
Decrypting using an imported key from one server doesn't work on another server

I have two Windows 2008 R2 servers, Server 1 and Server 2. I generated the RSA key pair on Server 1 under Windows account 1 using:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pc "MyKeys" -exp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -px "MyKeys" keys.xml -pri

I copied keys.xml to Server 2. On Server 2 under Windows account 2 I ran:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pi "MyKeys" keys.xml

I use the following C# code to encrypt and decrypt:

using System;
using System.Security.Cryptography;
using System.Text;

// containerName must match the name given to aspnet_regiis -pc / -pi ("MyKeys" above).
private static RSACryptoServiceProvider CreateRsaCypher(string containerName)
{
  // Create the CspParameters object and set the key container 
  // name used to store the RSA key pair.
  // Note: with no Flags set, the CSP opens the per-user key store of the account
  // running the process, and if the container does not exist there it silently
  // creates a new random key pair under that name. aspnet_regiis (without -pku)
  // stores its containers in the machine key store.
  CspParameters cp = new CspParameters();
  cp.KeyContainerName = containerName;

  // Create a new instance of RSACryptoServiceProvider that accesses
  // the key container MyKeyContainerName.
  return new RSACryptoServiceProvider(cp);
}

public static string AsymmetricEncrypt(byte[] data, string containerName)
{
  RSACryptoServiceProvider cipher = CreateRsaCypher(containerName);
  // fOAEP = false selects PKCS#1 v1.5 padding; the decrypt side must use the same value.
  byte[] cipherText = cipher.Encrypt(data, false);
  return Convert.ToBase64String(cipherText);
}

public static string AsymmetricEncrypt(string str, string containerName)
{
  return AsymmetricEncrypt(Encoding.UTF8.GetBytes(str), containerName);
}

public static byte[] AsymmetricDecrypt(string data, string containerName)
{
  RSACryptoServiceProvider cipher = CreateRsaCypher(containerName);
  return cipher.Decrypt(Convert.FromBase64String(data), false);
}

public static string AsymmetricDecryptToString(string data, string containerName)
{
  return Encoding.UTF8.GetString(AsymmetricDecrypt(data, containerName));
}

Now when I encrypt a string on Server 1 using the same container under account 1, if I try to decrypt it on Server 2 under account 2 I get:

Unhandled Exception: System.Security.Cryptography.CryptographicException: Bad Data.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)

The application I encrypt/decrypt with is a C# console application.

I noticed that Server 1 & Server 2 don't have the same version of aspnet_regiis.exe, one is:

Microsoft (R) ASP.NET RegIIS version 4.0.30319.0

the other one is:

Microsoft (R) ASP.NET RegIIS version 4.0.30319.18408

Is my expectation that I can decrypt the text encrypted on Server 1 using the same key on Server 2 (ie keys pair that was exported on Server 1 and imported on Server 2) incorrect? Is windows altering somehow the public/private keys upon import?

Thank you in advance!

Just an update. Based on other tests, I noticed that encrypting the same string with the same RSA container under different Windows accounts leads to different encrypted strings, which makes sense in a way. That explains the behaviour I see.

OK, I got it working consistently between the two accounts; the key was to set the UseMachineKeyStore flag.

using System.Security.Cryptography;

// Name of the container created with aspnet_regiis -pc and imported with -pi.
private const string DefaultContainerName = "MyKeys";

private static RSACryptoServiceProvider CreateRsaCypher(string containerName = DefaultContainerName)
{
  // Create the CspParameters object and set the key container 
  // name used to store the RSA key pair.
  CspParameters cp = new CspParameters();
  cp.KeyContainerName = containerName;
  // UseMachineKeyStore: look in the machine-wide store that aspnet_regiis writes to,
  // not in the per-user store of whichever account runs the process.
  // UseExistingKey: throw "Keyset does not exist" instead of silently creating a new key pair.
  cp.Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore;
  // Create a new instance of RSACryptoServiceProvider that accesses
  // the key container MyKeyContainerName.
  return new RSACryptoServiceProvider(cp);
}
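The following console program is an added example, not code from the original post: it makes the difference between the two key stores visible, so that on each server you can confirm which key pair a given CspParameters setting actually opens before trying to decrypt anything. It assumes the container name "MyKeys" from the question and that aspnet_regiis placed it in the machine store; the fingerprint helper and the output format are illustrative.

```csharp
// Added example (not from the original post). Run it on Server 1 and Server 2 under
// the accounts that do the encrypting and decrypting; the machine-store fingerprints
// must match on both, otherwise the export/import did not carry the same key pair.
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyStoreCheck
{
    // aspnet_regiis -pc / -pi (without -pku) put the container in the MACHINE store.
    static RSACryptoServiceProvider OpenMachineKey(string container)
    {
        var cp = new CspParameters
        {
            KeyContainerName = container,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        return new RSACryptoServiceProvider(cp);
    }

    // Default CspParameters: the per-user profile store of the account running the process.
    // Without UseExistingKey a missing container is silently created with a fresh key pair.
    static RSACryptoServiceProvider OpenUserKey(string container, bool mustExist)
    {
        var cp = new CspParameters { KeyContainerName = container };
        if (mustExist) cp.Flags = CspProviderFlags.UseExistingKey;
        return new RSACryptoServiceProvider(cp);
    }

    // Short identifier for a key pair: first 8 bytes of SHA-256 over the public-key XML.
    // The same value on both servers means the same modulus/exponent, i.e. the same key.
    static string Fingerprint(RSA rsa)
    {
        using (var sha = SHA256.Create())
        {
            byte[] h = sha.ComputeHash(Encoding.UTF8.GetBytes(rsa.ToXmlString(false)));
            return BitConverter.ToString(h, 0, 8).Replace("-", "");
        }
    }

    static void Main()
    {
        const string container = "MyKeys";   // name used with aspnet_regiis in the question

        // 1. Machine store: the key pair aspnet_regiis created (Server 1) or imported (Server 2).
        string machineFp;
        using (var machine = OpenMachineKey(container))
        {
            machineFp = Fingerprint(machine);
            Console.WriteLine("machine store  {0}  {1}", container, machineFp);
        }

        // 2. User store, existing key only: fails loudly when nothing was put there.
        try
        {
            using (var user = OpenUserKey(container, mustExist: true))
                Console.WriteLine("user store     {0}  {1}", container, Fingerprint(user));
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("user store     {0}  not found: {1}", container, e.Message);
        }

        // 3. User store, default flags (what the original CreateRsaCypher did): no error,
        //    but a per-account key pair appears, which is why each account produced
        //    different ciphertext and the other side failed with "Bad Data".
        using (var user = OpenUserKey(container, mustExist: false))
        {
            string userFp = Fingerprint(user);
            Console.WriteLine("user store (auto-created if missing)  {0}", userFp);
            Console.WriteLine(userFp == machineFp
                ? "same key pair as machine store"
                : "DIFFERENT key pair: data encrypted with it will not decrypt with the machine key");

            // Delete the per-user container again so the test leaves no stray key behind.
            user.PersistKeyInCsp = false;
            user.Clear();
        }
    }
}
```

If step 1 throws under account 2 on Server 2, the container was imported but that account has no ACL on it; grant it with aspnet_regiis -pa "MyKeys" "DOMAIN\account2" and re-run. Only once the machine-store fingerprint is identical on both servers is a "Bad Data" error worth debugging as a padding or encoding problem rather than a wrong-key problem.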
