Reputation: 8928
I'm using jCryption.NET (sessionless version) to encrypt a login form and I'm curious about something it does and if it's secure or a wrong approach.
The library uses RSA for encryption. If I'm not mistaken, it first does a handshake with the backend, gets a generated value, creates a key, and uses this key to encrypt values. Then this generated key is sent to the backend with the encrypted value, and the backend code uses this key to decrypt.
Is this approach secure? I'm not a security expert so I'm not sure if it's a good idea to send the key along with the payload.
Upvotes: 0
Views: 56
Reputation: 3262
The key that is used is actually encrypted. If you read through the source code, during the handshake it decrypts the key and stores it in the session:

// Handshake: the client-generated key arrives base64-encoded and RSA-encrypted.
// Decrypt it with the server's private key (second argument false = PKCS#1 v1.5 padding, not OAEP)
// and keep the plaintext key in the session for later requests.
var key = Convert.FromBase64String(Request.Form["key"]);
var keyDecrypted = cryptoProvider.Decrypt(key, false);
Session[SessionKeyStoreKey] = keyDecrypted;
Alternatively, when it reads the key from the request, the key in the request data is also encrypted and is decrypted before use at the backend, as shown below:

// Per-request path: if the form carries a "jCryptionKey", it is RSA-encrypted and
// must be decrypted first; otherwise fall back to the key stored during the handshake.
byte[] keyDecrypted = Request.Form["jCryptionKey"] != null
    ? cryptoProvider.Decrypt(Convert.FromBase64String(Request.Form["jCryptionKey"]), false)
    : (byte[])Session[SessionKeyStoreKey];
Of course, this is not something you would use in typical enterprise applications, but, as it mentions, it is typically for use cases where you do not have the option to serve pages over HTTPS and would like to put some layer of security over the data; then jCryption is for you.
What I would suggest is to evaluate the business case and then take a decision.
Upvotes: 1