Expand Minimize
EN
Deze inhoud is niet beschikbaar in uw taal, maar wel in het Engels.

CryptDeriveKey function

The CryptDeriveKey function generates cryptographic session keys derived from a base data value. This function guarantees that when the same cryptographic service provider (CSP) and algorithms are used, the keys generated from the same base data are identical. The base data can be a password or any other user data.

This function is the same as CryptGenKey, except that the generated session keys are derived from base data instead of being random. CryptDeriveKey can only be used to generate session keys. It cannot generate public/private key pairs.

A handle to the session key is returned in the phKey parameter. This handle can be used with any CryptoAPI function that requires a key handle.

Syntax


BOOL WINAPI CryptDeriveKey(
  _In_     HCRYPTPROV hProv,
  _In_     ALG_ID Algid,
  _In_     HCRYPTHASH hBaseData,
  _In_     DWORD dwFlags,
  _Inout_  HCRYPTKEY *phKey
);

Parameters

hProv [in]

A HCRYPTPROV handle of a CSP created by a call to CryptAcquireContext.

Algid [in]

An ALG_ID structure that identifies the symmetric encryption algorithm for which the key is to be generated. The algorithms available will most likely be different for each CSP. For more information about which algorithm identifier is used by the different providers for the key specs AT_KEYEXCHANGE and AT_SIGNATURE, see ALG_ID.

For more information about ALG_ID values to use with the Microsoft Base Cryptographic Provider, see Base Provider Algorithms. For more information about ALG_ID values to use with the Microsoft Strong Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, see Enhanced Provider Algorithms.

hBaseData [in]

A handle to a hash object that has been fed the exact base data.

To obtain this handle, an application must first create a hash object with CryptCreateHash and then add the base data to the hash object with CryptHashData. This process is described in detail in Hashes and Digital Signatures.

dwFlags [in]

Specifies the type of key generated.

The sizes of a session key can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 16 bits of this parameter. Thus, if a 128-bit RC4 session key is to be generated, the value 0x00800000 is combined with any other dwFlags predefined value with a bitwise-OR operation. Due to changing export control restrictions, the default CSP and default key length may change between operating system releases. It is important that both the encryption and decryption use the same CSP and that the key length be explicitly set using the dwFlags parameter to ensure interoperability on different operating system platforms.

The lower 16 bits of this parameter can be zero or you can specify one or more of the following flags by using the bitwise-OR operator to combine them.

ValueMeaning
CRYPT_CREATE_SALT

Typically, when a session key is made from a hash value, there are a number of leftover bits. For example, if the hash value is 128 bits and the session key is 40 bits, there will be 88 bits left over.

If this flag is set, then the key is assigned a salt value based on the unused hash value bits. You can retrieve this salt value by using the CryptGetKeyParam function with the dwParam parameter set to KP_SALT.

If this flag is not set, then the key is given a salt value of zero.

When keys with nonzero salt values are exported (by using CryptExportKey), the salt value must also be obtained and kept with the key BLOB.

CRYPT_EXPORTABLE

If this flag is set, the session key can be transferred out of the CSP into a key BLOB through the CryptExportKey function. Because keys generally must be exportable, this flag should usually be set.

If this flag is not set, then the session key is not exportable. This means the key is available only within the current session and only the application that created it is able to use it.

This flag does not apply to public/private key pairs.

CRYPT_NO_SALT

This flag specifies that a no salt value gets allocated for a 40-bit symmetric key. For more information, see Salt Value Functionality.

CRYPT_UPDATE_KEY

Some CSPs use session keys that are derived from multiple hash values. When this is the case, CryptDeriveKey must be called multiple times.

If this flag is set, a new session key is not generated. Instead, the key specified by phKey is modified. The precise behavior of this flag is dependent on the type of key being generated and on the particular CSP being used.

Microsoft cryptographic service providers ignore this flag.

CRYPT_SERVER
1024 (0x400)

This flag is used only with Schannel providers. If this flag is set, the key to be generated is a server-write key; otherwise, it is a client-write key.

 

phKey [in, out]

A pointer to a HCRYPTKEY variable to receive the address of the handle of the newly generated key. When you have finished using the key, release the handle by calling the CryptDestroyKey function.

Return value

If the function succeeds, the function returns nonzero (TRUE).

If the function fails, it returns zero (FALSE). For extended error information, call GetLastError.

The error codes prefaced by "NTE" are generated by the particular CSP being used. Some possible error codes are listed in the following table.

Return codeDescription
ERROR_INVALID_HANDLE

One of the parameters specifies a handle that is not valid.

