AES Symmetric Key Secure Storage

From: Dinesh (Dinesh_at_discussions.microsoft.com)
Date: 07/22/05

Date: Fri, 22 Jul 2005 13:33:05 -0700

Hello,

I am doing some AES cryptographic development for my employer. Part of the
requirements was to have a flexible solution that can work in Windows
NT/2000, as most of our customers have not yet upgraded to Windows 2003.

This essentially ruled out using CryptoAPI, as there does not exist a CSP
that uses Rijndael in WinNT/2000. So I implemented a Certified and Open
Source version of the AES (Rijndael) in our libraries, which is working well.
This Open Source version of the Rijndael algorithm just takes a buffer of
bytes for the key, to initialize its context.

Now, on to the issue of key management. We want a secure location to store the
symmetric key in the Windows platform. From what I've been reading, storing
the symmetric key on file or in the registry is not recommended. I also
cannot store the key in Certificate Services because (a) you need a CSP to
generate a key in CryptoAPI, and a CSP for AES only exists in Win2003, (b) if
I were to be able to create and store a key in a certificate store, I still
don't have access to the raw bytes of the symmetric key from the CryptoAPI
functions (using the HCRYPTKEY handle) for use to initialize the context for
my Open Source AES implementation.

Any recommendations for where to store a symmetric key on the Windows
platform? Should I just encrypt the symmetric key with a private key and
store the resulting encrypted buffer in the registry or on a file on disk? Or
is there a way to access the raw bytes of a CryptoAPI key using some method?

Thanks!
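The thread carries no reply, so here is the pattern the question proposes (encrypt the data key under a separate key-encryption key and store only the encrypted blob) worked through as an added example. It is not code from the original post or from the asker's library; it is written in Go so that it runs self-contained on the standard library, and the blob layout, the purpose string and the function names are my own assumptions. The design points it shows are the ones that matter for storage: the blob is authenticated (AES-GCM), the header and a purpose string are bound into the tag so a version or nonce change or a blob swapped in from another role is rejected, and a wrong KEK or a single flipped byte yields an error and no partial key. The caveat the pattern carries is that wrapping only relocates the secret: the KEK must be protected differently from the blob. On Windows 2000 and later that is what DPAPI (CryptProtectData/CryptUnprotectData in crypt32.dll) provides by tying a blob to the user's or machine's credentials, so a Windows 2000 build would typically get its KEK from there rather than from a file or registry value next to the blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Blob layout, constructed for this example (not a CryptoAPI or Windows format):
//   [0:4]   magic "WKEY"
//   [4:6]   format version, big-endian uint16 (currently 1)
//   [6:18]  12-byte AES-GCM nonce, fresh for every wrap
//   [18:]   AES-GCM ciphertext of the data key, followed by the 16-byte tag
const (
	blobMagic   = "WKEY"
	blobVersion = 1
	nonceSize   = 12
	headerSize  = 4 + 2 + nonceSize
)

// blobPurpose is authenticated as additional data, so a blob wrapped for one
// application or key role cannot be presented as another (hypothetical value).
var blobPurpose = []byte("example-app/aes-data-key")

func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts dataKey under kek and returns the blob to be stored on
// disk or in the registry. The plaintext data key is never written anywhere.
func WrapKey(kek, dataKey []byte) ([]byte, error) {
	switch len(dataKey) {
	case 16, 24, 32: // the valid AES key sizes
	default:
		return nil, errors.New("data key must be 16, 24 or 32 bytes")
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	header := make([]byte, headerSize)
	copy(header, blobMagic)
	binary.BigEndian.PutUint16(header[4:6], blobVersion)
	if _, err := rand.Read(header[6:]); err != nil {
		return nil, err
	}
	// The header is covered by the tag as well, so the version and nonce
	// cannot be altered without detection.
	aad := append(append([]byte{}, header...), blobPurpose...)
	return gcm.Seal(header, header[6:], dataKey, aad), nil
}

// UnwrapKey authenticates and decrypts a blob produced by WrapKey. A wrong
// KEK, a different purpose, or any modified byte yields an error and no key.
func UnwrapKey(kek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < headerSize+gcm.Overhead() || string(blob[:4]) != blobMagic {
		return nil, errors.New("not a wrapped-key blob")
	}
	if v := binary.BigEndian.Uint16(blob[4:6]); v != blobVersion {
		return nil, fmt.Errorf("unsupported blob version %d", v)
	}
	aad := append(append([]byte{}, blob[:headerSize]...), blobPurpose...)
	dataKey, err := gcm.Open(nil, blob[6:headerSize], blob[headerSize:], aad)
	if err != nil {
		return nil, errors.New("wrapped key failed authentication")
	}
	return dataKey, nil
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed demo keys. In a deployment the KEK must come from somewhere
	// the blob's reader cannot simply copy (a credential-bound OS store);
	// generating it beside the blob, as here, is only for the demonstration.
	kek, dataKey := mustRandom(32), mustRandom(16)

	blob, err := WrapKey(kek, dataKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %s\n", len(blob), hex.EncodeToString(blob))

	got, err := UnwrapKey(kek, blob)
	fmt.Printf("unwrap ok: %v, key matches: %v\n", err == nil, bytes.Equal(got, dataKey))

	blob[len(blob)-1] ^= 0x01 // flip one bit of the stored blob
	_, err = UnwrapKey(kek, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The blob is what goes into the file or registry value; the data key exists only in the process that called UnwrapKey, which is the same place the asker's AES context is initialized from a byte buffer.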

