

Generating Cryptographic Keys (Windows Embedded CE 6.0)

1/6/2010

The following table shows the functions an application can use to generate cryptographic keys.

Function         Description
CryptDeriveKey   Generates a key derived from a password.
CryptGenKey      Generates a random key.

Although applications can create an unlimited number of session keys, the cryptographic service provider (CSP) does not preserve these keys between sessions. To preserve a key, export it from the CSP into a key BLOB in the application's memory space, and import it again when it is needed. For more information about exporting and importing a key, see Exporting Cryptographic Keys.

Session keys are created using either CryptGenKey or CryptDeriveKey. When a session key is generated, you must specify the algorithm to use for subsequent encoding and decoding operations. This algorithm must be a symmetric algorithm supported by the CSP.

Because public-key algorithms are slow, it is impractical to use them to encrypt a large amount of data. In practice, symmetric algorithms are used for encoding and decoding large amounts of data, while public-key algorithms are used only to encrypt session keys.

For each user, the CSP usually maintains two public/private key pairs: the key exchange key pair and the digital signature key pair. These keys are maintained between sessions.

There are several reasons for having two separate key pairs. For example, some CSPs use one algorithm for key exchange and another for digital signatures. Data such as a session key that is both signed and encrypted with the same public key pair is more vulnerable than data handled with two separate key pairs.

Exchange key and signature key pairs are created by calling the CryptGenKey function and specifying either AT_KEYEXCHANGE or AT_SIGNATURE. The CSP implements these keys in an application-independent manner. Applications cannot access details about the algorithm used.

See Also

Concepts

Using Basic Cryptography Services
Microsoft Cryptographic System

Other Resources

Cryptography
Certificates