Re: CryptoApi Certificate based File Encryption
From: lelteto (lelteto_at_discussions.microsoft.com)
Date: 08/02/05
- Next message: Egbert Nierop (MVP for IIS): "Re: What about this?"
- Previous message: John Carey: "Re: CryptoApi Certificate based File Encryption"
- In reply to: John Carey: "Re: CryptoApi Certificate based File Encryption"
- Next in thread: Michel Gallant: "Re: CryptoApi Certificate based File Encryption"
- Reply: Michel Gallant: "Re: CryptoApi Certificate based File Encryption"
Date: Tue, 2 Aug 2005 08:09:03 -0700
The proper use is (what you mentioned):
- get the public key from the cert (after verifying the cert chain)
- import it into CAPI
  (you would need to properly format a key blob;
  take care of reversing the BYTE ORDER)
- generate a random session key (CryptGenKey)
  the algo should either be AES (if all computers are XP or Win2003) or 3DES
- export the generated session key wrapped with the public key
- encrypt your data (file) using the session key
- send the encrypted data AND the wrapped session key (key blob) to the
  recipient

The recipient will:
- open the container containing the private key
- import the wrapped session key
  (that would decrypt the session key and make it ready to decrypt data)
- decrypt the data with the imported session key

Laszlo Elteto
SafeNet, Inc.
"John Carey" wrote:
> Narendra
>
> Thanks for the post. We will most likely be using
> a centralized private CA with Certs distributed by CD-Rom.
>
> Do you know of any sample apps that show how to encrypt
> with a public key and decrypt with a private key?
> I was told the proper way to do this is to create a random session
> key and encrypt that key with the user's public key.
> There is little documentation on this in MSDN.
>
> Thanks
>
> John
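
The "format a key blob, reverse the byte order" step from the reply above, as an added example that is not part of the original post: it lays out a PUBLICKEYBLOB for CryptImportKey from the big-endian RSA modulus and exponent taken from a certificate. The function and macro names are hypothetical (the constants mirror the wincrypt.h values so the block compiles without the Windows SDK), and it assumes the modulus is a whole number of bytes with its top bit set.

```c
#include <stdint.h>
#include <stddef.h>

/* Values of the wincrypt.h constants, redefined under local (hypothetical) names. */
#define BLOB_PUBLICKEY 0x06        /* PUBLICKEYBLOB */
#define BLOB_VERSION   0x02        /* CUR_BLOB_VERSION */
#define ALG_RSA_KEYX   0x0000A400u /* CALG_RSA_KEYX */
#define RSA1_MAGIC     0x31415352u /* "RSA1" */

/* Store a 32-bit value little-endian, independent of host byte order. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a PUBLICKEYBLOB from a big-endian modulus (as stored in the
 * certificate's RSAPublicKey) and public exponent.
 * Returns the blob length, or 0 on bad input or a too-small buffer. */
size_t build_public_key_blob(const uint8_t *mod_be, size_t mod_len,
                             uint32_t pubexp, uint8_t *out, size_t out_cap) {
    if (!mod_be || !out) return 0;
    /* A DER INTEGER carries a leading 0x00 when the top bit is set; drop it. */
    while (mod_len > 0 && mod_be[0] == 0x00) { mod_be++; mod_len--; }
    if (mod_len == 0 || mod_len > 0x1FFFFFFF) return 0;
    size_t total = 8 + 12 + mod_len;  /* BLOBHEADER + RSAPUBKEY + modulus */
    if (out_cap < total) return 0;

    out[0] = BLOB_PUBLICKEY;          /* bType */
    out[1] = BLOB_VERSION;            /* bVersion */
    out[2] = out[3] = 0;              /* reserved */
    put_le32(out + 4, ALG_RSA_KEYX);  /* aiKeyAlg */
    put_le32(out + 8, RSA1_MAGIC);    /* magic */
    put_le32(out + 12, (uint32_t)(mod_len * 8)); /* bitlen */
    put_le32(out + 16, pubexp);       /* pubexp */
    /* CAPI expects the modulus little-endian: reverse the byte order. */
    for (size_t i = 0; i < mod_len; i++)
        out[20 + i] = mod_be[mod_len - 1 - i];
    return total;
}
```

The same reversal applies in the other direction when the wrapped session key from a SIMPLEBLOB has to be handed to a non-CAPI RSA implementation, which expects big-endian ciphertext.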