ERROR_INVALID_PARAMETER

One of the parameters contains a value that is not valid. This is most often a pointer that is not valid.

NTE_BAD_ALGID

The Algid parameter specifies an algorithm that this CSP does not support.

NTE_BAD_FLAGS

The dwFlags parameter contains a value that is not valid.

NTE_BAD_HASH

The hBaseData parameter does not contain a valid handle to a hash object.

NTE_BAD_HASH_STATE

An attempt was made to add data to a hash object that is already marked "finished."

NTE_BAD_UID

The hProv parameter does not contain a valid context handle.

NTE_FAIL

The function failed in some unexpected way.

NTE_SILENT_CONTEXT

The provider could not perform the action because the context was acquired as silent.

 

Remarks

When keys are generated for symmetric block ciphers, the key by default is set up in cipher block chaining (CBC) mode with an initialization vector of zero. This cipher mode provides a good default method for bulk-encrypting data. To change these parameters, use the CryptSetKeyParam function.

The CryptDeriveKey function completes the hash. After CryptDeriveKey has been called, no more data can be added to the hash. Additional calls to CryptHashData or CryptHashSessionKey fail. After the application is done with the hash, CryptDestroyHash must be called to destroy the hash object.

To choose an appropriate key length, the following methods are recommended.

  • To enumerate the algorithms that the CSP supports and to get maximum and minimum key lengths for each algorithm, call CryptGetProvParam with PP_ENUMALGS_EX.
  • Use the minimum and maximum lengths to choose an appropriate key length. It is not always advisable to choose the maximum length because this can lead to performance issues.
  • After the desired key length has been chosen, use the upper 16 bits of the dwFlags parameter to specify the key length.

Let n be the required derived key length, in bytes. The derived key is the first n bytes of the hash value after the hash computation has been completed by CryptDeriveKey. If the hash is not a member of the SHA-2 family and the required key is for either 3DES or AES, the key is derived as follows:

  1. Form a 64-byte buffer by repeating the constant 0x36 64 times. Let k be the length of the hash value that is represented by the input parameter hBaseData. Set the first k bytes of the buffer to the result of an XOR operation of the first k bytes of the buffer with the hash value that is represented by the input parameter hBaseData.
  2. Form a 64-byte buffer by repeating the constant 0x5C 64 times. Set the first k bytes of the buffer to the result of an XOR operation of the first k bytes of the buffer with the hash value that is represented by the input parameter hBaseData.
  3. Hash the result of step 1 by using the same hash algorithm as that used to compute the hash value that is represented by the hBaseData parameter.
  4. Hash the result of step 2 by using the same hash algorithm as that used to compute the hash value that is represented by the hBaseData parameter.
  5. Concatenate the result of step 3 with the result of step 4.
  6. Use the first n bytes of the result of step 5 as the derived key.

The default RSA Full Cryptographic Service Provider is the Microsoft RSA Strong Cryptographic Provider. The default DSS Signature Diffie-Hellman Cryptographic Service Provider is the Microsoft Enhanced DSS Diffie-Hellman Cryptographic Provider. Each of these CSPs has a default 128-bit symmetric key length for RC2 and RC4.

The following table lists minimum, default, and maximum key lengths for session key by algorithm and provider.

ProviderAlgorithmsMinimum key lengthDefault key lengthMaximum key length
MS BaseRC4 and RC2404056
MS BaseDES565656
MS EnhancedRC4 and RC240128128
MS EnhancedDES565656
MS Enhanced3DES 112112112112
MS Enhanced3DES168168168
MS StrongRC4 and RC240128128
MS StrongDES565656
MS Strong3DES 112112112112
MS Strong3DES168168168
DSS/DH BaseRC4 and RC2404056
DSS/DH BaseCylink MEK404040
DSS/DH BaseDES565656
DSS/DH EnhRC4 and RC240128128
DSS/DH EnhCylink MEK404040
DSS/DH EnhDES565656
DSS/DH Enh3DES 112112112112
DSS/DH Enh3DES168168168

 

Examples

For an example that uses this function, see Example C Program: Deriving a Session Key from a Password.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Wincrypt.h

Library

Advapi32.lib

DLL

Advapi32.dll

See also

Key Generation and Exchange Functions
CryptAcquireContext
CryptCreateHash
CryptDestroyHash
CryptDestroyKey
CryptExportKey
CryptGenKey
CryptGetKeyParam
CryptHashData
CryptHashSessionKey
CryptSetKeyParam

 

 

Community-inhoud

Toevoegen
Weergeven:
© 2014 Microsoft