Procedure for Storing a Session Key
To store a session key
- Create a simple key BLOB by using the CryptExportKey function. This will transfer the session key from the CSP to an application's memory space. Specify that an exchange public key be used to sign the key BLOB.
- Store the signed key BLOB to disk. It is assumed that all disks are nonsecure.
- When the key is needed, read the key BLOB from disk.
- Import the key BLOB back into the CSP by using the CryptImportKey function.
This procedure provides only minimal security. If the stored session key will later be used to encrypt data, the preceding procedure does not provide adequate protection.
To provide greater security, sign the key BLOB with an exchange private key before it is stored to disk. When the key BLOB is later read from disk, its signature can be validated to ensure that the key BLOB is intact.
If the key BLOB is not signed, anyone with access to the disk or other media where the key is stored can create a new session key.
The new session key can be encrypted with the original user's key exchange public key, and this new key BLOB can be substituted for the original. If the user unknowingly used the substituted session key to encrypt files and messages, the individual who created the substitute key could easily decrypt them.
Digital signatures are discussed in detail in Hashes and Digital Signatures.