How to deal with plaintext keys using CNG?

I have a set of predefined plaintext keys that I use for symmetric encryption / decryption. These keys are used for encrypted communication with hardware devices connected to the PC. I would like to use a CNG keystore provider to securely store these keys. Encryption and decryption must be performed outside of the CNG. I only need a safe place to store and from where the predefined plaintext keys can be obtained. In recent days I have looked into the link for CNG functions, but have not been able to find a way to import / export a symmetric cleartext key, identified by name, into a CNG key container.

I know that CryptoAPI provides functions to import / export session keys. But this old API does not provide persistent (session) keys, nor does it allow you to select / identify keys by name in the key container.

Any help is greatly appreciated. Thanks in advance.



1 answer


I'm afraid you are out of luck getting a straightforward solution, as CNG key storage providers currently support asymmetric keys, but not symmetric keys. Only primitive providers support symmetric keys.

This model focuses on asymmetric keys that need to be protected in the long term, with the symmetric keys being used for only one session and then discarded. These symmetric keys can be derived from an asymmetric key such as Diffie-Hellman or ECDH.



You say you want the keys to be stored securely, but that encryption / decryption is done outside of CNG. Depending on what threats you are trying to protect against, this may not be the right approach. Typically, if you store keys in a key store, you want the cryptographic operations to be done inside the key storage provider, and you do not want the keys to ever leave it (other than encrypted with a different key), as this would hand key material to an attacker.

However, if you are sure that this is what you want, one option would be to create an RSA key in your key store and use it to encrypt and decrypt the symmetric keys. You then store the encrypted symmetric key blobs elsewhere, for example in the file system.

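The wrap-and-store option described in the answer, as an added example that is not part of the original question or answer: a persisted, non-exportable RSA key is created in the Microsoft Software Key Storage Provider (the CNG KSP), a predefined symmetric key is wrapped with it using RSA-OAEP, the wrapped blob is written to a file, and the key is unwrapped again when a device session needs it. It uses the .NET `CngKey` / `RSACng` wrappers over the KSP rather than the raw `NCrypt*` C functions; the key name `DeviceKeyWrapper`, the wrapped-blob file path, and the 32-byte sample key are assumptions made up for illustration.

```powershell
# Added example (not from the original page): wrap a plaintext symmetric key
# with an RSA key that lives in the CNG key storage provider, keep only the
# wrapped blob on disk, and unwrap it on demand for use outside CNG.
# Assumed names: key 'DeviceKeyWrapper', blob path under $env:LOCALAPPDATA.

$keyName     = 'DeviceKeyWrapper'                              # assumed KSP key name
$wrappedPath = Join-Path $env:LOCALAPPDATA 'device42.key.wrapped'  # assumed path

# Create the RSA wrapping key once; on later runs just open it by name.
if ([System.Security.Cryptography.CngKey]::Exists($keyName)) {
    $cngKey = [System.Security.Cryptography.CngKey]::Open($keyName)
} else {
    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    # Non-exportable: the private key never leaves the provider.
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
    $params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Decryption
    $params.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    # Set the key length (2048 bits) via the NCRYPT "Length" property.
    $lengthProp = New-Object System.Security.Cryptography.CngProperty(
        'Length',
        [BitConverter]::GetBytes([int]2048),
        [System.Security.Cryptography.CngPropertyOptions]::None)
    $params.Parameters.Add($lengthProp)
    $cngKey = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $params)
}

$rsa  = New-Object System.Security.Cryptography.RSACng($cngKey)
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Constructed sample: one predefined 256-bit device key. In practice this is
# the real key, wrapped once at provisioning time and then discarded.
$deviceKey = [byte[]](1..32)

# Wrap the symmetric key inside the KSP and persist only the wrapped blob.
$wrapped = $rsa.Encrypt($deviceKey, $oaep)
[System.IO.File]::WriteAllBytes($wrappedPath, $wrapped)

# Later, before a device session: unwrap with the KSP-held private key.
$blob      = [System.IO.File]::ReadAllBytes($wrappedPath)
$unwrapped = $rsa.Decrypt($blob, $oaep)

if ([System.Linq.Enumerable]::SequenceEqual([byte[]]$unwrapped, [byte[]]$deviceKey)) {
    Write-Output 'round-trip OK: unwrapped key matches the predefined key'
}

# The plaintext copy now exists in process memory; clear it as soon as the
# session that needed it is over.
[System.Array]::Clear($unwrapped, 0, $unwrapped.Length)
[System.Array]::Clear($deviceKey, 0, $deviceKey.Length)
```

Note that this only narrows the exposure rather than removing it: the private key stays in the provider, but every unwrap puts the symmetric key back into your process's memory, which is exactly the caveat the answer raises. Restricting who can read the wrapped blob files and who can open the named key (the KSP key is per-user unless created with machine-key options) are the two controls that remain.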






