List:       ms-cryptoapi
Subject:    Re: Pass through to MS CSP using hardware-generated keys?
From:       "Nelson, Dan" <dan.nelson () INTEL ! COM>
Date:       1999-07-29 17:29:12


Jeff,

Thanks for the prompt answer. The workaround described in the KB article is
interesting.

The problem with the asymmetric key workaround that you described is that
the keys are not protected while they are in use. One point of keeping the
keys in hardware tokens would be the fact that the hardware can offer
stronger protection than software. It would compromise this protection to
write the key pairs to the registry every time they were used and then erase
them when finished.

---------------------------------
Dan Nelson <dan.nelson@intel.com>
SW Eng.  PSD

-----Original Message-----
From: Jeff Spelman (Exchange) [mailto:jeffspel@EXCHANGE.MICROSOFT.COM]
Sent: Thursday, July 29, 1999 8:41 AM
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: Re: Pass through to MS CSP using hardware-generated keys?


Dan
   There is no direct way to import/export symmetric keys into the MS
providers, but there is a Knowledge Base article (Q228786) on working around
this issue.  You could work around your issue with persisted asymmetric keys
by importing the private key, using it, deleting the key container (which
deletes the persisted key).
Thanks Jeff

-----Original Message-----
From: Nelson, Dan
Sent: Wednesday, July 28, 1999 3:20 PM
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: Pass through to MS CSP using hardware-generated keys?


Is it possible to write a CSP that uses hardware (such as a token or smart
card) to generate and hold cryptographic keys securely, but uses the
Microsoft default CSP to carry out cryptographic operations using them?

The problem seems to be how to get the keys into the base CSP for
processing. Symmetric keys are a problem because they can't be exported for
import into the MS CSP unless they are encrypted with a public key that
belongs to a key pair held by the base CSP. Key pairs are problematic in
that once imported, the MS base CSP makes them persistent in the registry
(which would remove any advantage to storing them securely in hardware).

Any information regarding how I might be able to get around these problems
would be appreciated!

Thanks.

--------------------------------------------------------
Dan Nelson <mailto:dan.no.nelson.spam@intel.com>
(to email me directly, please remove the 'no' and 'spam'
from my email address)

----------------------------------------------------------------
Users Guide http://msdn.microsoft.com/workshop/essentials/mail.asp
contains important info including how to unsubscribe.  Save time, search
the archives at http://discuss.microsoft.com/archives/index.html
