
exportable from key objects, but the data must be encrypted with another key to prevent accidental disclosure of the raw key data.

To extract the raw key data from a CryptoAPI key, you must first export the key using the CryptoAPI function CryptExportKey(). The key data obtained from this function will be encrypted with another key, which you can then use to decrypt the encrypted key data to obtain the raw key data that another API, such as OpenSSL, can use.

Discussion

To export a key using the CryptExportKey() function, you must provide the function with another key that will be used to encrypt the key data that's to be exported. Recipe 5.26 includes a function, SpcGetExportableContext(), that obtains a handle to a CSP context object suitable for exporting keys created with it. The CSP context object uses a "container" to store public key pairs. Every public key container can have a special public key pair known as an exchange key, which is the key that we'll use to decrypt the exported key data.

The function CryptGetUserKey() is used to obtain the exchange key. If it doesn't exist, SpcExportKeyData(), listed later in this section, will create a 1,024-bit exchange key, which will be stored as the exchange key in the public key container so future attempts to get the key will succeed. The special algorithm identifier AT_KEYEXCHANGE is used to reference the exchange key.

Symmetric keys are always exported via CryptExportKey() in "simple blob" format, specified by the SIMPLEBLOB constant passed to CryptExportKey(). The data returned in the buffer from CryptExportKey() will have a BLOBHEADER structure, followed by an ALG_ID for the algorithm used to encrypt the key data. The key data, still encrypted with the exchange key, follows the BLOBHEADER and ALG_ID header information. For extracting the raw key data from a CryptoAPI key, the contents of the BLOBHEADER structure and the ALG_ID are of no interest, but you must be aware of their existence so that you can skip over them to find the encrypted key data.

Finally, the encrypted key data can be decrypted using CryptDecrypt() and the exchange key. The CryptDecrypt() function is described in more detail in Recipe 5.25. The decrypted data is the raw key data that can now be passed off to other APIs or used in protocols that already provide their own protection for the key. The return from SpcExportKeyData() will be a buffer allocated with LocalAlloc() that contains the unencrypted symmetric key if no errors occur; otherwise, NULL will be returned.
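As an added example (not the book's code), the step of skipping the BLOBHEADER and the ALG_ID to reach the encrypted key data, written as a portable parser that also checks the header before trusting the buffer length; the SIMPLEBLOB, CUR_BLOB_VERSION and CALG_RSA_KEYX values are copied from wincrypt.h, and the sample blob is constructed here with a placeholder 8-byte ciphertext in place of the 128 bytes a 1,024-bit exchange key would produce.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants mirrored from wincrypt.h so this parser also builds off Windows. */
#define SIMPLEBLOB        0x01
#define CUR_BLOB_VERSION  0x02
#define CALG_RSA_KEYX     0x0000a400u          /* algorithm of the exchange key */
#define BLOBHEADER_LEN    8                    /* bType, bVersion, reserved, aiKeyAlg */
#define ALG_ID_LEN        4

static uint32_t rd32(const uint8_t *p) {       /* little-endian, as CryptoAPI writes it */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a SIMPLEBLOB as returned by CryptExportKey(): check the BLOBHEADER and the ALG_ID
 * after it, then return a pointer to the encrypted key bytes that CryptDecrypt() with the
 * exchange key turns into the raw key. NULL means too short or not an RSA-wrapped SIMPLEBLOB. */
const uint8_t *simpleblob_payload(const uint8_t *blob, size_t cbBlob,
                                  uint32_t *keyAlg, size_t *cbPayload) {
    if (blob == NULL || cbBlob <= BLOBHEADER_LEN + ALG_ID_LEN) return NULL;
    if (blob[0] != SIMPLEBLOB || blob[1] != CUR_BLOB_VERSION) return NULL;
    if (blob[2] != 0 || blob[3] != 0) return NULL;          /* reserved WORD must be zero */
    if (rd32(blob + BLOBHEADER_LEN) != CALG_RSA_KEYX) return NULL;
    if (keyAlg) *keyAlg = rd32(blob + 4);                   /* aiKeyAlg of the wrapped key */
    if (cbPayload) *cbPayload = cbBlob - BLOBHEADER_LEN - ALG_ID_LEN;
    return blob + BLOBHEADER_LEN + ALG_ID_LEN;
}

/* Constructed sample: header for an RC4 key (CALG_RC4 = 0x6801) wrapped with CALG_RSA_KEYX,
 * followed by 8 placeholder ciphertext bytes (a real 1,024-bit exchange key yields 128). */
const uint8_t sample_blob[] = {
    0x01, 0x02, 0x00, 0x00, 0x01, 0x68, 0x00, 0x00,   /* BLOBHEADER */
    0x00, 0xa4, 0x00, 0x00,                           /* ALG_ID: CALG_RSA_KEYX */
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04    /* encrypted key data */
};

/* Helpers returning the parse results for the sample; 0 means the blob was rejected. */
size_t sample_payload_offset(void) {
    const uint8_t *p = simpleblob_payload(sample_blob, sizeof sample_blob, NULL, NULL);
    return p ? (size_t)(p - sample_blob) : 0;
}
uint32_t sample_key_alg(void) {
    uint32_t alg = 0;
    return simpleblob_payload(sample_blob, sizeof sample_blob, &alg, NULL) ? alg : 0;
}
size_t sample_payload_len(void) {
    size_t n = 0;
    return simpleblob_payload(sample_blob, sizeof sample_blob, NULL, &n) ? n : 0;
}
```

The pointer returned is what you would hand to CryptDecrypt() together with the exchange key; the length check guards against a truncated or tampered buffer being read past its end.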

```c
#include <windows.h>    /* CryptoAPI headers */
#include <wincrypt.h>

BYTE *SpcExportKeyData(HCRYPTPROV hProvider, HCRYPTKEY hKey, DWORD *cbData) {
  BOOL bResult = FALSE;
  BYTE *pbData = 0, *pbKeyData;
  /* listing continues on the following page of the book */
```

Extracting Raw Key Data from a CryptoAPI Key Object | 247

This is the Title of the Book, eMatter Edition
Copyright © 2007 O'Reilly & Associates, Inc. All rights reserved.
