Alternatives to Storing Session Keys
Instead of storing a random session key blob, a derived key can be used. Derived session keys are created from a password using the CryptDeriveKey function. In this way, instead of storing a particular derived key, an application can create a derived key as needed by prompting the user for the password.
Stored key blobs depend on the stability of the public/private key pairs stored within the CSP. If these key pairs are somehow lost (for example, through a hardware or software incident), you will be unable to decrypt your key blobs. This means that any data that has been encrypted using these keys will also be lost. For this reason, it is recommended that you use a backup authority when storing long-term archival data.
A backup authority is a trusted application running on a secure computer that provides storage for the session keys of its clients. All session keys stored there are encrypted in the form of key blobs with the backup authority's public key. An application using a backup authority typically follows these steps:
- Encrypt the file normally.
- Export the session key used to encrypt the file into a simple key blob, specifying that your own key exchange public key be used to encrypt the key blob. Store this key blob with the encrypted file.
- Export the session key again, this time specifying that the backup authority's public key be used to encrypt the key blob. Send this key blob to the backup authority, along with the key's description, serial number, etc.
If, at a later time, you lose your key pairs, you can retrieve the session keys from the backup authority. (You will first have to establish your identity to the backup authority, but this procedure falls outside the scope of CryptoAPI.)
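Both alternatives above, the password-derived session key and the backup-authority escrow steps, as an added example that is not Microsoft's or CryptoAPI's own code. CryptoAPI is a C interface to a CSP; this Python models the same workflow with the standard library only. PBKDF2 stands in for CryptDeriveKey, and the HMAC-SHA256 keystream cipher, the textbook RSA "key-exchange key pairs" over fixed Mersenne primes, the `serial` lookup id and all function names are constructed assumptions made so the example runs offline.

```python
# Added example (not Microsoft's CryptoAPI code): models both alternatives from
# the text with Python's standard library only. PBKDF2 stands in for
# CryptDeriveKey; the HMAC-SHA256 keystream cipher and textbook RSA over fixed
# Mersenne primes are constructed stand-ins for the CSP's cipher and
# key-exchange key pairs, chosen so the workflow runs offline.
import hashlib
import hmac
import os


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two known primes (stand-in for a CSP key pair)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


# Known Mersenne primes; distinct pairs so the two parties hold distinct keys.
OWNER_PUB, OWNER_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
AUTHORITY_PUB, AUTHORITY_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)


def export_key_blob(session_key, public_key):
    """Simple key blob: the 16-byte session key encrypted with a public key."""
    m = int.from_bytes(session_key, "big")
    return pow(m, public_key["e"], public_key["n"]).to_bytes(32, "big")


def import_key_blob(blob, private_key):
    """Recover the session key from a blob using the matching private key."""
    m = pow(int.from_bytes(blob, "big"), private_key["d"], private_key["n"])
    if m.bit_length() > 128:
        raise ValueError("blob was not wrapped for this key pair")
    return m.to_bytes(16, "big")


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- Alternative 1: derive the session key from a password (no stored blob) --

def derive_session_key(password, salt):
    """Re-create the key on demand from the password instead of storing it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=16)


def protect_with_password(plaintext, password):
    """Only salt and nonce are stored beside the ciphertext; no key blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_session_key(password, salt)
    return {"salt": salt, "nonce": nonce,
            "ciphertext": keystream_xor(key, nonce, plaintext)}


def open_with_password(package, password):
    key = derive_session_key(password, package["salt"])
    return keystream_xor(key, package["nonce"], package["ciphertext"])


# --- Alternative 2: random session key escrowed with a backup authority -----

def protect_with_backup_authority(plaintext, owner_pub, authority_pub):
    """The three steps from the text: encrypt, export blob for yourself,
    export a second blob for the backup authority."""
    session_key, nonce = os.urandom(16), os.urandom(16)
    own_blob = export_key_blob(session_key, owner_pub)
    serial = hashlib.sha256(own_blob).hexdigest()[:16]  # constructed lookup id
    package = {"serial": serial, "nonce": nonce, "key_blob": own_blob,
               "ciphertext": keystream_xor(session_key, nonce, plaintext)}
    escrow_record = {"serial": serial, "description": "archive session key",
                     "key_blob": export_key_blob(session_key, authority_pub)}
    return package, escrow_record


def open_with_own_keys(package, owner_priv):
    key = import_key_blob(package["key_blob"], owner_priv)
    return keystream_xor(key, package["nonce"], package["ciphertext"])


def recover_via_backup_authority(package, escrow_records, authority_priv):
    """After the owner's key pair is lost: find the escrowed copy by serial."""
    record = next(r for r in escrow_records if r["serial"] == package["serial"])
    key = import_key_blob(record["key_blob"], authority_priv)
    return keystream_xor(key, package["nonce"], package["ciphertext"])


if __name__ == "__main__":
    data = b"constructed sample archive contents"
    pkg, rec = protect_with_backup_authority(data, OWNER_PUB, AUTHORITY_PUB)
    assert open_with_own_keys(pkg, OWNER_PRIV) == data
    # Owner's key pair is gone; the escrowed blob still unlocks the file.
    print("recovered:", recover_via_backup_authority(pkg, [rec], AUTHORITY_PRIV))
```

Two points the code makes concrete: in the password alternative nothing key-shaped is stored at all, only a salt, so there is no blob whose loss could strand the data; and in the escrow alternative the backup authority receives only the second key blob plus metadata, never the file, so a compromise of its storage exposes session keys but not ciphertext. The escrowed blob is the single recovery path, so the authority's own key-exchange private key deserves the same protection as the archive it guards.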