Click here to Skip to main content
Click here to Skip to main content

PKCS Standards and .NET Framework

, 18 Mar 2007
Rate this:
Please Sign up or sign in to vote.
The article describes what is standardized in the PKCS (Public Key Cryptographic Standards) standards and their implementation in .NET 1.1 Framework.

Introduction

This article will introduce the reader to the Public Key Cryptography Standards (PKCS). The emphasis will be on what is standardized in the PKCS (Public Key Cryptographic Standards) standards and the implementation in .NET 1.1 Framework. This tutorial assumes that the reader is familiar with basic terms in cryptography such as Public Key cryptography, Secret Key cryptography and Message Digest algorithms.

PKCS Standards

The PKCS standards are specifications that were developed by RSA Security in conjunction with system developers worldwide (such as Microsoft, Apple, Sun etc.) for the purpose of accelerating the deployment of public key cryptography. The goal is to facilitate early adoption of these standards by vendors.

These standards are used everywhere in the e-security realm. Any application developer choosing to implement security into his/her application would stumble upon these standards at some point of time. Applications ranging from web browsers to secure email clients depend on the PKCS standards to interoperate with one another. PKCS is defined for both Binary and ASCII messages in an abstract manner giving complete specifications. The representation format for the encoded messages is a preferred format. (The companion documents are ASN.1 = Abstract Syntax Notation 1, BER = Basic Encoding Rules, DER = Distinguish Encoding Rule).

Standards Description
PKCS # 1 The RSA encryption standard. This standard defines mechanisms for encrypting and signing data using the RSA public key system.
PKCS # 3 The Diffie-Hellman key-agreement standard. This defines the Diffie-Hellman key agreement protocol.
PKCS # 5 The password-based encryption standard (PBE). This describes a method to generate a Secret Key based on a password.
PKCS # 6 The extended-certificate syntax standard. This is currently being phased out in favor of X509 v3.
PKCS # 7 The cryptographic message syntax standard. This defines a generic syntax for messages which have cryptography applied to it.
PKCS # 8 The private-key information syntax standard. This defines a method to store Private Key Information.
PKCS # 9 This defines selected attribute types for use in other PKCS standards.
PKCS # 10 The certification request syntax standard. This describes syntax for certification requests.
PKCS # 11 The cryptographic token interface standard. This defines a technology independent programming interface for cryptographic devices such as smartcards.
PKCS # 12 The personal information exchange syntax standard. This describes a portable format for storage and transportation of user private keys, certificates etc.
PKCS # 13 The elliptic curve cryptography (ECC) standard. This describes mechanisms to encrypt and sign data using elliptic curve cryptography.
PKCS # 14 This covers pseudo random number generation (PRNG). This is currently under active development.
PKCS # 15 The cryptographic token information format standard. This describes a standard for the format of cryptographic credentials stored on cryptographic tokens.

Note: PKCS #2 and #4 do not exist anymore because they have been incorporated into PKCS #1.

What has been standardized?

The two things that are standardized in PKCS are "Message Syntax" and "Specific Algorithms". These two can also be viewed as different levels of abstraction, which would be quite independent of each other.

Public key cryptography is typically used for the following purposes:

  • Digital Signatures: The "signer" signs a "message" such that anyone can "verify" that the message was signed only by the "signer" and thus not modified by anyone else. This can be implemented using a message digest algorithm and a public key algorithm to encrypt the message digest.

    What is standardized? (Digital Signatures)
    Specific message digest algorithms. PKCS# 1
    Specific public key algorithms. PKCS# 1, 3, 13
    Algorithm independent syntax for the digitally signed message. PKCS# 7
    Syntax for private keys. PKCS# 1, 8
    Syntax for encrypted private keys. PKCS# 8
    Method for deriving secret keys from passwords. PKCS# 5

  • Digital Envelopes: The "sender" seals the "message" such that only the "receiver" can open the sealed message. The message is encrypted with a secret key and the secret key is encrypted using the receiver's public key.

