Exchanging Cryptographic Keys

This chapter discusses those situations where you must export keys from the secure environment of the cryptographic service provider (CSP) and into your application's data space. Keys that have been exported are stored in encrypted data structures known as key blobs. These are discussed in Key Blobs Explained.

There are two specific situations where it is necessary to export keys:

• You want to save a session key for later use by your application. For example, if your application has just encrypted a database file and you want your application to decrypt this file at a later time, your application is responsible for storing the encryption key. This is necessary because CSPs do not preserve symmetric keys from session to session.
• You want to send a key to someone else. This would be much easier (for your application) if the respective CSPs could communicate directly, but they cannot. This means the key has to be exported from your CSP, transmitted by your application to the destination application, and then imported into the destination CSP. If you don't trust the communication path, this can become somewhat complicated. However, this is covered in the next few sections.

Note  This chapter assumes that users (or Microsoft® CryptoAPI clients) already possess their own set of public/private key pairs. Instructions for creating these can be found in Generating Cryptographic Keys.