How to deal with plaintext keys using CNG?

Submitted by 自闭症网瘾萝莉.ら on 2020-01-02 07:06:13

Question


I have a set of predefined plaintext keys that I use for symmetric encryption/decryption. These keys are used for encrypted communication with hardware devices connected to a PC. I would like to use a CNG key storage provider to securely store these keys. Encryption and decryption must be done outside of CNG. I only need a secure place where to store and from where to retrieve my predefined plaintext keys. Over the last few days I have studied the CNG functions reference but couldn't find any way to import/export a plaintext symmetric key identified by name into a CNG key container.

I know that CryptoAPI provides functions to import/export session keys. But this old API doesn't provide persistent (session) keys and no way to select/identify keys by name within a key container.

Any help is heavily appreciated. Thanks in advance.


Answer 1:


I'm afraid you're out of luck for getting a direct solution, as the CNG key storage providers currently support asymmetric keys but not symmetric keys. Only primitive providers support symmetric keys.

This model is geared towards asymmetric keys being the ones that have to be protected in the long term, with symmetric keys being used only for one session and then thrown away. Those symmetric keys might be derived from an asymmetric key such as Diffie-Hellman or ECDH.

You say that you want the keys stored securely, but that the encryption/decryption is done outside CNG. Depending on what threats you are trying to defend against, this may not be the right approach. Normally if you are storing keys in a key storage provider, you want the crypto operations done inside the key storage provider, and don't want the keys ever to leave it (except encrypted by another key), as that exposes the key material to an attacker.

However, if you're sure this is what you want, one option would be to generate an RSA key in your key storage provider, and use it to encrypt and decrypt the symmetric keys. You would store the encrypted symmetric key blobs elsewhere, e.g. in the filesystem.
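The wrapping scheme the answer proposes, as an added example that is not part of the original post: a persisted, non-exportable RSA key is created by name in the Microsoft Software Key Storage Provider, and each predefined symmetric key is RSA-OAEP encrypted with it before being written to the filesystem; at run time the blob is read back and decrypted inside the KSP. It uses the .NET CNG wrappers (`CngKey`, `RSACng`) that call `NCryptCreatePersistedKey`, `NCryptEncrypt` and `NCryptDecrypt` underneath, so it runs as-is in Windows PowerShell 5.1 or pwsh on Windows. The key name, the blob path and the 32-byte sample key are assumptions chosen for this example.

```powershell
# Added example (not from the original post): wrap a plaintext symmetric key
# with a persisted RSA key that lives in the Microsoft Software KSP.
# $KeyName and $BlobPath are arbitrary values chosen for this example.
$KeyName  = 'ExampleDeviceKeyWrapper'
$BlobPath = Join-Path $env:TEMP 'device-key.wrapped'

function Get-WrappingKey {
    # Open the named RSA key from the KSP, or create it on first use.
    param([string]$Name)
    if ([System.Security.Cryptography.CngKey]::Exists($Name)) {
        return [System.Security.Cryptography.CngKey]::Open($Name)
    }
    $p = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $p.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    # KeyCreationOptions None = persisted key (not an ephemeral in-memory key).
    $p.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::None
    # ExportPolicy None = the private key can never be exported from the KSP.
    $p.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
    # NCRYPT_LENGTH_PROPERTY ("Length") selects a 2048-bit modulus.
    $lenBytes = [BitConverter]::GetBytes([int]2048)
    $p.Parameters.Add((New-Object System.Security.Cryptography.CngProperty('Length', $lenBytes, 'None')))
    return [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::Rsa, $Name, $p)
}

function Protect-SymmetricKey {
    # RSA-OAEP(SHA-256) wrap: only the public half is used, so this can run
    # anywhere the key exists. Returns the opaque blob to store on disk.
    param([byte[]]$PlainKey, [string]$Name)
    $rsa = [System.Security.Cryptography.RSACng]::new((Get-WrappingKey $Name))
    try {
        return $rsa.Encrypt($PlainKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    } finally { $rsa.Dispose() }
}

function Unprotect-SymmetricKey {
    # Decryption happens inside the KSP; the RSA private key never enters
    # this process, but the recovered symmetric key does (see note below).
    param([byte[]]$WrappedKey, [string]$Name)
    $rsa = [System.Security.Cryptography.RSACng]::new([System.Security.Cryptography.CngKey]::Open($Name))
    try {
        return $rsa.Decrypt($WrappedKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    } finally { $rsa.Dispose() }
}

# --- Demo with a constructed 32-byte device key (sample data, not a real key) ---
$deviceKey = [byte[]](1..32)

# Provisioning step: wrap the predefined key and store only the blob.
$blob = Protect-SymmetricKey -PlainKey $deviceKey -Name $KeyName
[IO.File]::WriteAllBytes($BlobPath, $blob)
[Array]::Clear($deviceKey, 0, $deviceKey.Length)   # drop the plaintext copy

# Run-time step: read the blob back and recover the key through the KSP.
$recovered = Unprotect-SymmetricKey -WrappedKey ([IO.File]::ReadAllBytes($BlobPath)) -Name $KeyName
$ok = [Linq.Enumerable]::SequenceEqual([byte[]]$recovered, [byte[]](1..32))
"Wrapped blob: $($blob.Length) bytes; round-trip OK: $ok"

# Use $recovered for your own AES/whatever routine, then clear it promptly.
[Array]::Clear($recovered, 0, $recovered.Length)
```

A 2048-bit RSA-OAEP/SHA-256 wrap holds up to 190 bytes of plaintext, which comfortably covers 128- or 256-bit symmetric keys. The blob on disk is useless without access to the named KSP key, and the software KSP protects that key per user account by default, so the blob's confidentiality reduces to the access control on the KSP key. As the answer warns, this does not change the fact that the plaintext symmetric key exists in your process memory whenever you use it; the wrapper only protects it at rest.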



Source: https://stackoverflow.com/questions/26739583/how-to-deal-with-plaintext-keys-using-cng
