How to deal with plaintext keys using CNG?


Problem description


I have a set of predefined plaintext keys that I use for symmetric encryption/decryption. These keys are used for encrypted communication with hardware devices connected to a PC. I would like to use a CNG key storage provider to securely store these keys. Encryption and decryption must be done outside of CNG. I only need a secure place where to store and from where to retrieve my predefined plaintext keys. The last days I studied the CNG functions reference but couldn't find any way to import/export a plaintext symmetric key identified by name into a CNG key container.

I know that CryptoAPI provides functions to import/export session keys. But this old API doesn't provide persistent (session) keys and no way to select/identify keys by name within a key container.

Any help is heavily appreciated. Thanks in advance.

Solution

I'm afraid you're out of luck for getting a direct solution, as the CNG key storage providers currently support asymmetric keys but not symmetric keys. Only primitive providers support symmetric keys.

This model is geared towards asymmetric keys being the ones that have to be protected in the long term, with symmetric keys being used only for one session and then thrown away. Those symmetric keys might be derived from an asymmetric key such as Diffie-Hellman or ECDH.

You say that you want the keys stored securely, but that the encryption/decryption is done outside CNG. Depending on what threats you are trying to defend against, this may not be the right approach. Normally if you are storing keys in a key storage provider, you want the crypto operations done inside the key storage provider, and don't want the keys ever to leave it (except encrypted by another key), as that exposes the key material to an attacker.

However, if you're sure this is what you want, one option would be to generate an RSA key in your key storage provider, and use it to encrypt and decrypt the symmetric keys. You would store the encrypted symmetric key blobs elsewhere, e.g. in the filesystem.
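The approach the answer describes (an RSA key that stays inside the key storage provider and is used only to wrap and unwrap the predefined symmetric keys, with the wrapped blobs kept on disk) as an added PowerShell example; this is not code from the original post or from Microsoft. It drives the Microsoft Software Key Storage Provider through the .NET CNG wrappers (CngKey, RSACng). The container name, the blob path and the sample key bytes are assumptions.

```powershell
using namespace System.Security.Cryptography

# Assumed names: the persisted RSA container and where the wrapped blob lives.
$keyName  = 'DeviceKeyWrapRSA'
$blobPath = Join-Path $env:ProgramData 'device-key-1.wrapped'

function New-WrappingKey {
    param([string]$Name)
    # Reuse the persisted key if it already exists in the KSP.
    if ([CngKey]::Exists($Name)) { return [CngKey]::Open($Name) }

    $p = [CngKeyCreationParameters]::new()
    $p.Provider     = [CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $p.ExportPolicy = [CngExportPolicies]::None      # private key can never be exported
    $p.KeyUsage     = [CngKeyUsages]::Decryption     # wrap/unwrap only, no signing
    # NCRYPT_LENGTH_PROPERTY ("Length") as a little-endian DWORD: 3072-bit RSA.
    $p.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(3072),
                                         [CngPropertyOptions]::None))
    return [CngKey]::Create([CngAlgorithm]::Rsa, $Name, $p)
}

function Protect-SymmetricKey {
    param([byte[]]$PlainKey, [string]$KeyName, [string]$OutFile)
    # Wrap the symmetric key with RSA-OAEP(SHA-256); only the ciphertext touches disk.
    $rsa = [RSACng]::new((New-WrappingKey -Name $KeyName))
    try {
        $wrapped = $rsa.Encrypt($PlainKey, [RSAEncryptionPadding]::OaepSHA256)
        [IO.File]::WriteAllBytes($OutFile, $wrapped)
    } finally { $rsa.Dispose() }
}

function Unprotect-SymmetricKey {
    param([string]$KeyName, [string]$InFile)
    # Decryption happens inside the KSP; the RSA private key never enters this process.
    $rsa = [RSACng]::new([CngKey]::Open($KeyName))
    try {
        return ,$rsa.Decrypt([IO.File]::ReadAllBytes($InFile), [RSAEncryptionPadding]::OaepSHA256)
    } finally { $rsa.Dispose() }
}

# Constructed sample: a 256-bit device key standing in for one of the predefined keys.
$deviceKey = [byte[]](1..32)

Protect-SymmetricKey -PlainKey $deviceKey -KeyName $keyName -OutFile $blobPath
$recovered = Unprotect-SymmetricKey -KeyName $keyName -InFile $blobPath

if (($deviceKey -join ',') -ne ($recovered -join ',')) { throw 'round-trip failed' }
Write-Host "Recovered $($recovered.Length)-byte key from $blobPath via KSP container '$keyName'"

# The plaintext key is now in process memory, which is exactly the exposure the answer
# warns about; clear it as soon as it has been handed to the device-communication code.
[Array]::Clear($recovered, 0, $recovered.Length)
```

Setting `ExportPolicy` to `None` is the check worth keeping: it makes the KSP refuse any later attempt to export the wrapping key, so the only way to recover a device key is a decrypt call against the named container. The blob on disk is safe to back up, but the unwrapped bytes still live in the calling process, which is the residual risk the answer points out when encryption and decryption happen outside CNG.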
