Enhanced Provider Key BLOBs

The Base Provider, Strong Provider, and Enhanced Provider use the same key BLOBs.

Public Key BLOBs

Public key BLOBs, type PUBLICKEYBLOB, are used to store public keys outside a cryptographic service provider (CSP). Extended provider public key BLOBs have the following format.

PUBLICKEYSTRUC  publickeystruc;
RSAPUBKEY rsapubkey;
BYTE modulus[rsapubkey.bitlen/8];

The following table describes each public key component. All values are in little-endian format.

FieldDescription
modulusThe public key modulus data is located directly after the RSAPUBKEY structure. The size of this data will vary, depending on the size of the public key. The number of bytes can be determined by dividing the value of the RSAPUBKEY bitlen field by eight.
publickeystrucA PUBLICKEYSTRUC structure.
rsapubkeyA RSAPUBKEY structure. The magic member must be set to 0x31415352. This hexadecimal value is the ASCII encoding of RSA1.

 

Note  Public key BLOBs are not encrypted. They contain public keys in plaintext form.
 

Private Key BLOBs

Private key BLOBs, type PRIVATEKEYBLOB, are used to store private keys outside a CSP. Extended provider private key BLOBs have the following format.

PUBLICKEYSTRUC  publickeystruc;
RSAPUBKEY rsapubkey;
BYTE modulus[rsapubkey.bitlen/8];
BYTE prime1[rsapubkey.bitlen/16];
BYTE prime2[rsapubkey.bitlen/16];
BYTE exponent1[rsapubkey.bitlen/16];
BYTE exponent2[rsapubkey.bitlen/16];
BYTE coefficient[rsapubkey.bitlen/16];
BYTE privateExponent[rsapubkey.bitlen/8];

The following table describes the private key BLOB component.

Note  These fields correspond to the fields described in section 7.2 of Public Key Cryptography Standards (PKCS) #1 with minor differences.
 
FieldDescription
coefficientCoefficient. This has a numeric value of (inverse of q) mod p.
exponent1Exponent 1. This has a numeric value of d mod (p – 1).
exponent2Exponent 2. This has a numeric value of d mod (q – 1).
ModulusThe modulus. This has a value of Prime1×Prime2 and is often known as n.
prime1Prime number 1, often known as p.
prime2Prime number 2, often known as q.
privateExponentPrivate exponent, often known as d.
publickeystrucA PUBLICKEYSTRUC structure.
rsapubkeyA RSAPUBKEY structure. The magic member must be set to 0x32415352. This hexadecimal value is the ASCII encoding of RSA2.

 

Note  Private key BLOBs are not encrypted. They contain private keys in plaintext form.
 

When calling CryptExportKey, the developer can choose whether to encrypt the key. The PRIVATEKEYBLOB is encrypted if the hExpKey parameter contains a valid handle to a session key. Everything but the PUBLICKEYSTRUC portion of the BLOB is encrypted.

Note  The encryption algorithm and encryption key parameters are not stored along with the private key BLOB. The application must manage and store this information. If zero is passed for hExpKey, the private key will be exported without encryption.
 
Caution  It is dangerous to export private keys without encryption because they are then vulnerable to interception and use by unauthorized entities.
 

Simple Key BLOBs

Simple key BLOBs, type SIMPLEBLOB, are used to store and transport session keys outside a CSP. Extended provider simple key BLOBs are always encrypted with a key exchange public key. The pbData member of the SIMPLEBLOB is a sequence of bytes in the following format.

PUBLICKEYSTRUC  publickeystruc;
ALG_ID algid;
BYTE encryptedkey[rsapubkey.bitlen/8];

The following table describes each component of the pbData member of the SIMPLEBLOB.

FieldDescription
algidAn ALG_ID structure that specifies the encryption algorithm used to encrypt the session key data. This typically has a value of CALG_RSA_KEYX, which indicates that the session key data was encrypted with a key exchange public key using the RSA Public Key algorithm.
encryptedkeyA BYTE sequence that represents the encrypted session key data in the form of a PKCS #1, type 2 encryption block. For information about this data format, see the Public Key Cryptography Standards (PKCS) #1, published by RSA Data Security, Inc.

This data is always the same size as the modulus of the public key. For example, public keys generated by the Microsoft RSA Base Provider can be 512 bits (64 bytes) in length, so the encrypted session key data is also always 512 bits (64 bytes).

publickeystrucA PUBLICKEYSTRUC structure.

 

For information about the Base Provider and Extended Provider key BLOBs, see Base Provider Key BLOBs.

 

 

Show: