RE: Confused by CryptoAPI
- From: lelteto <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 May 2006 09:04:02 -0700
First of all, the server should not sign the KEY itself. If it does, ANYBODY
(with the public key) would be able to decrypt it and recover the negotiated
secret session key. (I assume RSA where sign/verify is the same mod-exp
operation ans decrypt/encrypt) You should send a random salt (encrypted by
the session key) and get that signed. In that case if the signature of the
salt is OK you know that the server was able to use the session key (to
decrypt the salt).
When you generate keypair you AT_KEYEXCHANGE parameter; where you generate
the symmetric session key you use some other ALG_ID. (whetever algo you want
to use eg. AES, 3DES, RC4 etc.)
You use CryptImportKey to get a handle for the server's public key.
WARNING: You would need to re-format the key - byte swap - because normally
you get the public key from a certificate in network byte order (big endian)
while CAPI uses little endian.
You use CryptExportKey with the wrapping key the server's public key to
export the session key. Again, if the other side is not CAPI you would need
to do byte-swapping.
You use CryptEncrypt/Decrypt with the symmetric session key. In your setup
you don't "encrypt" your symmetric key to be sent to the server; you are
"wrapping" it with CryptExportKey.
Hope this helps.
Laszlo Elteto
SafeNet, Inc.
"nde_plume@xxxxxxxxxx" wrote:
I have been looking at the CryptoAPI for a while and remain a little.
confused as to how it all plugs together. Basically, what I want to do
is:
1. Client asks in clear for a public key from server, and server sends
it
2. Client generates a symmetric key on a client, encrypts it with a
public key and send this to the server.
3. The server decrypts this, and signs the key with the private key,
and sends it back to the client.
4. The client verifies the signature.
5. Now client and server communicate over the symmetric key generated
in 2 above.
This seems pretty straightforward to me, however, the CryptoAPI seems
like a maze of complicated options. The functions I need are:
Generate a public key
CryptGenKey I believe
Get a clear representation of the key that can be loaded on the client
end
Seems to be CryptExportKey but not sure
Generate a symmetric key
CryptGenKey I think, but how does this differ from generating an
asymmetric key?
Encrypt data with a public key
CryptEncrypt I think, but I am not sure if it uses the symmetric key
or the asymmetric key
Sign data with private key
CryptSignHash
Verify data with public key
CryptVerifySignature
Encrypt and decrypt with symmetric key.
Again, not sure, is this CryptEncrpyt and CryptDecrypt -- which key
does it use?
Where my confusion is, is that the API seems to put asymmetric and
symmetric keys into one function, and I am not sure what does which.
For example, when I call CryptEncrypt does it encrypt with the
symmetric key or the public key? When looking at the service provider
types, each one specifies both asymmetric crypto and symmetric. Which
does it use?
MY head hurts, any help would be much appreciated.
- Follow-Ups:
- Re: Confused by CryptoAPI
- From: Alun Jones
- Re: Confused by CryptoAPI
- References:
- Confused by CryptoAPI
- From: nde_plume
- Confused by CryptoAPI
- Prev by Date: Simple CertDllOpenStoreProv makes IE importing PFX failed without reason
- Next by Date: SSL SSPI ClientCertificate
- Previous by thread: Confused by CryptoAPI
- Next by thread: Re: Confused by CryptoAPI
- Index(es):
Relevant Pages
|
