Re: More CryptImportKey/NTE_BAD_KEY issues
From: Cale (Cale_at_discussions.microsoft.com)
Date: Wed, 27 Jul 2005 01:35:05 -0700
Yes, you are correct on all counts, and I figured it was along these lines.
After following the link, however, let me go into a little more detail.
The situation we have involves multiple operators all on the same network
keying data, some of which needs to be encrypted. The decision was made to
generate and maintain a selection of keys to be kept within our own keystore
for encrypting this data. All operators will have universal access to this
keystore and it's being maintained on the same server that they key their
What I need to be able to do, by the company's decision, is generate a key
and store it, encrypted by a public 'master key', in the central file. Any
operator should be able to pull a key from the file and use it. Is there a
way to generate a 3DES encryption key and then export it without using a
public/private key pair as the company does not want to maintain individual
private keys for each of the operators?
If I could give all of the operators access to the same key container on the
server, this would work. Or, if I could allow the operators to import the
session key with the same public key that was used to store it in the
keystore, this would also work.
I realize that a method like this is not the standard for security, but I'm
working with what I've been given here, unfortunately.
"Valery Pryamikov" wrote:
> Sounds like you are using SIMPLEBLOB for your CryptExport/ImportKey (is it correct?).
> If I'm wrong with my guess, then you can skip reading the rest of my post.
> But if my guess is right, then the problem is that your "hardcoded master"
> key is apparently a public key that corresponds to a private key stored on
> computer A in a key container that you are opening with CryptAcquireContext
> (I suspect you are using default container i.e. NULL in pszContainer
> Computer B apparently has a different keypair in that key container, and the
> attempt to import the SIMPLEBLOB fails.
> Check following msdn link for description of how you can exchange session
> keys with CAPI:
> (watch for line breaks)
> "Cale" <Cale@discussions.microsoft.com> wrote in message
> > I have a problem where I've created and stored a key through one machine,
> > I'm now trying to import that key on another machine. All of the code works
> > fine on the first, but on the second I receive the NTE_BAD_KEY error.
> > Or at least I assume so, as GetLastError shows me a code of 80090003, which
> > is supposed to be the NTE_BAD_KEY error even though the CryptImportKey
> > documentation does not show that as a possible error.
> > I am using a hardcoded master key to export a 3DES encryption key into a
> > file, which is then read to provide the encryption/decryption key for my
> > application. Again, all of this code works fine on machine A but fails on
> > machine B during the CryptImportKey routine.
> > CryptAcquireContext works just fine on machine B, and the hardcoded master
> > key imports without errors, and that machine can generate and export its own
> > encryption keys with that master key, yet it still fails on the
> > CryptImportKey routine even on keys that it generated itself.
> > Further, I can take a key that was created and exported on machine B and get
> > machine A to import it without problems. Both machines are running Windows
> > 2000 professional and both have SP4 installed.
> > What could be causing machine B to fail on the CryptImportKey routine even
> > with keys that it generated itself?