Key BLOBs

A key binary large object (key BLOB) provides a way to store a key outside of the CSP. A key BLOB is used as the medium for transferring a key from one provider to another. A key BLOB that carries secret key material is protected by encrypting that material with the key exchange public key of the intended recipient, so only the holder of the matching private key can recover it; a key BLOB that carries only a public key is not encrypted at all. To make a key BLOB tamperproof, the originating user can also sign it, and the recipient verifies that signature before importing the key. CryptoAPI gives each user a separate signature key pair for this purpose, and it is good practice to sign with that pair rather than reusing the key exchange private key for both decryption and signing.

A key BLOB consists of a standard header followed by data that represents the key itself. Key BLOBs exist in three forms: simple, public, and private. A simple key BLOB, known as a SIMPLEBLOB, holds a session key that has been encrypted with the key exchange public key of the destination user. Key exchange keys exist to encrypt session keys so that they can be safely stored and exchanged with other users. This type of key BLOB is used when storing a session key or transmitting a session key to another user. For more information on key exchange, see Exchanging Cryptographic Keys.

A public key BLOB contains the public key portion of a public and private key pair. Unlike simple key BLOBs, these are not encrypted, because the contents are not secret. What matters for a public key BLOB is integrity: an attacker who can substitute their own public key BLOB for the intended recipient's will receive every session key later encrypted to it, so a public key BLOB received over an untrusted channel should be checked against a signature or another trusted source before it is used.

A private key BLOB contains one complete public and private key pair. These key BLOBs are used by administrative applications to distribute and transport public and private key pairs. For example, a private key BLOB transports key pairs between a network administrator's computer and a user's computer, or between a user's desktop computer and a laptop computer. These key BLOBs can also be used by advanced applications to store key pairs, rather than relying on the CSP's storage mechanism. Because a private key BLOB holds the private key in one structure, it must be protected as carefully as the key itself: when exporting it for transport or storage, encrypt the key data that follows the header (in CryptoAPI, by supplying a session key to CryptExportKey), since a private key BLOB written to disk or sent in the clear exposes the private key to anyone who can read it.
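The header-plus-key-data layout described above, as an added example that is not part of the original page: a builder and parser for the three key BLOB types. It assumes the documented wincrypt.h layouts (an 8-byte BLOBHEADER of bType, bVersion, reserved and aiKeyAlg; for RSA keys an RSAPUBKEY of magic, bitlen and pubexp followed by the little-endian modulus and, for a PRIVATEKEYBLOB, p, q, dp, dq, iqmp and d; for a SIMPLEBLOB the ALG_ID of the key exchange algorithm followed by the encrypted session key). The sample key values are constructed for illustration and are not a real key.

```python
"""Build and parse Microsoft CryptoAPI key BLOBs (BLOBHEADER + key data).

Added example, not code from the original page. Structure layouts are the
documented wincrypt.h ones; SAMPLE_N / SAMPLE_E are constructed, not a real key.
"""
import struct

# BLOBHEADER.bType values
SIMPLEBLOB = 0x01
PUBLICKEYBLOB = 0x06
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02

# ALG_ID values that appear in the headers
CALG_RSA_KEYX = 0x0000A400   # RSA key exchange key
CALG_RSA_SIGN = 0x00002400   # RSA signature key
CALG_RC4 = 0x00006801        # a session key algorithm

RSA1_MAGIC = 0x31415352      # "RSA1": public key only
RSA2_MAGIC = 0x32415352      # "RSA2": public and private key

BLOBHEADER_FMT = "<BBHI"     # bType, bVersion, reserved, aiKeyAlg (8 bytes)
RSAPUBKEY_FMT = "<III"       # magic, bitlen, pubexp (12 bytes)


def build_publickeyblob(n, e, bitlen, alg=CALG_RSA_KEYX):
    """Serialise an RSA public key as a PUBLICKEYBLOB (never encrypted)."""
    header = struct.pack(BLOBHEADER_FMT, PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack(RSAPUBKEY_FMT, RSA1_MAGIC, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")


def _parse_rsa(body, alg, private):
    """Parse the RSAPUBKEY and key data that follow the BLOBHEADER."""
    if len(body) < 12:
        raise ValueError("truncated RSAPUBKEY")
    magic, bitlen, pubexp = struct.unpack_from(RSAPUBKEY_FMT, body, 0)
    if magic != (RSA2_MAGIC if private else RSA1_MAGIC):
        # Either not an RSA key, or a PRIVATEKEYBLOB that was exported under a
        # session key: everything after the BLOBHEADER is then ciphertext.
        raise ValueError("unexpected RSA magic 0x%08x" % magic)
    if bitlen == 0 or bitlen % 16:
        raise ValueError("bad bitlen %d" % bitlen)
    nbytes, half = bitlen // 8, bitlen // 16
    needed = 12 + nbytes + (5 * half + nbytes if private else 0)
    if len(body) < needed:
        raise ValueError("truncated key data")
    key = {"type": "PRIVATEKEYBLOB" if private else "PUBLICKEYBLOB",
           "alg": alg, "bitlen": bitlen, "e": pubexp}
    off = 12
    key["n"] = int.from_bytes(body[off:off + nbytes], "little")
    off += nbytes
    if private:
        for name in ("p", "q", "dp", "dq", "iqmp"):
            key[name] = int.from_bytes(body[off:off + half], "little")
            off += half
        key["d"] = int.from_bytes(body[off:off + nbytes], "little")
    return key


def parse_blob(data):
    """Dispatch on BLOBHEADER.bType and return the decoded fields."""
    if len(data) < 8:
        raise ValueError("truncated BLOBHEADER")
    btype, version, _reserved, alg = struct.unpack_from(BLOBHEADER_FMT, data, 0)
    if version != CUR_BLOB_VERSION:
        raise ValueError("unsupported bVersion %d" % version)
    body = data[8:]
    if btype == PUBLICKEYBLOB:
        return _parse_rsa(body, alg, private=False)
    if btype == PRIVATEKEYBLOB:
        return _parse_rsa(body, alg, private=True)
    if btype == SIMPLEBLOB:
        if len(body) < 4:
            raise ValueError("truncated SIMPLEBLOB")
        (exch_alg,) = struct.unpack_from("<I", body, 0)
        # The session key is RSA-encrypted to the recipient's key exchange
        # public key; it is never present in the clear, so it is returned as is.
        return {"type": "SIMPLEBLOB", "session_alg": alg,
                "exchange_alg": exch_alg, "encrypted_key": body[4:]}
    raise ValueError("unsupported bType 0x%02x" % btype)


# Constructed 512-bit sample values; NOT a real key.
SAMPLE_N = (1 << 511) | 0x1234567
SAMPLE_E = 65537

if __name__ == "__main__":
    blob = build_publickeyblob(SAMPLE_N, SAMPLE_E, 512)
    print(len(blob), parse_blob(blob)["type"])
```

The magic check is the practical test for whether a private key BLOB was exported encrypted: a PRIVATEKEYBLOB whose bytes after the header do not start with "RSA2" is either not RSA or is still ciphertext under the session key it was exported with, and must be decrypted before the fields can be read.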

For more information on the formats of these key BLOBs, see the Microsoft Platform SDK.