Crossing Process Boundaries (Diffie-Hellman)

The protocol engine (schannel.dll) in Windows NT® Version 5.0 performs the handshake and authentication in a secure process and the bulk encryption and message passing in a different application process. This means that the bulk encryption and MAC keys must be copied from one process to the other. This is done with CryptExportKey and CryptImportKey as follows:

  1. The secure process exports each key as an opaque key BLOB (blob type OPAQUEKEYBLOB) using CryptExportKey. The CRYPT_DESTROYKEY flag is typically specified so that the CSP destroys its original copy of the key once the export succeeds, leaving the blob as the only copy.
  2. The secure process passes the opaque key BLOBs to the application process; the transport mechanism is beyond the scope of this document.
  3. The application process imports each opaque key BLOB back into the same CSP using CryptImportKey. At this point, the key is in exactly the same state as when it was exported. Opaque key BLOBs are meaningful only to the CSP that produced them; they are not a format for storing keys or sending them to another machine.