From: Michael Howard [mikehow@microsoft.com]
Sent: Wednesday, November 06, 2002 1:58 PM
To: Jason Lavigne; secprog@securityfocus.com
Subject: RE: Import/Export a plain text key in/out of CAPI

Use CryptDeriveKey

Here's some code from Writing Secure Code:

// get the symmetric exchange key used to encrypt the key
// this is a bogus stub example function - you would usually
// get the key from somewhere secure, or from the user
void GetExchangeKey(HCRYPTPROV hProv,HCRYPTKEY *hXKey) {
	HCRYPTHASH hHash;
	BYTE bKey[] = "176sjxmal";

	if (!CryptCreateHash(hProv,CALG_SHA1,0,0,&hHash))
		throw GetLastError();

	if (!CryptHashData(hHash,bKey,sizeof bKey,0))	
		throw GetLastError();

	if
(!CryptDeriveKey(hProv,CALG_3DES_112,hHash,CRYPT_EXPORTABLE,hXKey))
		throw GetLastError();
}

void main() {

	HCRYPTPROV hProv = NULL;
	HCRYPTKEY  hKey  = NULL;
	HCRYPTKEY  hExchangeKey  = NULL;
	LPBYTE	   pbKey = NULL;

	try {
		if
(!CryptAcquireContext(&hProv,NULL,NULL,PROV_RSA_FULL,CRYPT_VERIFYCONTEXT
))
			throw GetLastError();

		if
(!CryptGenKey(hProv,CALG_3DES_112,CRYPT_EXPORTABLE,&hKey))
			throw GetLastError();

		GetExchangeKey(hProv,&hExchangeKey);

		DWORD dwLen = 0;
		if
(!CryptExportKey(hKey,hExchangeKey,SYMMETRICWRAPKEYBLOB,0,NULL,&dwLen))
			throw GetLastError();

		pbKey = new BYTE[dwLen];
		ZeroMemory(pbKey,dwLen);

		if
(!CryptExportKey(hKey,hExchangeKey,SYMMETRICWRAPKEYBLOB,0,pbKey,&dwLen))
			throw GetLastError();

		cout << "Cool, " << dwLen << " byte wrapped key is
exported." << endl;

		// write shrouded key to key.bin, overwrite if needed
		ofstream file("c:\\key.bin",ios_base::binary);
		file.write(reinterpret_cast<const char *>(pbKey),dwLen);
		file.close();

	} catch(DWORD e) {
		cerr << "Error " << e << hex << " " << e << endl;
	}

	// clean-up
	if (hExchangeKey)  CryptDestroyKey(hExchangeKey);
	if (hKey)  CryptDestroyKey(hKey);
	if (hProv) CryptReleaseContext(hProv,0);
	if (pbKey) delete [] pbKey;
}

Cheers, Michael
Secure Windows Initiative
Writing Secure Code 
http://www.microsoft.com/mspress/books/5612.asp


-----Original Message-----
From: Jason Lavigne [mailto:jlavigne@bwlogic.com] 
Sent: Wednesday, November 06, 2002 8:03 AM
To: secprog@securityfocus.com
Subject: Import/Export a plain text key in/out of CAPI




Hello all,



I would like to do one of two things and was hoping that I could find
the 

answer here.



I am using Microsoft's CAPI and would like to either:



a)	import my own plain text key in to CAPI to be encrypted using 

CryptExportKey(hDesKey, hServerPubRSAKey, SIMPLEBLOB, ...)

b)	export a random key as plain text that was generated using 

CryptGenKey



The reason I would like to do this is I am not using DES that comes with


CAPI, instead I am using DES that is included in Crypto++ 

(http://www.eskimo.com/~weidai/cryptlib.html) and would like to use RSA 

from CAPI to encrypt the DES key using our x.509 certificate. Any ideas?



TIA



Jason Lavigne