As required by the FIPS 140-2 standard, the two independent and internal actions for exporting keys in
plaintext are as follows:
1. An operator must call the CryptExportKey API function.
2. A valid key handle must be passed to the CryptExportKey function.
Unless these two steps are taken, keys cannot be exported in plaintext.
CryptGenKey
The CryptGenKey function generates a random cryptographic key. A handle to the key is returned in
phKey. This handle can then be used as needed with any CryptoAPI function requiring a key handle.
The calling application must specify the algorithm when calling this function. Because this algorithm
type is kept bundled with the key, the application does not need to specify the algorithm later when the
actual cryptographic operations are performed.
CryptGenRandom
The CryptGenRandom function fills a buffer with random bytes. The random number generation
algorithm is the SP800-90 AES-256 based counter mode random number generation algorithm.
During function initialization, a seed is created from the collection of all the data listed in the
Miscellaneous section; the algorithm is applied to this seed to produce the random output. CryptGenRandom
accepts caller-supplied data through its in/out pbBuffer parameter. This data is mixed with the
seed.
CryptGetKeyParam
The CryptGetKeyParam function retrieves data that governs the operations of a key.
CryptGetUserKey
The CryptGetUserKey function retrieves a handle of one of a user's public/private key pairs.
CryptImportKey
The CryptImportKey function transfers a cryptographic key from a key blob into a cryptographic service
provider module (CSPM).
Private keys may be imported as blobs, and the function returns a handle to the imported key.
A symmetric key encrypted with an RSA public key may also be imported through CryptImportKey. The
function uses the RSA private key exchange key to decrypt the blob and returns a handle to the
symmetric key.
Symmetric keys wrapped with other symmetric keys (AES or Triple-DES) may also be imported using
this function. The wrapped key blob is passed in along with a handle to a symmetric key, which the
module is supposed to use to unwrap the blob. If the function is successful then a handle to the
unwrapped symmetric key is returned.
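The export and import paths described above (an exportable key handle passed to CryptExportKey, and a wrapped blob handed to CryptImportKey together with the unwrapping key's handle), as an added example that is not part of the security policy. It drives the CSPM from C# through P/Invoke and assumes a Windows host with the Microsoft Enhanced RSA and AES Cryptographic Provider installed; the class and helper names are the example's own.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not code from the security policy: exercises CryptGenKey, CryptExportKey,
// CryptImportKey and CryptGenRandom through advapi32 P/Invoke. Assumes Windows with RSAENH present.
static class WrappedKeyRoundTrip
{
    const uint PROV_RSA_AES = 24, CRYPT_VERIFYCONTEXT = 0xF0000000, CRYPT_EXPORTABLE = 0x1;
    const uint CALG_AES_256 = 0x6610, SYMMETRICWRAPKEYBLOB = 0xB;
    const string Provider = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptAcquireContext(out IntPtr phProv, string container, string provider, uint provType, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGenKey(IntPtr hProv, uint algId, uint flags, out IntPtr phKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGenRandom(IntPtr hProv, uint len, byte[] pbBuffer);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptExportKey(IntPtr hKey, IntPtr hExpKey, uint blobType, uint flags, byte[] pbData, ref uint pdwDataLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptImportKey(IntPtr hProv, byte[] pbData, uint dataLen, IntPtr hPubKey, uint flags, out IntPtr phKey);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool CryptDestroyKey(IntPtr hKey);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool CryptReleaseContext(IntPtr hProv, uint flags);

    // Every CryptoAPI call reports failure through its return value; surface the Win32 error code.
    static void Check(bool ok, string what) { if (!ok) throw new InvalidOperationException($"{what} failed, Win32 error 0x{Marshal.GetLastWin32Error():X8}"); }

    static void Main()
    {
        Check(CryptAcquireContext(out IntPtr hProv, null, Provider, PROV_RSA_AES, CRYPT_VERIFYCONTEXT), "CryptAcquireContext");
        // Key-encryption key: generated inside the CSPM and never exported.
        Check(CryptGenKey(hProv, CALG_AES_256, 0, out IntPtr hWrapKey), "CryptGenKey (wrapping key)");
        // Data key: the algorithm stays bundled with the handle, so later calls do not repeat it.
        Check(CryptGenKey(hProv, CALG_AES_256, CRYPT_EXPORTABLE, out IntPtr hDataKey), "CryptGenKey (data key)");

        // Export the data key wrapped under hWrapKey rather than in plaintext; the first call only sizes the buffer.
        uint len = 0;
        Check(CryptExportKey(hDataKey, hWrapKey, SYMMETRICWRAPKEYBLOB, 0, null, ref len), "CryptExportKey (size)");
        byte[] blob = new byte[len];
        Check(CryptExportKey(hDataKey, hWrapKey, SYMMETRICWRAPKEYBLOB, 0, blob, ref len), "CryptExportKey");

        // Import the wrapped blob together with the handle of the key the CSPM uses to unwrap it.
        Check(CryptImportKey(hProv, blob, len, hWrapKey, 0, out IntPtr hImported), "CryptImportKey");
        Console.WriteLine($"wrapped key blob: {len} bytes; unwrapped key handle obtained");

        // Fresh output from the SP800-90 counter-mode DRBG; whatever pbBuffer holds on entry is mixed in.
        byte[] rnd = new byte[32];
        Check(CryptGenRandom(hProv, (uint)rnd.Length, rnd), "CryptGenRandom");
        Console.WriteLine("random: " + BitConverter.ToString(rnd));

        foreach (IntPtr h in new[] { hImported, hDataKey, hWrapKey }) CryptDestroyKey(h);
        CryptReleaseContext(hProv, 0);
    }
}
```

Omitting CRYPT_EXPORTABLE on the data key makes the CryptExportKey call fail, which is the module-side enforcement behind the two-step rule stated at the top of this page.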