Generating Cryptographic Keys

The following table shows the functions an application can use to generate cryptographic keys.

Function          Description
CryptDeriveKey    Generates a key derived from a password
CryptGenKey       Generates a random key

Although applications can create an unlimited number of session keys, the CSP does not preserve these keys between sessions. To preserve a session key, export it from the CSP into a key BLOB held in the application's memory space, and import it again when it is needed. For more information on exporting and importing keys, see Exchanging Cryptographic Keys.

Session keys are created using either CryptGenKey or CryptDeriveKey. When a session key is generated, you must specify the algorithm to use for subsequent encryption and decryption operations. This algorithm must be a symmetric algorithm supported by the CSP.

Because public-key algorithms are slow, encrypting large amounts of data with them is impractical. In practice, symmetric algorithms encrypt and decrypt the bulk data, while public-key algorithms are used only to encrypt the session keys.

For each user, the CSP usually maintains two public/private key pairs: the key exchange key pair and the digital signature key pair. These keys are maintained between sessions.

There are several reasons for keeping two separate key pairs. For example, some CSPs use one algorithm for key exchange and another for digital signatures. In addition, data such as a session key that is both signed and encrypted with the same key pair is more vulnerable than data handled with two separate key pairs.

Exchange key and signature key pairs are created by calling the CryptGenKey function and specifying either AT_KEYEXCHANGE or AT_SIGNATURE. The CSP implements these keys in an application-independent manner. Applications cannot access details about the algorithm used.
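The following is an added example, not part of the CryptoAPI documentation, that walks the hybrid scheme described above from PowerShell. It uses .NET's RSACryptoServiceProvider and CspParameters, which are thin wrappers over CryptoAPI: a CspParameters.KeyNumber of Exchange corresponds to AT_KEYEXCHANGE and Signature to AT_SIGNATURE, and a named key container persists in the CSP between runs just as the page describes. A random AES session key plays the CryptGenKey role: the bulk data is encrypted with it, only the short key goes through the exchange key pair, and the signature key pair signs the ciphertext. The container name and the sample message are assumptions chosen for this example.

```powershell
# Added example, not from the CryptoAPI documentation. Assumptions: the container
# name below is unused on this machine and the message is a constructed sample.
$containerName = 'ExampleHybridContainer'

function New-CspKeyPair {
    param(
        [string]$Container,
        [System.Security.Cryptography.KeyNumber]$KeyNumber   # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
    )
    # PROV_RSA_AES (type 24): the default PROV_RSA_FULL provider only signs with SHA-1/MD5.
    $p = New-Object System.Security.Cryptography.CspParameters -ArgumentList 24
    $p.KeyContainerName = $Container
    $p.KeyNumber        = [int]$KeyNumber
    # If the container already holds a key of this type the CSP hands it back;
    # otherwise it generates one. Either way the pair survives between sessions.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $p
}

# The two long-lived pairs the page describes, kept by the CSP, not by the application.
$exchangeRsa  = New-CspKeyPair -Container $containerName -KeyNumber Exchange
$signatureRsa = New-CspKeyPair -Container $containerName -KeyNumber Signature

# --- Sender side: a fresh random session key (the CryptGenKey case) ---
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()

$message    = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')
$encryptor  = $aes.CreateEncryptor()
$ciphertext = $encryptor.TransformFinalBlock($message, 0, $message.Length)

# Only the 32-byte session key goes through the slow public-key operation.
$wrappedKey = $exchangeRsa.Encrypt($aes.Key, $true)          # RSA-OAEP with the exchange public key
$signature  = $signatureRsa.SignData($ciphertext, 'SHA256')  # separate signature key pair

# --- Receiver side: verify first, then unwrap the key, then decrypt the bulk data ---
if (-not $signatureRsa.VerifyData($ciphertext, 'SHA256', $signature)) {
    throw 'signature check failed'
}
$sessionKey = $exchangeRsa.Decrypt($wrappedKey, $true)   # exchange private key never leaves the CSP
$aes2 = [System.Security.Cryptography.Aes]::Create()
$aes2.Key = $sessionKey
$aes2.IV  = $aes.IV                                       # the IV travels alongside the ciphertext
$plain = $aes2.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
[System.Text.Encoding]::UTF8.GetString($plain)            # the original message

# Cleanup for the example only: without this the container (both pairs) stays in the
# CSP, which is exactly the persistence the page describes for exchange and signature keys.
$exchangeRsa.PersistKeyInCsp = $false
$exchangeRsa.Clear()
```

Note that the session key itself is never written anywhere: once $aes is disposed it is gone, which is why an application that needs the same session key later must export it as a key BLOB as the page says. The signature is made over the ciphertext with the signature pair and the key is wrapped with the exchange pair, so neither key pair is used for both purposes.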