Problem - Kevin Tafuro

exportable from key objects, but the data must be encrypted with another key to prevent accidental disclosure of the raw key data.

To extract the raw key data from a CryptoAPI key, you must first export the key using the CryptoAPI function CryptExportKey( ). The key data obtained from this function will be encrypted with another key, which you can then use to decrypt the encrypted key data to obtain the raw key data that another API, such as OpenSSL, can use.

Discussion

To export a key using the CryptExportKey( ) function, you must provide the function with another key that will be used to encrypt the key data that's to be exported. Recipe 5.26 includes a function, SpcGetExportableContext( ), that obtains a handle to a CSP context object suitable for exporting keys created with it. The CSP context object uses a "container" to store public key pairs. Every public key container can have a special public key pair known as an exchange key, which is the key that we'll use to decrypt the exported key data.

The function CryptGetUserKey( ) is used to obtain the exchange key. If it doesn't exist, SpcExportKeyData( ), listed later in this section, will create a 1,024-bit exchange key, which will be stored as the exchange key in the public key container so future attempts to get the key will succeed. The special algorithm identifier AT_KEYEXCHANGE is used to reference the exchange key.

Symmetric keys are always exported via CryptExportKey( ) in "simple blob" format, specified by the SIMPLEBLOB constant passed to CryptExportKey( ). The data returned in the buffer from CryptExportKey( ) will have a BLOBHEADER structure, followed by an ALG_ID for the algorithm used to encrypt the key data. The raw key data will follow the BLOBHEADER and ALG_ID header information. For extracting the raw key data from a CryptoAPI key, the data in the BLOBHEADER structure and the ALG_ID are of no interest, but you must be aware of their existence so that you can skip over them to find the encrypted key data.

Finally, the encrypted key data can be decrypted using CryptDecrypt( ) and the exchange key. The CryptDecrypt( ) function is described in more detail in Recipe 5.25. The decrypted data is the raw key data that can now be passed off to other APIs or used in protocols that already provide their own protection for the key. The return from SpcExportKeyData( ) will be a buffer allocated with LocalAlloc( ) that contains the unencrypted symmetric key if no errors occur; otherwise, NULL will be returned.
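The "skip over the headers" step above is where an off-by-a-few-bytes error hands the wrong buffer to CryptDecrypt( ). The following is an added illustration, not the book's code: it restates the SIMPLEBLOB layout (BLOBHEADER, then ALG_ID, then the RSA-encrypted key) with constants mirrored from wincrypt.h so it builds anywhere, locates the encrypted key data with bounds checks, and optionally confirms the ciphertext is exactly the exchange key's modulus size (128 bytes for the 1,024-bit key the text creates). The sample blob is constructed; its filler bytes stand in for real ciphertext.

```c
/* Locating the encrypted key bytes inside a CryptoAPI SIMPLEBLOB (added example).
 * Constants mirror wincrypt.h so this also builds without it. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SPC_SIMPLEBLOB       0x01u       /* BLOBHEADER.bType for a simple blob */
#define SPC_CUR_BLOB_VERSION 0x02u       /* BLOBHEADER.bVersion */
#define SPC_CALG_RSA_KEYX    0x0000a400u /* ALG_ID of the RSA exchange key */
#define SPC_HDR_LEN          (8 + 4)     /* sizeof(BLOBHEADER) + sizeof(ALG_ID) */

typedef struct {
    uint32_t aiKeyAlg;           /* algorithm of the wrapped symmetric key (BLOBHEADER.aiKeyAlg) */
    uint32_t aiEncryptAlg;       /* ALG_ID that follows the header: what encrypted the key */
    const uint8_t *pbEncrypted;  /* the bytes CryptDecrypt() would be given */
    size_t cbEncrypted;
} spc_simpleblob_t;

static uint32_t rd_le32(const uint8_t *p) {  /* ALG_IDs are little-endian DWORDs */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validates the headers and points at the encrypted key data. expected_cb is the
 * exchange key's modulus size in bytes (128 for a 1,024-bit key), or 0 to skip. */
int spc_parse_simpleblob(const uint8_t *blob, size_t cb, size_t expected_cb,
                         spc_simpleblob_t *out) {
    if (!blob || !out || cb <= SPC_HDR_LEN) return 0;        /* headers alone are not a key */
    if (blob[0] != SPC_SIMPLEBLOB || blob[1] != SPC_CUR_BLOB_VERSION) return 0;
    out->aiKeyAlg = rd_le32(blob + 4);
    out->aiEncryptAlg = rd_le32(blob + 8);
    if (out->aiEncryptAlg != SPC_CALG_RSA_KEYX) return 0;    /* not wrapped by an exchange key */
    out->pbEncrypted = blob + SPC_HDR_LEN;
    out->cbEncrypted = cb - SPC_HDR_LEN;
    return expected_cb == 0 || out->cbEncrypted == expected_cb;
}

/* Constructed sample: an RC4 session key (CALG_RC4 = 0x6801) wrapped by a 1,024-bit
 * exchange key; 0xAA filler stands in for the RSA ciphertext. Returns bytes written. */
size_t spc_build_sample_blob(uint8_t *buf, size_t cap) {
    static const uint8_t hdr[SPC_HDR_LEN] = {
        0x01, 0x02, 0x00, 0x00,  0x01, 0x68, 0x00, 0x00,   /* bType, bVersion, reserved, aiKeyAlg */
        0x00, 0xa4, 0x00, 0x00 };                           /* ALG_ID = CALG_RSA_KEYX */
    size_t total = SPC_HDR_LEN + 128;
    if (cap < total) return 0;
    memcpy(buf, hdr, SPC_HDR_LEN);
    memset(buf + SPC_HDR_LEN, 0xAA, 128);
    return total;
}
```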

#include <windows.h>
#include <wincrypt.h>

BYTE *SpcExportKeyData(HCRYPTPROV hProvider, HCRYPTKEY hKey, DWORD *cbData) {
  BOOL bResult = FALSE;
  BYTE *pbData = 0, *pbKeyData;
  /* the remainder of this listing is on the following page */

Extracting Raw Key Data from a CryptoAPI Key Object | 247

This is the Title of the Book, eMatter Edition

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
