Asymmetric encryption where the receiving party can decrypt - but must be completely unable to encrypt the data

Question

What I have is a client server scenario, and a payload (x).

• The server generates x and encrypts it : enc(x)
• enc(x) is sent to the client
• The client decrypts the data to get x

However, the restrictions I must enforce are that:

• The encryption and decryption keys must be different
• The client must not have the encryption key

So straight up RSA is out the window, since you need both the public and private key to decrypt, and the public key lets you encrypt it.

So the objective is twofold: for the client to be able to decrypt a piece of data, ensuring that it came from a known source - but for the client to be incapable of producing its own encrypted version of the original payload.

C# ideally, but I can accept similar language answers.

Edit: I'm informed that only the private key is required to decrypt and not both keys - however there doesn't seem to be a way to make the RSACryptoServiceProvider in .Net do this.

Answer 1

1. Use something like AES to encrypt the data
2. sign the encrypted data with RSA
3. send the encrypted + signed data to your client
4. since AES uses a shared key the client can decrypt the data
5. the client can verify the signature using the public RSA key

The drawbacks are :

1. The client can reproduced an encrypted message but it won't be signed (since only you have the private key).
2. the client can replace the public key on his end with his own key pair to sign/verify the message.

Answer 2

Just use two keypairs, one for encryption and one for signing. RSA is fine for this.