RE: Writing a CSP

From: lelteto (
Date: 06/09/05

  • Next message: Alun Jones [MSFT]: "Re: Protecting private keys"
    Date: Thu, 9 Jun 2005 10:41:01 -0700

    It's completely up to you how you want to protect private keys (in
    containers). One possible way is to encrypt it (them) with a key derived from
    password - you would need to prompt the user to enter the password before
    each use of the key (or you can cache the password for a limited time).
    Alternatively, you can use the user's existing Windows credential (via the MS
    CSP) to store and retrieve your key encryption key. However, the latter would
    be a problem for MACHINE keysets (which should be available for anybody on
    the computer). Even than you could use the MS CSP to store / retrieve a
    machine key from the Windows store. You would not be worse off than Windows
    (ie. the MS CSP) itself.

    Laszlo Elteto
    SafeNet, Inc.

    "natush" wrote:

    > Thanks for the detailed answer!
    > I have two more questions –
    > 1. In case I implement my CSP in software, I don’t understand how I’m
    > expected to protect the stored keys. Eventually there will have to be one
    > key (user key?) that will encrypt everything else and it will be exposed. How
    > can I protect it?
    > 2. I read on the MSDN that the function CPAcquireContext returns a handle to
    > the CSP (phProv) . What is a handle to the CSP and how can I create it?
    > Natush
    > "lelteto" wrote:
    > > 1. You need to implement ALL CPxxx functions.
    > >
    > > 2. If you don't want to support something you can 'call down' to the default
    > > (or Microsoft) CSP - but YOU need to implement that. For this you should load
    > > the (eg. MS) CSP, get the CPxxx entry points and call them when you want
    > > something to be done by that CSP.
    > > Note that you would still have to create (and return) your OWN handles (for
    > > AcquiredContext, keys and hashes); you would store the context / key, hash
    > > handle in your own context / handle. (ie. you would allocate a memory area
    > > and store the relevant info into that. You can either return the address of
    > > your area or some value which would let you find your area from the handle
    > > later.)
    > >
    > > 3. It's not only the functions but also the various algos that you may want
    > > to 'pass down' if you don't want to implement all.
    > >
    > > Laszlo Elteto
    > > SafeNet, Inc.
    > >
    > > "natush" wrote:
    > >
    > > > Hello,
    > > > I'm writing a CSP and I wanted to know whether I can implement only a subset
    > > > of the required functions (since I don’t want to support all algorithms)? I
    > > > read on the MSDN that if a custom CSP does not implement some functions, it
    > > > will be use as a pass-through layer. What does it mean? Do I need to
    > > > implement an empty function? Do I need to implement a call to another
    > > > function? If so - which function should I call?
    > > >
    > > >
    > > > Thanks,
    > > > Nataly
    > > >

  • Next message: Alun Jones [MSFT]: "Re: Protecting private keys"