Re: More CryptImportKey/NTE_BAD_KEY issues

From: Cale (Cale_at_discussions.microsoft.com)
Date: 07/27/05

  • Next message: rkollerer: "Loopback Adapter under Server 2003 SP1"
    Date: Wed, 27 Jul 2005 01:35:05 -0700
    
    

    Yes, you are correct on all counts, and I figured it was along these lines.
    After following the link, however, let me go into a little more detail.

    The situation we have involves multiple operators all on the same network
    keying data, some of which needs to be encrypted. The decision was made to
    generate and maintain a selection of keys to be kept within our own keystore
    for encrypting this data. All operators will have universal access to this
    keystore and it's being maintained on the same server that they key their
    work from.

    What I need to be able to do, by the company's decision, is generate a key
    and store it, encrypted by a public 'master key', in the central file. Any
    operator should be able to pull a key from the file and use it. Is there a
    way to generate a 3DES encryption key and then export it without using a
    public/private key pair as the company does not want to maintain individual
    private keys for each of the operators?

    If I could give all of the operators access to the same key container on the
    server, this would work. Or, if I could allow the operators to import the
    session key with the same public key that was used to store it in the
    keystore, this would also work.

    I realize that a method like this is not the standard for security, but I'm
    working with what I've been given here, unfortunately.

    "Valery Pryamikov" wrote:

    > Hi,
    > Sounds like you are using SIMPLEBLOB for your CryptExportKey/CryptImportKey
    > (is that correct?).
    > If I'm wrong with my guess, then you can skip reading the rest of my post.
    > But if my guess is right, then the problem is that your "hardcoded master"
    > key is apparently a public key that corresponds to a private key stored on
    > computer A in a key container that you are opening with CryptAcquireContext
    > (I suspect you are using the default container, i.e. NULL in the pszContainer
    > parameter).
    > Computer B apparently has a different key pair in that key container, and the
    > attempt to import the SIMPLEBLOB fails.
    > Check following msdn link for description of how you can exchange session
    > keys with CAPI:
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/manual_session_key_exchanges.asp
    >
    > (watch for line breaks)
    > -Valery.
    > http://www.harper.no/valery
    >
    > "Cale" <Cale@discussions.microsoft.com> wrote in message
    > news:A65CACBC-9122-4BAD-B8DF-AF2253DE03BB@microsoft.com...
    > > I have a problem where I've created and stored a key through one machine,
    > > and I'm now trying to import that key on another machine. All of the code
    > > works fine on the first, but on the second I receive the NTE_BAD_KEY error.
    > >
    > > Or at least I assume so, as GetLastError shows me a code of 80090003, which
    > > is supposed to be the NTE_BAD_KEY error even though the CryptImportKey
    > > documentation does not show that as a possible error.
    > >
    > > I am using a hardcoded master key to export a 3DES encryption key into a
    > > file, which is then read to provide the encryption/decryption key for my
    > > application. Again, all of this code works fine on machine A but fails on
    > > machine B during the CryptImportKey routine.
    > >
    > > CryptAcquireContext works just fine on machine B, and the hardcoded master
    > > key imports without errors, and that machine can generate and export its
    > > own encryption keys with that master key, yet it still fails on the
    > > CryptImportKey routine even on keys that it generated itself.
    > >
    > > Further, I can take a key that was created and exported on machine B and
    > > get machine A to import it without problems. Both machines are running
    > > Windows 2000 Professional and both have SP4 installed.
    > >
    > > What could be causing machine B to fail on the CryptImportKey routine even
    > > with keys that it generated itself?
    >
    >
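
Editor's note, added to the thread and not part of either poster's message: the diagnosis above (a SIMPLEBLOB is wrapped under the exchange public key of whichever container CryptAcquireContext opened, and the NULL default container is per user and per machine) and Cale's fallback ("give all of the operators access to the same key container on the server") can both be reproduced from PowerShell. The example below is mine, not code from the thread. It uses .NET's RSACryptoServiceProvider and CspParameters, which are thin wrappers over the same CAPI key containers: UseMachineKeyStore stands in for the CRYPT_MACHINE_KEYSET flag, KeyNumber 1 for AT_KEYEXCHANGE, and Encrypt(..., $false) for the PKCS#1 v1.5 wrapping that CryptExportKey(SIMPLEBLOB) performs. The container name OpsKeystoreKEK, the throwaway container name and the file path under $env:TEMP are illustrative assumptions; it needs Windows PowerShell on a Windows host, since there is no CAPI elsewhere.

```powershell
# Added example, not from the original thread. Windows PowerShell (full .NET Framework),
# because RSACryptoServiceProvider/CspParameters sit directly on top of CAPI key containers.
# Assumed/illustrative names: container 'OpsKeystoreKEK', throwaway container
# 'ThrowawayContainer', and the keystore file under $env:TEMP.

function Get-SharedExchangeKey {
    param([string]$ContainerName = 'OpsKeystoreKEK')
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.ProviderType     = 1              # PROV_RSA_FULL (Microsoft RSA CSP family)
    $csp.KeyContainerName = $ContainerName # a named container, never the NULL/default one
    $csp.KeyNumber        = 1              # KeyNumber.Exchange = AT_KEYEXCHANGE (what SIMPLEBLOB needs)
    # Machine store = CRYPT_MACHINE_KEYSET: one key pair per server, visible to every
    # account on it, instead of one key pair per user profile (the default store).
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    # Opens the container if it exists, otherwise creates it with a fresh 2048-bit key pair.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
}

function New-WrappedDataKey {
    # Generates a 3DES data key and wraps it under the exchange key's public half,
    # the same PKCS#1 v1.5 encryption CryptExportKey(..., SIMPLEBLOB) applies.
    param([System.Security.Cryptography.RSACryptoServiceProvider]$Kek)
    $tdes = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
    $tdes.KeySize = 192
    $tdes.GenerateKey()
    [PSCustomObject]@{
        Plain   = $tdes.Key
        Wrapped = $Kek.Encrypt($tdes.Key, $false)   # $false = PKCS#1 v1.5, not OAEP
    }
}

function Unwrap-DataKey {
    # Needs the private half, i.e. the very container the key was wrapped under.
    param([System.Security.Cryptography.RSACryptoServiceProvider]$Kek, [byte[]]$Wrapped)
    ,$Kek.Decrypt($Wrapped, $false)   # leading comma keeps the byte[] from being unrolled
}

$keystore = Join-Path $env:TEMP 'datakey1.bin'   # stands in for the central keystore file

# Operator (or machine) A: create the data key and store only its wrapped form.
$kekA = Get-SharedExchangeKey
$info = $kekA.CspKeyContainerInfo
'Container {0}: machine store={1}, unique name={2}' -f $info.KeyContainerName, $info.MachineKeyStore, $info.UniqueKeyContainerName
$dataKey = New-WrappedDataKey -Kek $kekA
[IO.File]::WriteAllBytes($keystore, $dataKey.Wrapped)

# Operator B on the same server: opening the same named machine container yields the
# same key pair, so the stored blob unwraps to the identical 3DES key.
$kekB = Get-SharedExchangeKey
$recovered = Unwrap-DataKey -Kek $kekB -Wrapped ([IO.File]::ReadAllBytes($keystore))
'Same 3DES key recovered: {0}' -f ([Convert]::ToBase64String($recovered) -eq [Convert]::ToBase64String($dataKey.Plain))

# The failure from the thread: a different container holds a different key pair, and
# unwrapping the same blob under it fails (CAPI surfaces this as NTE_BAD_KEY, 0x80090003).
$other = Get-SharedExchangeKey -ContainerName 'ThrowawayContainer'
try {
    Unwrap-DataKey -Kek $other -Wrapped $dataKey.Wrapped | Out-Null
    'Unexpected: blob unwrapped under the wrong key pair'
} catch [System.Security.Cryptography.CryptographicException] {
    'Unwrap under a different key pair failed as expected: {0}' -f $_.Exception.Message
} finally {
    $other.PersistKeyInCsp = $false   # delete the throwaway container on dispose
    $other.Clear()
}
```

In the native code from the thread the equivalent change is to pass a container name and CRYPT_MACHINE_KEYSET to CryptAcquireContext on every operator's session, so that each of them opens the one server-wide exchange key pair instead of a per-user default container; the operators' accounts then need access to that machine key container (in .NET the ACL can be supplied at creation through CspParameters.CryptoKeySecurity). The caveat is the one Cale already names: this moves the trust boundary to the container, so anyone who can open it can unwrap every data key in the central file, and protecting that container is where the real security of the scheme now lives.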

