Encrypting and Decrypting Simultaneously

Care must be taken when encrypting or decrypting two streams of data simultaneously with the same cryptographic key. The same physical session key must not be used for both operations, because every session key contains internal state information and it will get mixed up if used for more than one operation at a time. A simple solution to this problem is to make a copy of the session key. In this way, the original key can be used for one operation and the copy used for the other.

Copying a session key is done by exporting the key with CryptExportKey and then by using CryptImportKey to import it back in. When the key is imported, the CSP will give the new key its own section of internal memory, as if it were not related at all to the original key.

The following code fragment shows how a copy of a session key can be obtained.

HCRYPTPROV hProv;    // Handle to a CSP.
HCRYPTKEY hKey;      // Handle to a session key.

HCRYPTKEY hCopyKey = 0;
HCRYPTKEY hPubKey = 0;
BYTE pbBlob[256];
DWORD dwBlobLen;

// Get a handle to the current user's key exchange public key.
CryptGetUserKey(hProv, AT_KEYEXCHANGE, &hPubKey);

// Export the session key into a key blob.
dwBlobLen = 256;
CryptExportKey(hKey, hPubKey, SIMPLEBLOB, 0, pbBlob, &dwBlobLen);

// Import the session key back into the CSP. This is stored separately
// from the original session key.
CryptImportKey(hProv, pbBlob, dwBlobLen, 0, 0, &hCopyKey);

// Use 'hKey' for one set of operations and 'hCopyKey' for the other.
...
 

Note that this technique should not be used with stream ciphers, as stream cipher keys should never be used more than once. Instead, separate transmit and receive keys should be used.