Share via


CryptEncrypt

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

This function encrypts data. The key held by the cryptographic service provider (CSP) and referenced by the hKey parameter specifies the algorithm used to encrypt the data parameter.

Syntax

BOOL CRYPTFUNC CryptEncrypt( 
  HCRYPTKEY hKey,
  HCRYPTHASH hHash, 
  BOOL Final, 
  DWORD dwFlags, 
  BYTE* pbData,
  DWORD* pdwDataLen, 
  DWORD dwBufLen
);

Parameters

  • hHash
    [in] HCRYPTHASH is a handle to a hash object. If data is hashed and encrypted simultaneously, a handle to a hash object can be passed in the hHash parameter. The hash value is updated with the plaintext passed in. This option is useful when generating signed and encrypted text.

    Before calling the CryptEncrypt function, the application must obtain a handle to the hash object by calling the CryptCreateHash function. After the encryption is complete, the hash value can be obtained through the CryptGetHashParam function or the hash can be signed using the CryptSignHash function.

    If hashing is not required, this parameter must be set to zero.

  • Final
    [in] Boolean value that specifies whether this is the last section in a series being encrypted. The value is TRUE if this is the last or only block, and FALSE if it is not. For more information, see the Remarks section.
  • dwFlags
    [in] Reserved for future use and must be set to zero.
  • pbData
    [in, out] On input, pointer to the buffer that holds the data to be encrypted. On output, after the encryption has been performed, the encrypted data is placed back in this same buffer.

    The size of this buffer is specified by dwBufLen. The number of bytes of data to be encrypted is specified by pdwDataLen.

    This parameter can be NULL if you want to determine the number of bytes required for the returned data.

  • pdwDataLen
    [in, out] On input, pointer to the data length. Before calling this function, the caller should set this parameter to the number of bytes to be encrypted. On output, this address will contain the number of bytes of encrypted data.

    If the buffer specified by pbData is not large enough to hold the data, the function returns the ERROR_MORE_DATA error code from the GetLastError function and stores the required buffer size, in bytes, in the variable pointed to by pdwDataLen.

    If pbData is NULL, then no error is returned, and the function stores the size of the data, in bytes, in the variable pointed to be pdwDataLen. This lets an application determine the correct buffer size unambiguously.

    When a block cipher is used, this data length must be a multiple of the block size, unless this is the final section of data to be encrypted and the Final flag is TRUE.

  • dwBufLen
    [in] Specifies the number of bytes in the pbData buffer.

    Depending on the algorithm used, the encrypted text can be slightly larger than the original plaintext. In this case, the pbData buffer needs to be sized accordingly.

    As a rule, if a stream cipher is used the ciphertext will be the same size as the plaintext. If a block cipher is used, the ciphertext will be up to a block length larger than the plaintext.

Return Value

TRUE indicates success. FALSE indicates failure. To get extended error information, call the GetLastError function.

The following table shows the common values for the GetLastError function. The error values prefaced by NTE are generated by the particular CSP you are using.

Value Description

ERROR_INVALID_HANDLE

One of the parameters specifies an invalid handle.

ERROR_INVALID_PARAMETER

One of the parameters contains an invalid value. This is most often an illegal pointer.

NTE_BAD_ALGID

The hKey session key specifies an algorithm that this CSP does not support.

NTE_BAD_DATA

The data to be encrypted is invalid. For example, when a block cipher is used and the Final flag is FALSE, the value specified by pdwDataLen must be a multiple of the block size.

NTE_BAD_FLAGS

The dwFlags parameter is nonzero.

NTE_BAD_HASH

The hHash parameter contains an invalid handle.

NTE_BAD_HASH_STATE

An attempt was made to add data to a hash object that is already marked as finished.

NTE_BAD_KEY

The hKey parameter does not contain a valid handle to a key.

NTE_BAD_LEN

The size of the output buffer is too small to hold the generated ciphertext.

NTE_BAD_UID

The CSP context that was specified when the key was created cannot be found.

NTE_DOUBLE_ENCRYPT

The application attempted to encrypt the same data twice.

NTE_FAIL

The function failed in some unexpected way.

NTE_NO_MEMORY

The CSP ran out of memory during the operation.

Remarks

When a large amount of data needs to be encrypted, it can be done in sections by calling the CryptEncrypt function repeatedly. The Final parameter should be set to TRUE only on the last invocation of the CryptEncrypt function, so the encryption engine can properly finish the encryption process. The following extra actions are performed when Final is TRUE:

  • If the key is a block cipher key, the data is padded to a multiple of the block size of the cipher. If the data length equals the block size of the cipher, one additional block of padding is appended to the data. To find the block size of a cipher, use CryptGetKeyParam to get the KP_BLOCKLEN value of the key.
  • If the cipher is operating in a chaining mode, the next CryptEncrypt operation resets the cipher's feedback register to the KP_IV value of the key.
  • If the cipher is a stream cipher, the next CryptEncrypt operation resets the cipher to its initial state.

Requirements

Header wincrypt.h
Library coredll.lib
Windows Embedded CE Windows CE 2.10 and later
Windows Mobile Windows Mobile Version 5.0 and later

See Also

Reference

CryptCreateHash
CryptDecrypt
CryptGenKey
CryptGetHashParam
CryptImportKey
CryptSignHash
HCRYPTHASH
HCRYPTKEY