## Mixing asymmetric and symmetric encryption with HMAC hash verification .NET

November 15, 2016 2 Comments

**Introduction**

In this post we looked at how to combine symmetric and asymmetric encryption in the same project to increase messaging security. Symmetric encrypt is quick but has the problem of distributing the public key. Asymmetric encryption solves the public key distribution issue but is in turn a lot slower. We can combine the two techniques where a one-time symmetric public key, also called a session key, is encrypted with the asymmetric public key so that it can be decrypted by the receiver who has access to the asymmetric private key.

The solution is OK so far, it is very difficult to find the right keys involved. Still we can do better and add some message verification. We want to be sure that the message hasn’t been tampered with on its way to us. The sender can hash the encrypted message and send it along with the other necessary properties to the receiver. The receiver can compute the hash on their side and verify whether the two are equal. We looked at a couple of hashing techniques in this post but those do not involve any cryptographic key. That means that an attacker can change the message, recalculate the hash and attach it to the message. The password-salted hash algorithm HMAC sounds like a better option. We looked at HMACs in .NET in this post and we’ll reuse what we learnt there.

The goal of this post is to build upon the mixed encryption demo solution we built previously and add HMAC hashing to the picture.