Crossing Process Boundaries
The protocol engine (schannel.dll), in Windows NTŪ 5.0, performs the handshaking and authentication in a secure process and the bulk encryption/message passing in a different application process. This means that the bulk encryption and MAC keys need to be copied from one process to another. To do this, use the CryptExportKey and CryptImportKey functions as follows:
-
The secure process exports each key into an OPAQUEBLOB using CryptExportKey. The CRYPT_DESTROYKEY flag will typically be specified so that the CSP will destroy the original key.
-
The secure process passes the OPAQUEBLOBs to the application process, in a manner that is beyond the scope of this document.
-
The application process imports each OPAQUEBLOB back into the CSP using CryptImportKey. At this point, the key is in exactly the same state as when it was exported.