This section discusses how you use the CryptoAPI to store a session key for later use. This is useful in those situations where you have encrypted a file and want to decrypt the file at a later time. Another possible situation is one in which you have shared the session key with another user and you want to use the key at a later time to send the other user encrypted messages.
In either case, your application will have to store the session key outside of the CSP for a certain period. Following is the procedure for storing a session key.
If the session key is to be bundled with an encrypted file only (so that you can later decrypt the file), and the key is not going to be used to encrypt any more data, then the preceding procedure provides adequate security.
If you plan to use the session key for encryption at a later time, then the key blob should be signed with your key exchange private key before the key blob is stored to disk. When you later read the key blob back from disk, you should validate the signature to make sure the key blob is intact. If these steps are omitted, then someone with access to your storage media can create a new session key, encrypt it with your key exchange public key, and substitute it for your key blob. You could then unknowingly use the substituted session key to encrypt files and messages, which the unscrupulous user could then easily decrypt. Digital signatures are discussed in detail in Hashes and Digital Signatures.