AES Symmetric Key Secure Storage
From: Dinesh (Dinesh_at_discussions.microsoft.com)
Date: Fri, 22 Jul 2005 13:33:05 -0700
I am doing some AES cryptographic development for my employer. Part of the
requirements was to have a flexible solution, that can work in Windows
NT/2000, as most of our customers have not yet upgraded to Windows 2003.
This essentially ruled out using CryptoAPI, as there does not exist a CSP
that uses Rijndael in WinNT/2000. So I implemented a Certified and Open
Source version of the AES (Rijndael) in our libraries, which is working well.
This Open Source version of the Rijndael algorithmn just takes a buffer of
bytes for the key, to initialize it's context.
Now, in the issue of key management. We want a secure location to store the
symmetric key in the Windows platform. From what I've been reading, storing
the symmetric key on file or in the registry is not recommended. I also
cannot store the key in Certificate Services because (a) you need a CSP to
generate a key in CryptoAPI, and a CSP for AES only exists in Win2003, (b) if
I were to be able to create and store a key in a certificate store, I still
don't have access to the raw bytes of the symmetric key from the CryptoAPI
functions (using the HCRYPTKEY handle) for use to initialize the context for
my Open Source AES implementation.
Any recommendations for where to store a symmetric key on the Windows
platform? Should I just encrypt the symmetric key with a private key and
store the resulting encrypted buffer in the registry or on a file on disk? Or
is there a way to access the raw bytes of a CryptoAPI key using some method?