| Platform SDK: Cryptography |
After a master key is created or imported, both RSA/Schannel and Diffie-Hellman/Schannel inform the CSP of the type of bulk encryption keys and MAC keys that will be derived from the master key. The following code specifies these algorithms. The same code is used for both client and server.
//--------------------------------------------------------------------
// Algorithms for the SCHANNEL_ALG structure
#define SCHANNEL_MAC_KEY 0x00000000
#define SCHANNEL_ENC_KEY 0x00000001
//--------------------------------------------------------------------
// dwFlags for the SCHANNEL_ALG structure
// This flag will be set when the SSL cipher suite is exportable
// outside the United States and Canada. The use of this flag notifies
// the CSP that it must perform the extra export steps when deriving
// the key.
#define INTERNATIONAL USAGE 0x00000001
typedef struct _SCHANNEL_ALG
{
DWORD dwUse;
ALG_ID Algid;
DWORD cBits;
DWORD dwFlags;
DWORD dwReserved;
} SCHANNEL_ALG, *PSCHANNEL_ALG;
SCHANNEL_ALG Algorithm;
//--------------------------------------------------------------------
// Specify the bulk encryption algorithm.
Algorithm.dwUse = SCHANNEL_ENC_KEY;
Algorithm.Algid = CALG_RC4; // or CALG_RC2, CALG_DES, etc.
Algorithm.cBits = 40; // or 64, 128, 192, etc.
CryptSetKeyParam(
hMasterKey,
KP_SCHANNEL_ALG,
(PBYTE)&Algorithm,
0);
//--------------------------------------------------------------------
// Specify hash algorithm.
Algorithm.dwUse = SCHANNEL_MAC_KEY;
Algorithm.Algid = CALG_MD5; // or CALG_SHA, etc.
Algorithm.cBits = 128; // or 160...
CryptSetKeyParam(
hMasterKey,
KP_SCHANNEL_ALG,
(PBYTE)&Algorithm,
0);
Note An Schannel protocol engine must not specify algorithms and key sizes not supported by the CSP. For more information, see Enumerating Supported Protocols. If unsupported algorithms or key sizes are specified, the CSP function must fail and return the NTE_BAD_DATA error code.