
Encrypt data with X.509 certificates

SecureBlackbox offers a simple way of encrypting data with X.509 certificates based on the PKCS#7 message standard. The standard allows the same content to be encrypted for an arbitrary number of recipients, each represented by a certificate. The content is encrypted with the recipients' public keys (taken from their certificates). Each recipient can decrypt the data using the private key corresponding to any of the public keys used for encryption.

PKCS#7 supports encryption of data of arbitrary length. This is achieved with the use of session keys. In the first stage, the data is encrypted symmetrically with a random session key. In the second stage, the session key is encrypted with each recipient's certificate (public key) and attached to the encrypted data.

Encryption is managed by the TElMessageEncryptor class:

  1. Load the recipient's certificate (or certificates) into a TElMemoryCertStorage object as described here. No private keys are needed.
  2. Create an instance of TElMessageEncryptor: TElMessageEncryptor encryptor = new TElMessageEncryptor();
  3. Assign the certificate storage to the encryptor: encryptor.CertStorage = storage;
  4. Configure the encryption parameters (basically, just the encryption algorithm): encryptor.Algorithm = SBConstants.Unit.SB_ALGORITHM_CNT_AES256;
  5. Pass your data to the Encrypt() method and collect the encrypted output. Take care to use the overload which DOES NOT take the Key parameter: int res = encryptor.Encrypt(plainDataStream, encryptedDataStream);

That's it. If the call succeeds, the encryptedDataStream object will contain the encrypted message. The message is fully compatible with the PKCS#7 standard and carries content of the envelopedData subtype. Check the res value returned by Encrypt() to ensure the encryption was successful: a value of 0 indicates success, and any other value is a SecureBlackbox error code described here.
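The five steps above put together in one routine, as an added example that is not taken from the SecureBlackbox documentation or library. The namespaces, the TElX509Certificate.LoadFromFile call, the storage.Add(certificate, copyPrivateKey) signature and the certificate file names are assumptions; the plaintext is a constructed sample.

```csharp
using System;
using System.IO;
using System.Text;
using SBX509;              // TElX509Certificate (namespace assumed)
using SBCustomCertStorage; // TElMemoryCertStorage (namespace assumed)
using SBMessages;          // TElMessageEncryptor (namespace assumed)

// Encrypts one plaintext for several recipients as a PKCS#7 envelopedData message.
static class Pkcs7EncryptExample
{
    // Returns the SecureBlackbox result code: 0 on success, any other value is an error code.
    public static int EncryptForRecipients(string[] recipientCertFiles, Stream plainData, Stream encryptedData)
    {
        // Step 1: load the recipients' public certificates only; no private keys are needed.
        TElMemoryCertStorage storage = new TElMemoryCertStorage();
        foreach (string certFile in recipientCertFiles)
        {
            TElX509Certificate cert = new TElX509Certificate();
            cert.LoadFromFile(certFile); // assumed: certificate file without a private key
            storage.Add(cert, false);    // assumed signature: (certificate, copyPrivateKey)
        }

        // Steps 2-4: create the encryptor, attach the storage, choose the content algorithm.
        TElMessageEncryptor encryptor = new TElMessageEncryptor();
        encryptor.CertStorage = storage;
        encryptor.Algorithm = SBConstants.Unit.SB_ALGORITHM_CNT_AES256;

        // Step 5: the overload WITHOUT a Key parameter, so a random session key is
        // generated and wrapped separately for every certificate in the storage.
        return encryptor.Encrypt(plainData, encryptedData);
    }

    static void Main()
    {
        byte[] sample = Encoding.UTF8.GetBytes("constructed sample plaintext");
        string[] recipients = { "alice.cer", "bob.cer" }; // placeholder file names
        using (MemoryStream plain = new MemoryStream(sample))
        using (FileStream output = File.Create("message.p7m"))
        {
            int res = EncryptForRecipients(recipients, plain, output);
            if (res != 0)
                throw new InvalidOperationException(
                    "Encryption failed, SecureBlackbox error code 0x" + res.ToString("X"));
        }
    }
}
```

Every certificate in the storage becomes a recipient, so the storage should hold only the certificates you actually intend to encrypt for. An envelopedData message provides confidentiality only; if the recipient must be able to verify who produced it, the content has to be signed as well.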

More on how to decrypt the data encrypted in the above way.

How To articles about PKCS7 signing and encryption
