From: Michael Howard [mikehow@microsoft.com]
Sent: Wednesday, November 06, 2002 1:58 PM
To: Jason Lavigne; secprog@securityfocus.com
Subject: RE: Import/Export a plain text key in/out of CAPI

Use CryptDeriveKey

Here's some code from Writing Secure Code:

#include <windows.h>
#include <wincrypt.h>
#include <iostream>
#include <fstream>
using namespace std;

// get the symmetric exchange key used to encrypt the key
// this is a bogus stub example function - you would usually
// get the key from somewhere secure, or from the user
void GetExchangeKey(HCRYPTPROV hProv, HCRYPTKEY *hXKey) {
    HCRYPTHASH hHash;
    BYTE bKey[] = "176sjxmal";   // note: sizeof bKey counts the terminating NUL

    if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
        throw GetLastError();

    if (!CryptHashData(hHash, bKey, sizeof bKey, 0))
        throw GetLastError();

    // derive a two-key 3DES key from the hash value
    BOOL ok = CryptDeriveKey(hProv, CALG_3DES_112, hHash, CRYPT_EXPORTABLE, hXKey);
    CryptDestroyHash(hHash);     // the hash object is not needed once the key is derived
    if (!ok)
        throw GetLastError();
}

int main() {
    HCRYPTPROV hProv = NULL;
    HCRYPTKEY hKey = NULL;
    HCRYPTKEY hExchangeKey = NULL;
    LPBYTE pbKey = NULL;

    try {
        // CRYPT_VERIFYCONTEXT: no persistent key container is needed
        if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
            throw GetLastError();

        // the session key to be exported; it must be generated as exportable
        if (!CryptGenKey(hProv, CALG_3DES_112, CRYPT_EXPORTABLE, &hKey))
            throw GetLastError();

        GetExchangeKey(hProv, &hExchangeKey);

        // first call sizes the buffer, second call fills it
        DWORD dwLen = 0;
        if (!CryptExportKey(hKey, hExchangeKey, SYMMETRICWRAPKEYBLOB, 0, NULL, &dwLen))
            throw GetLastError();

        pbKey = new BYTE[dwLen];
        ZeroMemory(pbKey, dwLen);

        if (!CryptExportKey(hKey, hExchangeKey, SYMMETRICWRAPKEYBLOB, 0, pbKey, &dwLen))
            throw GetLastError();

        cout << "Cool, " << dwLen << " byte wrapped key is exported." << endl;

        // write shrouded key to key.bin, overwrite if needed
        ofstream file("c:\\key.bin", ios_base::binary);
        file.write(reinterpret_cast<const char*>(pbKey), dwLen);
        file.close();
    } catch (DWORD e) {
        cerr << "Error " << e << hex << " " << e << endl;
    }

    // clean-up
    if (hExchangeKey) CryptDestroyKey(hExchangeKey);
    if (hKey) CryptDestroyKey(hKey);
    if (hProv) CryptReleaseContext(hProv, 0);
    if (pbKey) delete [] pbKey;

    return 0;
}

Cheers, Michael
Secure Windows Initiative
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp

-----Original Message-----
From: Jason Lavigne [mailto:jlavigne@bwlogic.com]
Sent: Wednesday, November 06, 2002 8:03 AM
To: secprog@securityfocus.com
Subject: Import/Export a plain text key in/out of CAPI

Hello all,

I would like to do one of two things and was hoping that I could find the answer here. I am using Microsoft's CAPI and would like to either:

a) import my own plain text key into CAPI to be encrypted using CryptExportKey(hDesKey, hServerPubRSAKey, SIMPLEBLOB, ...)
b) export a random key as plain text that was generated using CryptGenKey

The reason I would like to do this is I am not using DES that comes with CAPI; instead I am using DES that is included in Crypto++ (http://www.eskimo.com/~weidai/cryptlib.html) and would like to use RSA from CAPI to encrypt the DES key using our X.509 certificate.

Any ideas?

TIA
Jason Lavigne
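An added example, not part of the thread and not Microsoft's or Crypto++'s code, showing the route Jason's questions (a) and (b) take when the provider accepts the CAPI PLAINTEXTKEYBLOB type (a BLOBHEADER, a DWORD key length, then the raw key bytes), which is what CryptImportKey and CryptExportKey use to move a raw session key in and out of CAPI. It is an assumption here that the installed provider and Windows version support PLAINTEXTKEYBLOB; the builder and parser are portable and run anywhere, while the CryptImportKey/CryptExportKey wrappers are compiled only under _WIN32. The names capiblob::Build, Parse, Wipe, ImportRaw and ExportRaw, and the sample key bytes, are mine.

```cpp
// Added example, not code from the thread: build/parse a CAPI PLAINTEXTKEYBLOB
// so a raw DES/3DES key can cross between CAPI and another library (Crypto++).
// Layout (little-endian, as documented for CAPI key blobs):
//   BLOBHEADER { BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg; }
//   DWORD cbKey;          // key length in bytes
//   BYTE  rgbKey[cbKey];  // the raw key
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

namespace capiblob {

// CAPI constants spelled out so the builder/parser compile without wincrypt.h.
const uint8_t  kPlaintextKeyBlob = 0x08;       // PLAINTEXTKEYBLOB
const uint8_t  kCurBlobVersion   = 0x02;       // CUR_BLOB_VERSION
const uint32_t kCalgDes          = 0x00006601; // CALG_DES
const uint32_t kCalg3Des112      = 0x00006609; // CALG_3DES_112 (two-key 3DES)
const uint32_t kCalg3Des         = 0x00006603; // CALG_3DES (three-key 3DES)
const size_t   kHeaderLen        = 8 + 4;      // BLOBHEADER + DWORD cbKey

static void PutLE32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
static uint32_t GetLE32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Raw key length each DES variant takes; a wrong-sized key is caught here,
// before the provider ever sees it.
static size_t ExpectedKeyLen(uint32_t alg) {
    switch (alg) {
        case kCalgDes:     return 8;
        case kCalg3Des112: return 16;
        case kCalg3Des:    return 24;
        default: throw std::invalid_argument("unsupported ALG_ID");
    }
}

// (a) Wrap a raw key in a PLAINTEXTKEYBLOB ready for CryptImportKey.
std::vector<uint8_t> Build(uint32_t alg, const std::vector<uint8_t>& key) {
    if (key.size() != ExpectedKeyLen(alg))
        throw std::invalid_argument("key length does not match algorithm");
    std::vector<uint8_t> blob;
    blob.push_back(kPlaintextKeyBlob);                 // bType
    blob.push_back(kCurBlobVersion);                   // bVersion
    blob.push_back(0); blob.push_back(0);              // reserved
    PutLE32(blob, alg);                                // aiKeyAlg
    PutLE32(blob, static_cast<uint32_t>(key.size()));  // cbKey
    blob.insert(blob.end(), key.begin(), key.end());   // rgbKey
    return blob;
}

// (b) Recover the raw key from a PLAINTEXTKEYBLOB returned by CryptExportKey.
// Every length is checked against the bytes actually present: a blob whose
// cbKey claims more than it carries is rejected, not read past its end.
std::vector<uint8_t> Parse(const std::vector<uint8_t>& blob, uint32_t* algOut) {
    if (blob.size() < kHeaderLen) throw std::runtime_error("blob too short");
    if (blob[0] != kPlaintextKeyBlob || blob[1] != kCurBlobVersion)
        throw std::runtime_error("not a PLAINTEXTKEYBLOB");
    uint32_t alg = GetLE32(&blob[4]);
    uint32_t cb  = GetLE32(&blob[8]);
    if (cb != ExpectedKeyLen(alg) || blob.size() - kHeaderLen != cb)
        throw std::runtime_error("cbKey inconsistent with blob size");
    if (algOut) *algOut = alg;
    return std::vector<uint8_t>(blob.begin() + kHeaderLen, blob.end());
}

// Scrub a buffer that held key material (a plain memset may be optimised away).
void Wipe(std::vector<uint8_t>& buf) {
    volatile uint8_t* p = buf.data();
    for (size_t i = 0; i < buf.size(); ++i) p[i] = 0;
}

#ifdef _WIN32
// CAPI round trip, Windows only. The key is imported without CRYPT_EXPORTABLE,
// so once inside the provider it cannot leave again in the clear.
HCRYPTKEY ImportRaw(HCRYPTPROV hProv, uint32_t alg, const std::vector<uint8_t>& key) {
    std::vector<uint8_t> blob = Build(alg, key);
    HCRYPTKEY hKey = 0;
    BOOL ok = CryptImportKey(hProv, blob.data(), (DWORD)blob.size(), 0, 0, &hKey);
    Wipe(blob);
    if (!ok) throw std::runtime_error("CryptImportKey failed");
    return hKey;
}
// Needs a key created with CRYPT_EXPORTABLE and a provider that can export
// PLAINTEXTKEYBLOB (assumed here).
std::vector<uint8_t> ExportRaw(HCRYPTKEY hKey) {
    DWORD cb = 0;
    if (!CryptExportKey(hKey, 0, PLAINTEXTKEYBLOB, 0, NULL, &cb))
        throw std::runtime_error("CryptExportKey (size) failed");
    std::vector<uint8_t> blob(cb);
    if (!CryptExportKey(hKey, 0, PLAINTEXTKEYBLOB, 0, blob.data(), &cb))
        throw std::runtime_error("CryptExportKey failed");
    blob.resize(cb);
    std::vector<uint8_t> key = Parse(blob, NULL);
    Wipe(blob);
    return key;
}
#endif

} // namespace capiblob
```

The raw key only comes back out in (b) if CryptGenKey was called with CRYPT_EXPORTABLE, as in Michael's sample; ImportRaw deliberately omits that flag, so a key handed to CAPI this way can be used for the SIMPLEBLOB export under the RSA public key but cannot be read back in the clear afterwards. Parse refuses any blob whose header and length field do not agree with the bytes actually received, which matters when the blob arrives from a file or the network rather than straight from the provider.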