# Enhanced Provider Key BLOBs

The Base Provider, Strong Provider, and Enhanced Provider use the same *key BLOBs*.

## Public Key BLOBs

*Public key BLOBs*, type **PUBLICKEYBLOB**, are used to store *public keys* outside a *cryptographic service provider* (CSP). Extended provider public key BLOBs have the following format.

PUBLICKEYSTRUC publickeystruc; RSAPUBKEY rsapubkey; BYTE modulus[rsapubkey.bitlen/8];

The following table describes each public key component. All values are in *little-endian* format.

Field | Description |
---|---|

modulus | The public key modulus data is located directly after the
RSAPUBKEY structure. The size of this data will vary, depending on the size of the public key. The number of bytes can be determined by dividing the value of the RSAPUBKEY bitlen field by eight. |

publickeystruc | A
PUBLICKEYSTRUC structure. |

rsapubkey | A
RSAPUBKEY structure. The magic member must be set to 0x31415352. This hexadecimal value is the ASCII encoding of RSA1. |

**Note**Public key BLOBs are not encrypted. They contain public keys in

*plaintext*form.

## Private Key BLOBs

*Private key BLOBs*, type **PRIVATEKEYBLOB**, are used to store *private keys* outside a CSP. Extended provider private key BLOBs have the following format.

PUBLICKEYSTRUC publickeystruc; RSAPUBKEY rsapubkey; BYTE modulus[rsapubkey.bitlen/8]; BYTE prime1[rsapubkey.bitlen/16]; BYTE prime2[rsapubkey.bitlen/16]; BYTE exponent1[rsapubkey.bitlen/16]; BYTE exponent2[rsapubkey.bitlen/16]; BYTE coefficient[rsapubkey.bitlen/16]; BYTE privateExponent[rsapubkey.bitlen/8];

The following table describes the private key BLOB component.

**Note**These fields correspond to the fields described in section 7.2 of

*Public Key Cryptography Standards*(PKCS) #1 with minor differences.

Field | Description |
---|---|

coefficient | Coefficient. This has a numeric value of (inverse of q) mod p. |

exponent1 | Exponent 1. This has a numeric value of d mod (p – 1). |

exponent2 | Exponent 2. This has a numeric value of d mod (q – 1). |

Modulus | The modulus. This has a value of Prime1×Prime2 and is often known as n. |

prime1 | Prime number 1, often known as p. |

prime2 | Prime number 2, often known as q. |

privateExponent | Private exponent, often known as d. |

publickeystruc | A
PUBLICKEYSTRUC
structure. |

rsapubkey | A
RSAPUBKEY structure. The magic member must be set to 0x32415352. This hexadecimal value is the ASCII encoding of RSA2. |

**Note**Private key BLOBs are not encrypted. They contain private keys in plaintext form.

When calling
**CryptExportKey**, the developer can choose whether to encrypt the key. The **PRIVATEKEYBLOB** is encrypted if the *hExpKey* parameter contains a valid handle to a session key. Everything but the
**PUBLICKEYSTRUC** portion of the BLOB is encrypted.

**Note**The encryption algorithm and encryption key parameters are not stored along with the private key BLOB. The application must manage and store this information. If zero is passed for

*hExpKey*, the private key will be exported without encryption.

**Caution**It is dangerous to export private keys without encryption because they are then vulnerable to interception and use by unauthorized entities.

## Simple Key BLOBs

*Simple key BLOBs*, type **SIMPLEBLOB**, are used to store and transport session keys outside a CSP. Extended provider simple key BLOBs are always encrypted with a *key exchange public key*. The **pbData** member of the **SIMPLEBLOB** is a sequence of bytes in the following format.

PUBLICKEYSTRUC publickeystruc; ALG_ID algid; BYTE encryptedkey[rsapubkey.bitlen/8];

The following table describes each component of the **pbData** member of the **SIMPLEBLOB**.

Field | Description |
---|---|

algid | An ALG_ID structure that specifies the encryption algorithm used to encrypt the session key data. This typically has a value of CALG_RSA_KEYX, which indicates that the session key data was encrypted with a key exchange public key using the RSA Public Key algorithm. |

encryptedkey | A BYTE sequence that represents the encrypted session key data in the form of a PKCS #1, type 2 encryption block. For information about this data format, see the Public Key Cryptography Standards (PKCS) #1, published by RSA Data Security, Inc.
This data is always the same size as the modulus of the public key. For example, public keys generated by the Microsoft RSA Base Provider can be 512 bits (64 bytes) in length, so the encrypted session key data is also always 512 bits (64 bytes). |

publickeystruc | A
PUBLICKEYSTRUC structure. |

For information about the Base Provider and Extended Provider key BLOBs, see Base Provider Key BLOBs.