeyXdoc.ToString()}{NL}{NL}Full key:{NL}{NL}{fullKeyXdoc.ToString()}{NL}{NL}");
		string originalMessage = "This is an extremely secret message.";
		AsymmetricEncryptionResult asymmetricEncryptionResult = asymmetricEncryptionService.EncryptWithPublicKeyXml(originalMessage, keyPairGenerationResult.PublicKeyXml);
		if (asymmetricEncryptionResult.Success)
			Console.WriteLine("Encryption success.");
			Console.WriteLine($"Cipher text: {NL}{asymmetricEncryptionResult.EncryptedAsBase64}{NL}");
			AsymmetricDecryptionResult asymmetricDecryptionResult = 
				(asymmetricEncryptionResult.EncryptedAsBytes, keyPairGenerationResult.PublicPrivateKeyPairXml);
			if (asymmetricDecryptionResult.Success)
				Console.WriteLine("Decryption success.");
				Console.WriteLine($"Deciphered text: {NL}{asymmetricDecryptionResult.DecryptedMessage}");
				Console.WriteLine($"Decryption failed.{NL}{asymmetricDecryptionResult.ExceptionMessage}");
			Console.WriteLine($"Encryption failed.{NL}{asymmetricEncryptionResult.ExceptionMessage}");
		Console.WriteLine($"Asymmetric key-pair generation failed.{NL}{keyPairGenerationResult.ExceptionMessage}");

I used XDocument to parse the public and full keys for better formatting only.

If we provide an invalid key size, like 10 for the keySizeBits field then we’ll get the following output:

Asymmetric key-pair generation failed.
Cryptographic exception when generating a key-pair of size 10. Exception: Invalid flags specified.

Make sure you provide a valid key size. Here are the valid key size boundaries:
Min: 384
Max: 16384
Step: 8

There we have the min and max key sizes with the step size. This means that the minimum key size is 384, the next valid key size is 384 + 8 = 394 and so on.

If the key size is valid, like 2048 bits then we’ll get some RSA keys similar to the following. Here’s a possible public key:

<RSAKeyValue>     <Modulus>ovoY6npFhZiEXLZBmVbW05Cj5DWlFAW379xvouly87pv8C6zM0w/JInnvacb9U9ZlW4/mR2NEJD0PS6ZKqMiwJAduC48eFr6eecXZedFtwSC6xKxmFQami6E0wbGq7awA9wJUGfg0/4hglXv3H8f8bmeLUQ3lz+cAVXzs8AmQOpTY8xfZ51eL/J1imCOIs3R2Ml6BqLpBQ7sGzN+HdBUwSdqyjOPCYrM77Ynua0ziVHjb1B17OVKuYJd0uKdeI4wdxYPJg11G3kuRMLtuxywA80Rc2J3DM2nqzCgheoz+xWL5bCBLZHy5urfqRckO4DM8p1J+9Ib9Ytlw3jRAtaPrw==</Modulus>

…and here’s a full key:


As you can see an RSA key is not a single string or byte array but consists of many components. I won’t even pretend that I understand how these various components like D, P etc. work and developers normally don’t need to be concerned with them. The important point here is that two components are necessary for the public key: Modulus and Exponent. The others are used for building the private key.

Here’s the demo output:
Asymmetric key-pair generation success.
Public key:

–ignored, see above

Full key:

–ignored, see above

Encryption success.
Cipher text:

Decryption success.
Deciphered text:
This is an extremely secret message.

The above example showed one way to store the keys. The XML keys can be saved in a file or a database.

Another option is to store the key-pair in a key store on the computer. We’ll see how it works in an upcoming post.

You can view the list of posts on Security and Cryptography here.


About Andras Nemes
I'm a .NET/Java developer living and working in Stockholm, Sweden.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


A great WordPress.com site

iReadable { }

.NET Tips & Tricks

Robin Sedlaczek's Blog

Developer on Microsoft Technologies

HarsH ReaLiTy

A Good Blog is Hard to Find

Softwarearchitektur in der Praxis

Wissenswertes zu Webentwicklung, Domain-Driven Design und Microservices

the software architecture

thoughts, ideas, diagrams,enterprise code, design pattern , solution designs

Technology Talks

on Microsoft technologies, Web, Android and others

Software Engineering

Web development

Disparate Opinions

Various tidbits

chsakell's Blog

Anything around ASP.NET MVC,WEB API, WCF, Entity Framework & AngularJS

Cyber Matters

Bite-size insight on Cyber Security for the not too technical.

Guru N Guns's

OneSolution To dOTnET.

Johnny Zraiby

Measuring programming progress by lines of code is like measuring aircraft building progress by weight.

%d bloggers like this: