Using CNG, is it possible to decrypt data encrypted by CAPI

  • Question

  • When encrypting data using CAPI, I follow this sequence:
    1. CryptAcquireContextW using the provider "Microsoft Enhanced RSA and AES Cryptographic Provider".
    2. CryptCreateHash and CryptHashData for a password string.
    3. CryptDeriveKey for generating the encryption key, using AES128.
    4. CryptSetKeyParam for CBC mode.
    5. CryptEncrypt the data without an IV.
    When decrypting data using CNG, I follow this sequence:
    1. BCryptOpenAlgorithmProvider using the AES provider "Microsoft Primitive Provider".
    2. BCryptCreateHash and BCryptHashData for the same password string as used when encrypting with CAPI.
    3. BCryptSetProperty for setting CBC mode.
    4. BCryptGenerateSymmetricKey to generate the AES key (128-bit).
    5. BCryptDecrypt for decrypting the data without an IV.

    During this process the hash is the same, but the data cannot be decrypted correctly.
    Does anybody know if it is possible to decrypt data encrypted by CAPI using CNG?
    If yes, is there any problem with my operation?

    Thanks.
    Rain 

    Wednesday, June 9, 2010 3:07 AM

Answers

All replies

  • Hello Rain

    You want to use the BCryptDeriveKey Function:
    http://msdn.microsoft.com/en-us/library/aa375393(VS.85).aspx
    This can be used to achieve interoperability with CAPI.

    Please note that the CAPI KDF is not exposed through the BCryptDeriveKey interface. Also, BCryptDeriveKey only works in conjunction with a secret agreement scheme such as DH or ECDH. You can’t just call BCryptDeriveKey, you need a secret handle generated by a previous BCryptSecretAgreement call.


    Regards,
    Jialiang Ge
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Saturday, June 12, 2010 1:32 AM
    Moderator
  • Hi Jialiang,

    Thanks for your reply.

     

    I have noticed this function (BCryptDeriveKey) before. It seems that I need a public and private key to create a secret agreement, which is asymmetric encryption.

    My requirement is encrypting plenty of data with a password using a symmetric encryption algorithm. When restoring, we will need this password to restore the data. As we know, asymmetric encryption should not be used for encrypting plenty of data, and CNG only exists from Vista onward.

    So could you confirm whether it is possible to decrypt data encrypted by CAPI using CNG when I use a symmetric encryption algorithm?

    Thanks.
    Rain

     

    Saturday, June 12, 2010 10:53 AM
  • Hi Jialiang,

    Thanks for your reply.

    I have noticed this API (BCryptDeriveKey) before, and I have found there is a sample referring to it in the CNG SDK.

    Just like you said, to use this API we need public and private keys when encrypting, which would be an asymmetric encryption method.

    Because I need to encrypt plenty of data, I need a symmetric algorithm to implement it.

    Could you help me confirm whether CNG is able to achieve interoperability with CAPI using a symmetric algorithm?

     

    Regards.

    Rain

    Sunday, June 13, 2010 2:19 AM
  • Hello

    I performed more research and found that the API BCryptDeriveKeyCapi is what you want: http://msdn.microsoft.com/en-us/library/dd433794(VS.85).aspx.

    BCryptDeriveKeyCapi just produces a bunch of bytes, which you can pass to BCryptGenerateSymmetricKey. BCryptDeriveKeyCapi does not require public/private keys.


    Regards,
    Jialiang Ge
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Tuesday, June 15, 2010 1:27 AM
    Moderator
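    What BCryptDeriveKeyCapi reproduces is CryptDeriveKey's own key derivation, which the CryptDeriveKey documentation spells out in its Remarks: hash the password; for AES or 3DES keys from a non-SHA-2 hash, form 64-byte buffers of 0x36 and 0x5C, XOR the hash value into the first bytes of each, hash both buffers with the same algorithm, and take the leading n bytes of the concatenation. The portable C below implements that derivation with its own SHA-1 so it can be checked outside Windows. It is an added example written for this thread, not code from any of the posters or from Microsoft. Its assumptions: the sample password "password" is constructed; the expansion is applied only when the requested key is longer than the hash (so AES-128 from SHA-1, as in the original question, is simply the first 16 hash bytes), which is this example's reading of the documented steps and should be confirmed against BCryptDeriveKeyCapi's output on Windows before relying on it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SHA1_LEN 20

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* SHA-1 compression of one 64-byte block into state h. */
static void sha1_block(uint32_t h[5], const uint8_t p[64]) {
    uint32_t w[80], a, b, c, d, e, f, k, t;
    int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)p[4 * i] << 24) | ((uint32_t)p[4 * i + 1] << 16) |
               ((uint32_t)p[4 * i + 2] << 8) | p[4 * i + 3];
    for (i = 16; i < 80; i++)
        w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4];
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* One-shot SHA-1 of msg[0..len) into out; stands in for CryptHashData plus the hash finish. */
void sha1(const uint8_t *msg, size_t len, uint8_t out[SHA1_LEN]) {
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    uint8_t blk[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64) sha1_block(h, msg + i);
    rem = len - i;
    memset(blk, 0, 64);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                                   /* padding: a 1 bit, then zeros */
    if (rem >= 56) { sha1_block(h, blk); memset(blk, 0, 64); }
    for (i = 0; i < 8; i++) blk[56 + i] = (uint8_t)(bits >> (56 - 8 * i)); /* big-endian bit length */
    sha1_block(h, blk);
    for (i = 0; i < 5; i++) {
        out[4 * i] = (uint8_t)(h[i] >> 24); out[4 * i + 1] = (uint8_t)(h[i] >> 16);
        out[4 * i + 2] = (uint8_t)(h[i] >> 8); out[4 * i + 3] = (uint8_t)h[i];
    }
}

/* CryptDeriveKey-style derivation of an n-byte key from SHA-1(password), i.e. the bytes
 * BCryptDeriveKeyCapi hands back for a SHA-1 hash object and an AES target algorithm.
 * Returns 0 on success, -1 if n exceeds the 2*SHA1_LEN bytes the expansion can yield. */
int capi_derive_key(const uint8_t *pw, size_t pwlen, uint8_t *key, size_t n) {
    uint8_t h[SHA1_LEN], b1[64], b2[64], d1[SHA1_LEN], d2[SHA1_LEN];
    size_t i;
    if (n > 2 * SHA1_LEN) return -1;
    sha1(pw, pwlen, h);
    /* Key no longer than the hash: the leading n bytes of the hash value. This is the
     * example's reading of the documented steps; AES-128 from SHA-1 lands here. */
    if (n <= SHA1_LEN) { memcpy(key, h, n); return 0; }
    /* Longer key (e.g. AES-256 from SHA-1): the documented 0x36/0x5C expansion.
     * Steps 1 and 2: 64-byte pads with the hash XORed into their first SHA1_LEN bytes. */
    memset(b1, 0x36, 64);
    memset(b2, 0x5C, 64);
    for (i = 0; i < SHA1_LEN; i++) { b1[i] ^= h[i]; b2[i] ^= h[i]; }
    sha1(b1, 64, d1);                                  /* step 3 */
    sha1(b2, 64, d2);                                  /* step 4 */
    memcpy(key, d1, SHA1_LEN);                         /* step 5: first n bytes of d1 || d2 */
    memcpy(key + SHA1_LEN, d2, n - SHA1_LEN);
    return 0;
}

int main(void) {
    const char *pw = "password";                       /* constructed sample password */
    uint8_t key[32];
    size_t i;
    if (capi_derive_key((const uint8_t *)pw, strlen(pw), key, sizeof key) != 0) return 1;
    for (i = 0; i < sizeof key; i++) printf("%02x", key[i]); /* the AES-256 key bytes */
    printf("\n");
    return 0;
}
```

    Two checks worth making when reproducing the original question's pipeline in CNG: CryptEncrypt "without an IV" means CBC with the provider's default all-zero IV and PKCS#5 padding on the final block, so the BCryptDecrypt side needs an explicit 16-byte zero IV buffer (BCryptDecrypt updates that buffer in place) and the BCRYPT_BLOCK_PADDING flag; and the derived bytes must go through BCryptGenerateSymmetricKey as the key material, not be hashed again. This derivation is a single unsalted hash of the password and is only worth reproducing for compatibility with existing CAPI ciphertext; for new data use a salted, iterated KDF such as PBKDF2 (BCryptDeriveKeyPBKDF2 in CNG).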
  • Jialiang,

    Thanks for your suggestions. It works in my demo project.
    One more question: can this function (BCryptDeriveKeyCapi) be used in kernel mode?

    Thanks.
    Rain

    Thursday, June 17, 2010 6:50 AM
  • Hello Rain

    I'm not familiar with kernel mode development, however, you may get the answer in this newsgroup:

    microsoft.public.development.device.drivers


    Regards,
    Jialiang Ge
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Thursday, June 17, 2010 8:39 AM
    Moderator
  • Thanks a ton, Jialiang.
    Have a nice day.

    Friday, June 18, 2010 3:14 AM
  • I want to use BCryptDeriveKeyCapi to get an AES-256 key from a hash (SHA1(password)). I generated the hash, but I have a problem with the BCryptDeriveKeyCapi syntax. Could you send an example of the code?

    #include <windows.h>
    #include <bcrypt.h>
    #include <stdio.h>
    #include <string.h>
    #include <iostream>
    #pragma comment(lib, "bcrypt.lib")

    #ifndef NT_SUCCESS
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
    #endif

    int main()
    {
    NTSTATUS status = (NTSTATUS)0xC0000001L; // STATUS_UNSUCCESSFUL until a call succeeds
    BCRYPT_ALG_HANDLE hashAlg = NULL;        // SHA-1 provider, used to build the hash object
    BCRYPT_ALG_HANDLE targetAlg = NULL;      // AES provider: the algorithm the derived key is for
    BCRYPT_HASH_HANDLE hHash = NULL;
    PBYTE pbDerivedKey = NULL;
    DWORD cbDerivedKey = 32;                 // 32 bytes = AES-256 key
    const char password[] = "password";      // hashed as raw bytes, exactly as CryptHashData would see them

    //allocate the key buffer on the heap
    pbDerivedKey = (PBYTE)HeapAlloc(GetProcessHeap(), 0, cbDerivedKey);
    if (NULL == pbDerivedKey)
    {
    wprintf(L"**** memory allocation failed\n");
    goto Cleanup;
    }

    //hash the password with SHA-1 (the CNG equivalent of CryptCreateHash/CryptHashData);
    //BCryptFinishHash is not called: BCryptDeriveKeyCapi takes the hash object itself
    if (!NT_SUCCESS(status = BCryptOpenAlgorithmProvider(&hashAlg, BCRYPT_SHA1_ALGORITHM, NULL, 0)) ||
    !NT_SUCCESS(status = BCryptCreateHash(hashAlg, &hHash, NULL, 0, NULL, 0, 0)) ||
    !NT_SUCCESS(status = BCryptHashData(hHash, (PBYTE)password, (ULONG)strlen(password), 0)))
    {
    wprintf(L"**** Error 0x%x returned while hashing the password\n", status);
    goto Cleanup;
    }

    //open a handle to the algorithm the key will be used with: AES, not the hash algorithm
    if (!NT_SUCCESS(status = BCryptOpenAlgorithmProvider(
    &targetAlg,
    BCRYPT_AES_ALGORITHM,
    NULL,
    0)))
    {
    wprintf(L"**** Error 0x%x returned by BCryptOpenAlgorithmProvider\n", status);
    goto Cleanup;
    }

    //derive cbDerivedKey bytes the way CryptDeriveKey would; these bytes are the key material
    //to pass to BCryptGenerateSymmetricKey
    if (!NT_SUCCESS(status = BCryptDeriveKeyCapi(hHash, targetAlg, pbDerivedKey, cbDerivedKey, 0)))
    {
    wprintf(L"**** Error 0x%x returned by BCryptDeriveKeyCapi\n", status);
    goto Cleanup;
    }

    for (DWORD i = 0; i < cbDerivedKey; i++)
    std::cout << std::hex << +pbDerivedKey[i] << " ";
    std::cout << std::endl;

    Cleanup:
    if (hHash) BCryptDestroyHash(hHash);
    if (hashAlg) BCryptCloseAlgorithmProvider(hashAlg, 0);
    if (targetAlg) BCryptCloseAlgorithmProvider(targetAlg, 0);
    if (pbDerivedKey) HeapFree(GetProcessHeap(), 0, pbDerivedKey);
    return NT_SUCCESS(status) ? 0 : 1;
    }


    Monday, September 30, 2019 3:51 PM