Overview: I'm trying to design an application that will encrypt files to safely send through Snail Mail (LARGE sets of data). I'm planning on using AES/RijndaelManaged encryption from .NET to encrypt the files initially, using a randomly generated key using RNGCryptoServiceProvider. I'm then encrypting this random AES key with an RSA Public key. The receiver of the data is the only one with the RSA Private key to decrypt it.

My question: Is this the proper way to do something like this? If so, is it safe to send this RSA-Encrypted key with the data since it requires the private key to decrypt?

EDIT - According to the Answers, this is indeed the proper way to go.

EDIT - Thanks for the replies. Now what I really want to know:
When having the end user generate their Public/Private key pair, what is the best way to save the Private key? I do not want it to be only accessible from one machine, so I am trying to avoid using the user's key store. But MSDN says it is not safe to save the key to a file, so how else can you accomplish this?

+3  A: 

As to your first part, this is absolutely the way to go about it. It's called a hybrid cryptosystem.

Jesse C. Slicer
Thanks, knowing what it's called will definitely help in my research!
Shawn Steward
+1  A: 

This is essentially what SSL does. RSA is used for authentication and key exchange of a symmetric session key (e.g., AES), which is then used for the body of the communication.

Jason
+3  A: 

Use PGP unless there's a good reason not to. PGP is an open and ubiquitous standard for hybrid crypto commonly used in email. There are many implementations of PGP. The only .NET one I know is the BouncyCastle crypto project's C# library. PGP actually provides a superset of the functionality you describe; for instance, PGP can also digitally sign messages.

Regarding private key storage. The typical solution is to symmetrically encipher the private key before writing it to disk. Only the true owner of the private key knows the cipher secret, and they don't tell anyone. That way, even if an attacker gets the private key file, they still have to compromise the secret or brute force the symmetric cipher. All the PGP implementations I know of do this.

Please don't reimplement PGP if it does what you want. PGP is pretty widely supported. Furthermore, mere mortals like myself (and presumably yourself) hardly stand a chance of getting everything right.

Dan LaRocque
+1 for recommending PGP instead of starting over.
Jerry Coffin
Thanks, I will see if I am able to use PGP for this. I typically run into a roadblock when I want to use a pre-existing tool here, they like to do everything in house. :(
Shawn Steward
Cryptography should *never* be done in-house, unless your house is chock-full of world-class cryptographers and mathematicians.
BlueRaja - Danny Pflughoeft
A: 

The traditional way to save a private key (used in GPG/PGP/PKCS#1/PKCS#8) is to password-protect it with a strong passphrase and stick it in a file. Most keystore-management tools have a way to export keys in PKCS#1/PKCS#8 format — you generate the key on one machine, export it with a password, and import it on another machine; the key is only outside a keystore for the purpose of transferring it between machines.

tc.
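
The key handling discussed in this thread (a random AES key wrapped with the receiver's RSA public key, and the private key moved between machines as a passphrase-encrypted PKCS#8 blob) can be sketched as follows. This is an added example, not code from the question or any answer; it assumes .NET 6 or later, the class and method names are hypothetical, and the passphrase is a constructed sample value.

```csharp
using System;
using System.Security.Cryptography;

static class HybridKeyDemo
{
    // Export the private key as passphrase-encrypted PKCS#8 (PBES2: PBKDF2 + AES-256-CBC).
    static byte[] ExportProtected(RSA rsa, string passphrase) =>
        rsa.ExportEncryptedPkcs8PrivateKey(
            passphrase.AsSpan(),
            new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 600_000));

    // Import the blob on any machine; a wrong passphrase throws CryptographicException.
    static RSA ImportProtected(byte[] blob, string passphrase)
    {
        var rsa = RSA.Create();
        try { rsa.ImportEncryptedPkcs8PrivateKey(passphrase.AsSpan(), blob, out _); return rsa; }
        catch { rsa.Dispose(); throw; }
    }

    static void Main()
    {
        const string passphrase = "constructed example passphrase"; // constructed sample value

        // Receiver: generate the key pair once; only the encrypted blob is written to a file.
        using var receiverKey = RSA.Create(3072);
        byte[] publicKey = receiverKey.ExportSubjectPublicKeyInfo();
        byte[] protectedPrivateKey = ExportProtected(receiverKey, passphrase);

        // Sender: random AES-256 key, wrapped with the receiver's public key using OAEP.
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);
        using var senderRsa = RSA.Create();
        senderRsa.ImportSubjectPublicKeyInfo(publicKey, out _);
        byte[] wrappedKey = senderRsa.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256);

        // Receiver, possibly on a different machine: import with the passphrase, then unwrap.
        using var imported = ImportProtected(protectedPrivateKey, passphrase);
        byte[] unwrapped = imported.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
        Console.WriteLine($"AES key recovered: {CryptographicOperations.FixedTimeEquals(aesKey, unwrapped)}");

        // The blob alone is not enough: importing with a wrong passphrase is rejected.
        try { ImportProtected(protectedPrivateKey, "wrong passphrase").Dispose(); }
        catch (CryptographicException) { Console.WriteLine("Wrong passphrase rejected"); }
    }
}
```

Only `wrappedKey` travels with the encrypted data; the strength of the stored private key then rests on the passphrase and the PBKDF2 iteration count.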