    What is standardized? (Digital Envelopes)
    Algorithm independent syntax for the digitally enveloped message. PKCS# 7
    Syntax for private keys. PKCS# 1, 8
    Syntax for encrypted private keys. PKCS# 8
    Method for deriving secret keys from passwords. PKCS# 5

  • Digital Certificates: A "Certification Authority" signs a "special message" which contains the name of a user and the user's public key in such a way that "anyone" can verify that the "special message" was signed only by the "Certification Authority" and as a result trust the user's public key. This "special message" is termed as a certificate request and it is digitally signed using a "signature algorithm".

    What is standardized? (Digital Certificates)
    Algorithm independent syntax for certification requests. PKCS# 10
    Syntax for public keys. PKCS# 1
    Specific signature algorithms. PKCS# 1

  • Key Agreement: Two "communicating parties" agree upon a secret key by exchanging messages without any prior agreements. Typically this consists of a two-phase key agreement algorithm. One party initiates the key agreement and this triggers the "first phase" of the key agreement after which both parties exchange the results of the first phase. After this, both parties initiate the "second phase" of the key agreement and as a result both parties arrive at the same secret key.

    What is standardized? (Key Agreement)
    Algorithm independent syntax for key agreement messages. PKCS# 3
    Specific key agreement algorithms. PKCS# 3

That's enough about PKCS standards. Now, let us move towards some implementations in .NET framework 1.1

PKCS Implementations in .NET Framework (1.1)

At this time, .NET 2.0 final has been released and it has better support for PKCS. In fact a class is added System.Security.Crypotgrpahy.PKCS to accomplish PKCS tasks. But what about the predecessors .NET 1.0/1.1? In .NET framework earlier to 2.0, there are some ways by which we can achieve some/all PKCS standards.

Example of PKCS # 1 in .NET

The .NET framework contains the following classes to achieve PKCS # 1 standard for key exchange and signature verification.

  1. RSAPKCS1KeyExchangeFormatter and RSAPKCS1KeyExchangeDeformatter

    These are just thin wrappers over RSA that do encryption and decryption of session keys. Key exchange allows a sender to create secret information (such as random data that can be used as a key in a symmetric encryption algorithm) and use encryption to send it to the intended recipient.

  2. RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter

    Same as the above, but instead of doing encryption and decryption they sign and verify from private/public key pairs.

  3. DSASignatureFormatter and DSASignatureDeformatter

    Same as the above SignatureFormatter, but for DSA instead of RSA.

  4. Download PKCS#1 is an example of using RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter in .NET 1.1. The code is pretty well commented showing what happens.

Example of PKCS # 5 in .NET

There is no such class/wrapper to achieve this. Instead we have to develop our own application which completely satisfies the PKCS # 5 standard. So please download PKCS#5 - the example at the top of this page which derives key byte material using a PKCS #5 v1.5 algorithm by consecutive hashing of salt data and password data. The utility accepts 4 parameters: a password string, a hex-encoded salt string, a hash iteration count, and the number of passes for the algorithm. It uses MD5 algorithm for hashing (generating 16 bytes per algorithm pass). (Thanks to Michel I. Gallant, Ph.D.)

Example of PKCS # 7 and PKCS # 12 in .NET

Please visit my article at X509Certificate.asp which describes how we can achieve these standards in .NET 1.1.

Conclusion

In this article, we saw why the PKCS standards were developed. We understood why certain aspects had to be standardized to let applications using cryptography inter-operate seamlessly and saw how these standards can be accomplished using some powerful technology such as Microsoft .NET framework 1.1.

All discussion on PKCS standard is the property on RSA incorporation

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Adnan Samuel
Software Developer (Senior)
Pakistan Pakistan
I am software engineer and working from last four years in the information technology field. I love to do intresting tasks. I love to see diffrent places and listening muzik.

Comments and Discussions

 
GeneralManipulate PCKS#7 add signed data to signature detached Pinmemberthecobaia20-Apr-11 10:36 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web04 | 2.8.140821.2 | Last Updated 18 Mar 2007
Article Copyright 2005 by Adnan Samuel
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid