| Platform SDK: Cryptography |
Opaque BLOBs, also known as OPAQUEKEYBLOBs, are used to store session keys. They contain the base key material and all current state information. This includes information such as the salt value, the initialization vector, and the key table. The format of opaque BLOBs is unpublished. Each CSP vendor determines its own BLOB format which should include encrypting the opaque BLOBs with some sort of symmetric key.
Because a key is exported into an opaque BLOB in CSP-specific format, it can only be imported into the CSP from which it was originally exported.
When two processes are involved, each process calls CryptAcquireContext independently. Each process gets a handle to a key container. It is possible for both processes to have handles to the same key container. One process creates the keys and exports them into opaque BLOBs, then passes the BLOBs to the second process. The second process imports the keys from the BLOB into its key container.
If a hardware CSP does not support exporting keys, the BLOB might only contain the index of a key register, or something similar. In this case, the rest of the procedure is ignored.
<secure process>
cbBlob = sizeof(rgbBlob);
CryptExportKey(
hKey,
0,
OPAQUEKEYBLOB,
0,
rgbBlob,
&cbBlob);
hKey = 0;
<BLOB is transferred to other process>
<user process>
CryptImportKey(
hProv,
pbBlob,
cbBlob,
0,
0,
&hKey);