Important: |
---|
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
A key binary large object (key BLOB) provides a way to store a key outside of the cryptographic service provider (CSP). A key BLOB is used as the medium that adds a layer of security when transferring a key from one provider to another. A key BLOB is more secure because it is encrypted with the key exchange public key of the intended recipient. To enhance security, a key is sometimes signed with the key exchange private key of the originating user.
A key BLOB consists of a standard header followed by data that represents the key itself. Key BLOBs exist in three forms: simple, public, and private.
A simple key BLOB, known as a SIMPLEBLOB, is a session key that has been encoded with the public key exchange key of the destination user. Key exchange keys are used to encode session keys so they can be stored with an additional layer of safety and exchanged with other users. This type of key BLOB is used when storing a session key or transmitting a session key to another user. For more information about key exchange, see Exporting Cryptographic Keys.
A public key BLOB, known as PUBLICKEYBLOB, contains the public key portion of a public/private key pair. Unlike simple key BLOBs, these are not encrypted.
A private key BLOB, known as PRIVATEKEYBLOB, contains one complete public/private key pair. Administrative applications use key BLOBs to distribute and transport public/private key pairs. For example, a private key BLOB transports key pairs between a network administrator's computer and a user's computer, or between a user's desktop computer and a laptop computer. These key BLOBs can also be used by advanced applications to store key pairs, rather than relying on the CSP's storage mechanism.
Base and Extended Provider Key BLOBs
The Base Provider and Extended Provider use the same key BLOBs, as follow:
- Public-key BLOBs
Public-key BLOBs, type PUBLICKEYBLOB, are used to store public keys outside a CSP. Extended provider public-key BLOBs have the following format.
Copy Code PUBLICKEYSTRUC publickeystruc; RSAPUBKEY rsapubkey; BYTE modulus[rsapubkey.bitlen/8];
Field Description publickeystruc
A PUBLICKEYSTRUCstructure.
rsapubkey
A RSAPUBKEYstructure. The magic member must be set to 0x31415352. This hex value is the ASCII encoding of RSA1.
modulus
The public-key modulus data is located directly after the RSAPUBKEYstructure. The size of this data will vary, depending on the size of the public key. The number of bytes can be determined by dividing the value of the RSAPUBKEY bitlenmember by eight.
Note: Public-key BLOBs are not encrypted. They contain public keys in plaintext form. - Private-key BLOBs
Private-key BLOBs, type PRIVATEKEYBLOB, are used to store private keys outside a CSP. Extended provider private-key BLOBs have the following format.
Copy Code PUBLICKEYSTRUC publickeystruc; RSAPUBKEY rsapubkey; BYTE modulus[rsapubkey.bitlen/8]; BYTE prime1[rsapubkey.bitlen/16]; BYTE prime2[rsapubkey.bitlen/16]; BYTE exponent1[rsapubkey.bitlen/16]; BYTE exponent2[rsapubkey.bitlen/16]; BYTE coefficient[rsapubkey.bitlen/16]; BYTE privateExponent[rsapubkey.bitlen/8];
Field Description publickeystruc
A PUBLICKEYSTRUC.
rsapubkey
A RSAPUBKEYstructure. The magic member must be set to 0x32415352. This hex value is the ASCII encoding of RSA2.
Modulus
The modulus. This has a value of prime1 * prime2 and is often known as n.
prime1
Prime number 1, often known as p.
prime2
Prime number 2, often known as q.
exponent1
Exponent 1. This has a numeric value of d mod (p - 1).
exponent2
Exponent 2. This has a numeric value of d mod (q - 1).
coefficient
Coefficient. This has a numeric value of (inverse of q mod p).
privateExponent
Private exponent, often known as d.
Note: These fields correspond to the fields described in section 7.2 of Public-Key Cryptography Standards (PKCS #1 with minor differences).
When calling CryptExportKeythe developer can choose whether or not to encrypt the key. The PRIVATEKEYBLOB is encrypted if the hExpKeyparameter contains a valid handle to a session key. Everything but the PUBLICKEYSTRUCportion of the BLOB is encrypted. The encryption algorithm and encryption key parameters are not stored along with the private-key BLOB. The application must manage and store this information. If zero is passed for hExpKey, the private key will be exported without encryption.
Note: It is dangerous to export private keys without encryption because they are then vulnerable to interception and use by unauthorized entities. - Simple-key BLOBs
Simple key BLOBs, type SIMPLEBLOB, are used to store and transport session keys outside a CSP. Extended provider simple-key BLOBs are always encrypted with a key exchange public key. The pbDatamember of the SIMPLEBLOB is a sequence of bytes in the following format.
Copy Code PUBLICKEYSTRUC publickeystruc ; ALG_ID algid; BYTE encryptedkey[rsapubkey.bitlen/8];
The encrypted session key data is in the form of a PKCS #1, type 2 encryption block. For details on this data format, see the Public-Key Cryptography Standards (PKCS) published by RSA Data Security, Inc.
This data is always the same size as the public key's modulus. For example, public keys generated by the Microsoft RSA Base Provider can be 512 bits (64 bytes in length, so, in that case, the encrypted session key data is also 512 bits, or 64 bytes).
See Also
Reference
PUBLICKEYSTRUCConcepts
Using Basic Cryptography ServicesMicrosoft Cryptographic System
Other Resources
CryptographyCertificates