After the master key has been created (or imported), the protocol engine must inform the CSP of the type of bulk encryption and MAC keys that will be derived from the master key. The following code specifies the algorithms. The same code is used for both client and server.
```cpp
#include <windows.h>
#include <wincrypt.h>

// KP_SCHANNEL_ALG takes a SCHANNEL_ALG structure, declared in wincrypt.h
// (include the header rather than redeclaring it):
//
//   typedef struct _SCHANNEL_ALG
//   {
//       DWORD  dwUse;   // SCHANNEL_ENC_KEY or SCHANNEL_MAC_KEY
//       ALG_ID Algid;   // algorithm to derive
//       DWORD  cBits;   // key size (or digest size) in bits
//   } SCHANNEL_ALG, *PSCHANNEL_ALG;

// hMasterKey is the master key handle created or imported in the previous step.
BOOL SetSchannelAlgorithms(HCRYPTKEY hMasterKey)
{
    SCHANNEL_ALG Algorithm;
    ZeroMemory(&Algorithm, sizeof(Algorithm));

    // Specify encryption algorithm.
    Algorithm.dwUse = SCHANNEL_ENC_KEY;
    Algorithm.Algid = CALG_RC4;   // or CALG_RC2, CALG_DES, etc.
    Algorithm.cBits = 40;         // or 64, 128, 192, etc.
    if (!CryptSetKeyParam(hMasterKey, KP_SCHANNEL_ALG, (PBYTE)&Algorithm, 0))
        return FALSE;             // GetLastError() is NTE_BAD_DATA if unsupported

    // Specify hash algorithm.
    Algorithm.dwUse = SCHANNEL_MAC_KEY;
    Algorithm.Algid = CALG_MD5;   // or CALG_SHA, etc.
    Algorithm.cBits = 128;        // or 160...
    if (!CryptSetKeyParam(hMasterKey, KP_SCHANNEL_ALG, (PBYTE)&Algorithm, 0))
        return FALSE;

    return TRUE;
}
```
Note: The protocol engine should never specify algorithms or key sizes that the CSP does not support. For more information, see Enumerating the Supported Protocols (Diffie-Hellman). Where an unsupported algorithm or key size is specified, the CSP should fail the call and return the NTE_BAD_DATA error code.
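Added example (not code from the original page or from the Schannel SDK): a portable model of the protocol-engine side of that note. Given the algorithm list the CSP reports during enumeration, the hypothetical helper `choose_schannel_algs` fills the two SCHANNEL_ALG structures only with combinations the CSP actually offers, so the engine never sends a request the CSP would reject with NTE_BAD_DATA. The CSP list is constructed sample data, and the non-Windows definitions mirror wincrypt.h only so the block compiles anywhere.

```c
#include <stddef.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
/* Types, constants and macros as defined in wincrypt.h, repeated here only
 * so the example also compiles off Windows. */
typedef uint32_t DWORD;
typedef unsigned int ALG_ID;
#define ALG_CLASS_DATA_ENCRYPT (3 << 13)
#define ALG_CLASS_HASH         (4 << 13)
#define GET_ALG_CLASS(x)       ((x) & (7 << 13))
#define CALG_DES          0x00006601
#define CALG_RC2          0x00006602
#define CALG_RC4          0x00006801
#define CALG_MD5          0x00008003
#define CALG_SHA          0x00008004
#define SCHANNEL_MAC_KEY  0x00000000
#define SCHANNEL_ENC_KEY  0x00000001
typedef struct _SCHANNEL_ALG { DWORD dwUse; ALG_ID Algid; DWORD cBits; } SCHANNEL_ALG;
#endif
/* One algorithm/key-length pair as reported by the CSP's algorithm
 * enumeration; the list below is constructed sample data. */
typedef struct { ALG_ID Algid; DWORD cBits; } CspAlg;
static const CspAlg kCspReports[] = {
    { CALG_RC4, 40 }, { CALG_RC4, 128 }, { CALG_RC2, 40 }, { CALG_DES, 56 },
    { CALG_MD5, 128 }, { CALG_SHA, 160 },
};
/* Hypothetical helper for the protocol engine: fill enc and mac only from
 * what the CSP reports, taking the longest key among the ciphers and the
 * longest digest among the hashes. Returns 1 when both are usable inputs for
 * CryptSetKeyParam(KP_SCHANNEL_ALG), 0 when the CSP offers no cipher or no
 * hash (then do not call it; the CSP would fail with NTE_BAD_DATA). */
int choose_schannel_algs(const CspAlg *csp, size_t n,
                         SCHANNEL_ALG *enc, SCHANNEL_ALG *mac)
{
    memset(enc, 0, sizeof *enc); enc->dwUse = SCHANNEL_ENC_KEY;
    memset(mac, 0, sizeof *mac); mac->dwUse = SCHANNEL_MAC_KEY;
    for (size_t i = 0; i < n; i++) {
        SCHANNEL_ALG *slot = NULL;
        if (GET_ALG_CLASS(csp[i].Algid) == ALG_CLASS_DATA_ENCRYPT) slot = enc;
        else if (GET_ALG_CLASS(csp[i].Algid) == ALG_CLASS_HASH) slot = mac;
        if (slot != NULL && csp[i].cBits > slot->cBits) {
            slot->Algid = csp[i].Algid; slot->cBits = csp[i].cBits;
        }
    }
    return enc->Algid != 0 && mac->Algid != 0;
}
```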