RE: Writing a CSP
From: lelteto (lelteto_at_discussions.microsoft.com)
Date: Thu, 9 Jun 2005 10:41:01 -0700
It's completely up to you how you want to protect private keys (in
containers). One possible way is to encrypt it (them) with a key derived from
password - you would need to prompt the user to enter the password before
each use of the key (or you can cache the password for a limited time).
Alternatively, you can use the user's existing Windows credential (via the MS
CSP) to store and retrieve your key encryption key. However, the latter would
be a problem for MACHINE keysets (which should be available for anybody on
the computer). Even then you could use the MS CSP to store / retrieve a
machine key from the Windows store. You would not be worse off than Windows
(i.e. the MS CSP) itself.
> Thanks for the detailed answer!
> I have two more questions –
> 1. In case I implement my CSP in software, I don’t understand how I’m
> expected to protect the stored keys. Eventually there will have to be one
> key (user key?) that will encrypt everything else and it will be exposed. How
> can I protect it?
> 2. I read on the MSDN that the function CPAcquireContext returns a handle to
> the CSP (phProv) . What is a handle to the CSP and how can I create it?
> "lelteto" wrote:
> > 1. You need to implement ALL CPxxx functions.
> > 2. If you don't want to support something you can 'call down' to the default
> > (or Microsoft) CSP - but YOU need to implement that. For this you should load
> > the (eg. MS) CSP, get the CPxxx entry points and call them when you want
> > something to be done by that CSP.
> > Note that you would still have to create (and return) your OWN handles (for
> > AcquireContext, keys and hashes); you would store the context / key, hash
> > handle in your own context / handle. (i.e. you would allocate a memory area
> > and store the relevant info into that. You can either return the address of
> > your area or some value which would let you find your area from the handle
> > later.)
> > 3. It's not only the functions but also the various algos that you may want
> > to 'pass down' if you don't want to implement all.
> > Laszlo Elteto
> > SafeNet, Inc.
> > "natush" wrote:
> > > Hello,
> > > I'm writing a CSP and I wanted to know whether I can implement only a subset
> > > of the required functions (since I don’t want to support all algorithms)? I
> > > read on the MSDN that if a custom CSP does not implement some functions, it
> > > will be used as a pass-through layer. What does it mean? Do I need to
> > > implement an empty function? Do I need to implement a call to another
> > > function? If so - which function should I call?
> > >
> > >
> > > Thanks,
> > > Nataly
> > >
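As an added illustration of the handle management described in this thread (the CSP allocating its own context record, storing the underlying provider's handle inside it, and returning "some value which would let you find your area from the handle later"), here is a small portable C sketch. It is not lelteto's code nor Microsoft's; the names (`csp_acquire_context`, `csp_lookup`, `csp_release_context`, `inner_handle_t`) are hypothetical, and `inner_handle_t` stands in for the HCRYPTPROV you would obtain from the MS CSP when calling down. Rather than returning the raw address of the context (which a caller could forge or reuse after release and have the CSP dereference), the handle packs a table index and a generation counter, so stale or fabricated handles are rejected by lookup instead of being trusted.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the lower provider's context handle
 * (on Windows this would be the HCRYPTPROV returned by the MS CSP). */
typedef uintptr_t inner_handle_t;

#define MAX_CONTEXTS 16

typedef struct {
    int in_use;
    uint32_t generation;   /* bumped on every reuse of the slot; detects stale handles */
    inner_handle_t inner;  /* handle of the provider we "call down" to */
    char container[64];    /* key container name requested by the caller */
    unsigned int flags;    /* caller's flags, e.g. a machine-keyset indicator */
} csp_context;

/* Our own memory area for contexts; the caller never sees its addresses. */
static csp_context g_contexts[MAX_CONTEXTS];

/* Handle layout: high 16 bits = generation, low 16 bits = index + 1.
 * A handle value of 0 is never valid, matching the usual "failure" convention. */
static uint32_t make_handle(uint32_t index, uint32_t gen) {
    return ((gen & 0xFFFFu) << 16) | ((index + 1) & 0xFFFFu);
}

/* Equivalent of CPAcquireContext's bookkeeping: claim a slot, remember the
 * inner provider handle and return an opaque handle of our own. */
uint32_t csp_acquire_context(const char *container, unsigned int flags,
                             inner_handle_t inner) {
    for (uint32_t i = 0; i < MAX_CONTEXTS; i++) {
        csp_context *c = &g_contexts[i];
        if (c->in_use) continue;
        c->in_use = 1;
        c->generation = (c->generation + 1) & 0xFFFFu;
        if (c->generation == 0) c->generation = 1;  /* keep 0 reserved */
        c->inner = inner;
        c->flags = flags;
        strncpy(c->container, container ? container : "", sizeof c->container - 1);
        c->container[sizeof c->container - 1] = '\0';
        return make_handle(i, c->generation);
    }
    return 0;  /* table full: report failure to the caller */
}

/* Resolve a handle back to our context, refusing out-of-range indices,
 * released slots and handles from an earlier generation. */
csp_context *csp_lookup(uint32_t handle) {
    uint32_t idx = handle & 0xFFFFu;
    uint32_t gen = handle >> 16;
    if (idx == 0 || idx > MAX_CONTEXTS) return NULL;
    csp_context *c = &g_contexts[idx - 1];
    if (!c->in_use || c->generation != gen) return NULL;
    return c;
}

/* Equivalent of CPReleaseContext's bookkeeping: free the slot and scrub it. */
int csp_release_context(uint32_t handle) {
    csp_context *c = csp_lookup(handle);
    if (!c) return 0;
    c->in_use = 0;
    c->inner = 0;
    c->flags = 0;
    memset(c->container, 0, sizeof c->container);
    return 1;
}

/* "Calling down": translate our handle into the inner provider's handle so a
 * pass-through CPxxx implementation can forward the request. */
int csp_inner_handle(uint32_t handle, inner_handle_t *out) {
    csp_context *c = csp_lookup(handle);
    if (!c) return 0;
    *out = c->inner;
    return 1;
}

int main(void) {
    /* Constructed sample: 0x1234 plays the role of an inner HCRYPTPROV. */
    uint32_t h = csp_acquire_context("demo-container", 0, (inner_handle_t)0x1234);
    inner_handle_t inner = 0;
    printf("handle=0x%08x lookup=%s\n", h, csp_lookup(h) ? "ok" : "invalid");
    printf("call-down ok=%d inner=0x%lx\n", csp_inner_handle(h, &inner), (unsigned long)inner);
    csp_release_context(h);
    printf("after release lookup=%s\n", csp_lookup(h) ? "ok" : "rejected");
    return 0;
}
```

The generation counter is what makes the handle safer than a bare pointer: once a slot is released and reused, the old handle's generation no longer matches, so a caller that keeps using a freed context gets a clean failure rather than silently operating on someone else's keys.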