RE: Writing a CSP

From: lelteto (
Date: 06/09/05

  • Next message: Alun Jones [MSFT]: "Re: Protecting private keys"
    Date: Thu, 9 Jun 2005 10:41:01 -0700

    It's completely up to you how you want to protect private keys (in
    containers). One possible way is to encrypt it (them) with a key derived from
    password - you would need to prompt the user to enter the password before
    each use of the key (or you can cache the password for a limited time).
    Alternatively, you can use the user's existing Windows credential (via the MS
    CSP) to store and retrieve your key encryption key. However, the latter would
    be a problem for MACHINE keysets (which should be available for anybody on
    the computer). Even then you could use the MS CSP to store / retrieve a
    machine key from the Windows store. You would not be worse off than Windows
    (ie. the MS CSP) itself.

    Laszlo Elteto
    SafeNet, Inc.

    "natush" wrote:

    > Thanks for the detailed answer!
    > I have two more questions –
    > 1. In case I implement my CSP in software, I don’t understand how I’m
    > expected to protect the stored keys. Eventually there will have to be one
    > key (user key?) that will encrypt everything else and it will be exposed. How
    > can I protect it?
    > 2. I read on the MSDN that the function CPAcquireContext returns a handle to
    > the CSP (phProv) . What is a handle to the CSP and how can I create it?
    > Natush
    > "lelteto" wrote:
    > > 1. You need to implement ALL CPxxx functions.
    > >
    > > 2. If you don't want to support something you can 'call down' to the default
    > > (or Microsoft) CSP - but YOU need to implement that. For this you should load
    > > the (eg. MS) CSP, get the CPxxx entry points and call them when you want
    > > something to be done by that CSP.
    > > Note that you would still have to create (and return) your OWN handles (for
    > > AcquiredContext, keys and hashes); you would store the context / key, hash
    > > handle in your own context / handle. (ie. you would allocate a memory area
    > > and store the relevant info into that. You can either return the address of
    > > your area or some value which would let you find your area from the handle
    > > later.)
    > >
    > > 3. It's not only the functions but also the various algos that you may want
    > > to 'pass down' if you don't want to implement all.
    > >
    > > Laszlo Elteto
    > > SafeNet, Inc.
    > >
    > > "natush" wrote:
    > >
    > > > Hello,
    > > > I'm writing a CSP and I wanted to know whether I can implement only a subset
    > > > of the required functions (since I don’t want to support all algorithms)? I
    > > > read on the MSDN that if a custom CSP does not implement some functions, it
    > > > will be used as a pass-through layer. What does it mean? Do I need to
    > > > implement an empty function? Do I need to implement a call to another
    > > > function? If so - which function should I call?
    > > >
    > > >
    > > > Thanks,
    > > > Nataly
    > > >
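The handle scheme Laszlo describes above (allocate your own context area, keep the lower CSP's handle inside it, and hand the caller back a value that lets you find your area later), written out as an added C example; this is not code from the thread and not part of any Microsoft or SafeNet CSP. To build without windows.h it assumes stand-in typedefs for HCRYPTPROV and BOOL, a hypothetical LowerCsp function-pointer table in place of the real CPxxx entry points you would fetch from the loaded MS CSP DLL, and a constructed fake lower CSP; the `_shim` functions have their own signatures and are not the real CSP exports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the CryptoAPI typedefs so this builds without windows.h. */
typedef uintptr_t HCRYPTPROV;
typedef int BOOL;

/* Hypothetical table of the lower CSP's entry points (in a real CSP these would be
 * the CPAcquireContext/CPReleaseContext addresses obtained from the loaded MS CSP). */
typedef struct {
    BOOL (*acquire)(HCRYPTPROV *phOut, const char *container, uint32_t flags);
    BOOL (*release)(HCRYPTPROV h, uint32_t flags);
} LowerCsp;

/* Our own context area. The lower CSP's handle lives here and is never handed out. */
typedef struct {
    int in_use;
    uint16_t generation;   /* bumped on each reuse so a stale handle no longer matches */
    HCRYPTPROV lower;      /* the lower CSP's own handle */
    char container[64];
} MyContext;

#define MAX_CTX 16
static MyContext g_table[MAX_CTX];

/* Handle layout: generation in bits 16..31, (index + 1) in bits 0..15. Zero is never valid. */
static HCRYPTPROV make_handle(size_t idx) {
    return ((HCRYPTPROV)g_table[idx].generation << 16) | (HCRYPTPROV)(idx + 1);
}

/* Map a caller-supplied handle back to our area, refusing anything stale or out of range. */
static MyContext *lookup(HCRYPTPROV h) {
    size_t idx = (size_t)(h & 0xFFFF);
    if (idx == 0 || idx > MAX_CTX) return NULL;
    MyContext *c = &g_table[idx - 1];
    if (!c->in_use || c->generation != (uint16_t)((h >> 16) & 0xFFFF)) return NULL;
    return c;
}

/* Shim (not the real export): allocate our area, call down, return OUR handle. */
BOOL CPAcquireContext_shim(const LowerCsp *lower, HCRYPTPROV *phProv,
                           const char *container, uint32_t flags) {
    for (size_t i = 0; i < MAX_CTX; i++) {
        if (g_table[i].in_use) continue;
        HCRYPTPROV lo = 0;
        if (!lower->acquire(&lo, container, flags)) return 0;   /* lower CSP refused */
        g_table[i].in_use = 1;
        g_table[i].generation++;
        g_table[i].lower = lo;
        snprintf(g_table[i].container, sizeof g_table[i].container, "%s",
                 container ? container : "");
        *phProv = make_handle(i);
        return 1;
    }
    return 0;   /* table full */
}

/* Shim: translate our handle to the lower one, release it, then invalidate our slot. */
BOOL CPReleaseContext_shim(const LowerCsp *lower, HCRYPTPROV hProv, uint32_t flags) {
    MyContext *c = lookup(hProv);
    if (!c) return 0;        /* bad, stale or foreign handle */
    BOOL ok = lower->release(c->lower, flags);
    c->in_use = 0;
    c->lower = 0;
    memset(c->container, 0, sizeof c->container);
    return ok;
}

/* Constructed fake lower CSP standing in for the loaded MS CSP. */
static int g_fake_live = 0;
static BOOL fake_acquire(HCRYPTPROV *phOut, const char *container, uint32_t flags) {
    (void)container; (void)flags;
    *phOut = 0x1000 + (HCRYPTPROV)(++g_fake_live);
    return 1;
}
static BOOL fake_release(HCRYPTPROV h, uint32_t flags) {
    (void)h; (void)flags;
    g_fake_live--;
    return 1;
}
const LowerCsp g_fake_lower = { fake_acquire, fake_release };
int fake_live_contexts(void) { return g_fake_live; }

/* Acquire, release, then reuse the released handle: 1 only if the stale handle was refused
 * and the lower CSP saw exactly one acquire and one release. */
int shim_roundtrip_ok(void) {
    HCRYPTPROV h = 0;
    if (!CPAcquireContext_shim(&g_fake_lower, &h, "user-container", 0) || h == 0) return 0;
    if (!CPReleaseContext_shim(&g_fake_lower, h, 0)) return 0;
    if (CPReleaseContext_shim(&g_fake_lower, h, 0)) return 0;   /* must fail: slot invalidated */
    return fake_live_contexts() == 0;
}

int main(void) {
    printf("round trip %s\n", shim_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The generation counter is the part worth keeping even in a toy: a handle is just an integer the caller hands back, so the lookup has to reject a released handle and any guessed value rather than letting it reach another caller's context (and the lower CSP's handle stored inside it).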
