Deriving Session Keys

Applications derive session keys from hash values by using the CryptDeriveKey function. For the case described here the underlying mechanism is simple: the first few bytes of the hash value (however many are required for the requested key length, which is passed in the upper 16 bits of the dwFlags parameter) are used as the session key material. If the CRYPT_CREATE_SALT flag is specified, the next few bytes are used as the salt value. The remaining bytes of the hash value are not used. This layout assumes that the key material and salt together fit within a single hash output; the CryptDeriveKey reference documents the separate expansion step that applies when the requested key is longer than the hash value.

For example, if you have a SHA-1 hash value (160 bits, or 20 bytes) and want to create a 40-bit session key (with 88 bits of salt) from it, the first five bytes would be used as the session key material and the next 11 bytes would be used as the salt. The last 4 bytes would be unused. Note that a 40-bit key and SHA-1 are used here only to illustrate the byte layout; both are legacy choices and should not be selected for new designs.
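The following Python block is an added illustration, not code from the CryptoAPI documentation or from Windows. It does not call CryptDeriveKey; it recreates the byte layout just described on a locally computed SHA-1 value so you can see exactly which bytes a 40-bit key with 88 bits of salt consumes. The function names and the passphrase are assumptions, and the function refuses requests that do not fit in one hash output, since the simple layout only covers that case.

```python
import hashlib

def derive_key_material(hash_value: bytes, key_bits: int, salt_bits: int = 0):
    """Split a hash value into (key, salt, unused) the way the text describes.

    Assumed helper name; it mirrors the layout CryptDeriveKey uses when the
    key and salt fit inside the hash output: key bytes first, salt bytes
    next, everything after that ignored. salt_bits=0 models calling
    CryptDeriveKey without CRYPT_CREATE_SALT.
    """
    if key_bits % 8 or salt_bits % 8:
        raise ValueError("key and salt sizes must be whole bytes")
    key_len = key_bits // 8
    salt_len = salt_bits // 8
    if key_len + salt_len > len(hash_value):
        # The simple "first bytes" layout only works while everything fits in
        # one hash output; longer keys need the separate expansion step that
        # the CryptDeriveKey reference documents (not modelled here).
        raise ValueError("hash value too short for requested key + salt")
    key = hash_value[:key_len]
    salt = hash_value[key_len:key_len + salt_len]
    unused = hash_value[key_len + salt_len:]
    return key, salt, unused

def layout_from_sha1(data: bytes, key_bits: int, salt_bits: int = 0):
    """Hash the input with SHA-1 and apply the layout to the 20-byte digest.

    The hash value is treated purely as a block of bytes, so no byte-order
    conversion is involved at any point.
    """
    return derive_key_material(hashlib.sha1(data).digest(), key_bits, salt_bits)

if __name__ == "__main__":
    # Constructed sample input, chosen only for demonstration.
    passphrase = b"example passphrase for the layout demo"
    key, salt, unused = layout_from_sha1(passphrase, key_bits=40, salt_bits=88)
    print("key    (5 bytes):", key.hex())
    print("salt  (11 bytes):", salt.hex())
    print("unused (4 bytes):", unused.hex())
```

Running the block prints the three slices of the digest; the key is always the first five bytes, the salt the next eleven, regardless of the input.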

Note that hash values and session keys are treated here as blocks of bytes, not as large integers. Byte ordering (big-endian versus little-endian) is therefore not relevant: the bytes are taken from the hash value in the order they appear.