Microsoft Windows NT Server White Paper
Key Entry and Output
Keys are exported from and imported into RSAENH via CryptExportKey() and
CryptImportKey(). Exported private keys may be encrypted with a symmetric key
passed into the CryptExportKey function; any of the symmetric algorithms
supported by the crypto module (AES, DES, 3DES, RC4 or RC2) may be used to
encrypt private keys for export. When private keys are generated or imported from
archival, they are covered with the Microsoft Windows CE Data Protection API
(DPAPI) and then output to the system registry in the covered form.
Symmetric key entry and output are done by exchanging keys under the recipient's
asymmetric public key. Symmetric key entry and output may also be done by
exporting a symmetric key wrapped with another symmetric key.
In addition, certain functions require that the application hold the key material;
the RSAENH module does not retain any copy of the key material between function
invocations. The functions that operate this way are: BSafeDecPrivate,
BSafeEncPublic, BSafeMakeKeyPair, tripledes3key, tripledes, CBC,
DES_ECB_LM (non-Approved), RC2Key (non-Approved), RC2KeyEx (non-Approved),
RC2 (non-Approved), deskey (non-Approved), des (non-Approved),
rc4_key (non-Approved), rc4 (non-Approved).
See MSDN Library\Platform SDK\Windows Base Services\Security\CryptoAPI
2.0\CryptoAPI Reference\CryptoAPI Functions\Base Cryptography Functions\Key
Generation and Exchange Functions for more information.
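As an added example (not code from this security policy or from Microsoft), the following portable C routine inspects the header of a key blob in the format CryptExportKey() produces and reports whether private key material left the module in the clear or protected by an export key, and whether a session key is wrapped or in plaintext. The BLOBHEADER layout, blob-type values, ALG_IDs and the "RSA2" magic are assumed from wincrypt.h; none of them are stated on this page.

```c
/* Added example, not code from the RSAENH security policy or from Microsoft: a
 * portable header inspector for key blobs in the format CryptExportKey() produces.
 * Layout and constants follow wincrypt.h (assumed, they are not stated on this page):
 * BLOBHEADER = bType(1) bVersion(1) reserved(2) aiKeyAlg(4), all little-endian. */
#include <stdint.h>
#include <stddef.h>

#define SIMPLEBLOB           0x01
#define PUBLICKEYBLOB        0x06
#define PRIVATEKEYBLOB       0x07
#define PLAINTEXTKEYBLOB     0x08
#define SYMMETRICWRAPKEYBLOB 0x0B
#define CUR_BLOB_VERSION     0x02
#define RSA2_MAGIC           0x32415352u /* "RSA2": RSAPUBKEY magic of a clear private key */

enum blob_class { BLOB_INVALID, BLOB_PUBLIC, BLOB_PRIVATE_CLEAR,
                  BLOB_PRIVATE_ENCRYPTED, BLOB_SYMKEY_CLEAR, BLOB_SYMKEY_WRAPPED };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* ALG_ID names for the RSA exchange key and the symmetric ciphers the page lists */
const char *alg_name(uint32_t alg) {
    switch (alg) {
    case 0xa400: return "RSA_KEYX"; case 0x2400: return "RSA_SIGN";
    case 0x6601: return "DES";      case 0x6603: return "3DES";
    case 0x6602: return "RC2";      case 0x6801: return "RC4";
    case 0x660e: return "AES-128";  case 0x660f: return "AES-192";
    case 0x6610: return "AES-256";  default:     return "unknown";
    }
}

/* Classify a blob from its header; *alg receives aiKeyAlg when the header is valid.
 * A private key exported without a wrapping key (hExpKey == 0) carries RSAPUBKEY in
 * the clear right after the header, so a readable "RSA2" magic means the private key
 * material is unprotected; otherwise that region is ciphertext under the export key. */
enum blob_class classify_blob(const uint8_t *blob, size_t len, uint32_t *alg) {
    if (len < 8 || blob[1] != CUR_BLOB_VERSION) return BLOB_INVALID;
    *alg = rd32(blob + 4);
    switch (blob[0]) {
    case PUBLICKEYBLOB:        return BLOB_PUBLIC;
    case PLAINTEXTKEYBLOB:     return BLOB_SYMKEY_CLEAR;
    case SYMMETRICWRAPKEYBLOB: return BLOB_SYMKEY_WRAPPED;
    case SIMPLEBLOB:  /* followed by the ALG_ID of the exchange key that wraps it */
        return len >= 12 ? BLOB_SYMKEY_WRAPPED : BLOB_INVALID;
    case PRIVATEKEYBLOB:
        if (len < 12) return BLOB_INVALID;
        return rd32(blob + 8) == RSA2_MAGIC ? BLOB_PRIVATE_CLEAR : BLOB_PRIVATE_ENCRYPTED;
    default:                   return BLOB_INVALID;
    }
}
```

A storage or archival layer can run this check before writing a blob to the registry or file system and refuse anything classified as BLOB_PRIVATE_CLEAR or BLOB_SYMKEY_CLEAR.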
Key Storage
RSAENH offloads key storage operations to the Microsoft Windows CE operating
system. Keys are not stored in the cryptographic module; private keys are protected
by the Microsoft Data Protection API (DPAPI) service and then stored in the
registry or file system. For purposes of FIPS validation, these keys are considered
plaintext. Keys are zeroized from memory after use. Only the key used for power-up
self-testing is stored in the cryptographic module.
When an operator requests a keyed cryptographic operation from RSAENH, his/her
keys are retrieved from the registry or file system.
RSA private and public keys are stored in named key containers. The key
containers are stored in the following registry locations:
Key containers created with the CRYPT_MACHINE_KEYSET flag:
HKEY_LOCAL_MACHINE\Comm\Security\Crypto\UserKeys\Microsoft Enhanced Cryptographic Provider v1.0\<KeyContainerName>
Key containers created without the CRYPT_MACHINE_KEYSET flag: