Re: CryptImportKey getting invalid ALGID

Hi Timothy,

Sorry for letting you wait. I am sick at home yesterday.

After several discussion with other security experts, I think what you got
from your customer is a plain text session key data, which is not encrypted
at all. Your original code logic just copies this plain text session key
data into "encryptedkey" field of "Simple Key BLOBs", which is not correct.

This is because you can't just replace what is supposed to be the
"encryptedkey" value with the customer's session key. The "encryptedkey"
value will need to be decrypted with the private key to obtain the key
material. It's not just random data. Your session key must be contained in
the 'Key Material' field before encryption.

To import a plain text session key data, we should use the technology
described in the article below:
"How to export and import plain text session keys by using CryptoAPI"
http://support.microsoft.com/kb/q228786/

However, there was a limitation to this technique because it limited the
key to the key algorithm size. That is a maximum length of 32 bytes if you
use an AES 256 key algorithm. On WinXP and above we removed this limit
with the CRYPT_IPSEC_HMAC_KEY flag. With this flag the key can be any
size. In the RFC 2002 test cases, some keys are 80 bytes long which would
have been impossible with CryptoAPI on Windows 2000. CRYPT_IPSEC_HMAC_KEY
fixes that problem.

Here is a code snippet your customer can use to get an HCRYPTKEY handle
with the raw key data.
typedef struct _PLAINTEXTKEYBLOBSTRUCT {
BLOBHEADER bh;
DWORD dwKeyLen;
} PLAINTEXTKEYBLOBSTRUCT;

HCRYPTKEY ImportKey(HCRYPTPROV hProv, BYTE *key, int keylen)
{
PLAINTEXTKEYBLOBSTRUCT *KeyBlob=NULL;
HCRYPTKEY hKey = NULL;

KeyBlob =(PLAINTEXTKEYBLOBSTRUCT *)LocalAlloc(LPTR,
sizeof(PLAINTEXTKEYBLOBSTRUCT) + keylen);
if (KeyBlob == NULL) {
return NULL;
}

KeyBlob->bh.bType = PLAINTEXTKEYBLOB;
KeyBlob->bh.bVersion=CUR_BLOB_VERSION;
KeyBlob->bh.reserved=0;
KeyBlob->bh.aiKeyAlg=CALG_RC2;
KeyBlob->dwKeyLen=(DWORD)keylen;
memcpy(KeyBlob +1,key,keylen);

CryptImportKey(hProv,
(BYTE*) KeyBlob,
sizeof(PLAINTEXTKEYBLOBSTRUCT),
0,
CRYPT_IPSEC_HMAC_KEY,
&hKey) ;

LocalFree(KeyBlob);
return hKey;
}
Hope this helps!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

Relevant Pages

  • Re: CryptImportKey getting invalid ALGID
    ... Your original code logic just copies this plain text session key ... } PLAINTEXTKEYBLOBSTRUCT; ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.platformsdk.security)
  • RE: Dynamic Data Entities, Foreign Key and DynamicControl - value is null
    ... and display details of that customer. ... Microsoft Online Support ... or a Microsoft Support Engineer within 2 business day is acceptable. ... Engineer by contacting Microsoft Customer Support Services at ...
    (microsoft.public.dotnet.framework.aspnet)
  • RE: Validation error does not block the gui - .net 2.0
    ... In my opinion, if you doesn't want customer to edit data by dataGridView, ... The MSDN Managed Newsgroup support offering is for non-urgent issues ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.dotnet.framework.adonet)
  • Re: SqlDataSource
    ... customer ID from the dropdownlist). ... Microsoft MSDN Online Support Lead ... where an initial response from the community or a Microsoft Support ... project analysis and dump analysis issues. ...
    (microsoft.public.dotnet.general)
  • RE: Interesting field problem
    ... We use the AUTOTEXTLIST field in our AddIn. ... The customer thought it was gone. ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.office.developer.com.add_ins)