On October 23rd, 2014, we updated our
By continuing to use LinkedIn’s SlideShare service, you agree to the revised terms, so please take a few minutes to review them.
The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). One CSP, the Microsoft RSA Base Provider, is included with the operating system.
CSPs in MSDN (Not all are supported in all platforms)
Cryptographic Service Providers Windows CE CSPs
Cryptographic Service Providers
Windows (Desktop): Platform SDK
Windows CE (Window Mobile, Smartphones, Pocket PC). Platform Builder
Important concept: Key Containers
Each container has a Key Database
Each Key Database has Keys
A key container work as a smart card, however containers are designed to protect keys.
Session keys are used when encrypting and decrypting data.. These keys are kept inside the CSP for safekeeping. Unlike the key pairs, session keys are volatile. Applications can save these keys for later use or transmission to other users by exporting them from the CSP into application space in the form of an encrypted key binary large object or key blob using the CryptExportKey function. Public or Private Key Pairs
Each user generally has two public or private key pairs.
One key pair is used to encrypt session keys and the other to create digital signatures. These are known as the key AT_EXCHANGE, and AT_SIGNATURE keys.
Important Concepts: Containers and Key Storage
CSPs keep the keys and all the containers for those keys isolated from the application layer. By opening a container, application are then able to sign, encrypt, and decrypt data with a key. The container could be password protected, stored in a smartcard, or a secure media.
Two methods can be used to set keys in a CSP.
CSP Generated key (e.g. via CryptGenKey or CryptDeriveKey)
Force a session and application keys be the same (Exponent-of-One Transformation)
Digital Signature Wizard (Platform SDK or Windows Mobile SDK)
Methods of generating keys into a container
The CryptGenKey calls are used to create a new key values. The key value could be DES, 3DES, etc.
You can derive a key from a hash or a password using CryptDeriveKey also.
Sample code with Key Containers
We will see how to initialize and use a Key container
Obviously this must fail, however certain keys can
be stored as CRYPT_EXPORTABLE otherwise the private key cannot
Exchanging a Session Key
To send an encrypted session key
Create a random session key, using the CryptGenKey function.
Encode the message, using the session key.
Export the session key into a key BLOB with the CryptExportKey function. Specify that the key be encoded with the destination user's key exchange public key, which is the receiver's public key.
Send the encoded message and the encoded key BLOB to the destination user.
The receiver then imports the key BLOB into the CSP, using the CryptImportKey function. This automatically decodes the session key, provided that the destination user's key exchange private key was specified in step three.
The receiver can then decode the message, using the session k ey