Key Blobs Explained
Key blobs provide a way to store keys outside of the CSP. The Generating Cryptographic Keys
section stated that keys are always kept inside of the provider for
safekeeping and applications are only allowed access to the key through a handle. Well,
key blobs are the one exception to this rule.
Key blobs are created by exporting an existing key out of the provider, using
function. Later, the key blob can be imported into a provider (often a
different provider on a different computer), using the CryptImportKey
function. This will create a key in the provider that is a duplicate of the
one that was exported. In this way, key blobs are used as the medium for
securely transferring keys from one provider to another.
Private keys can be neither exported nor imported
leave the safety of the CSP module. When the handle to a public/private key
pair is passed into CryptExportKey
, only the public portion is placed into the key blob.
Key blobs consist of a standard header followed by data that represents the
key itself. If the key blob contains a session key, then this data is always kept
encrypted. Applications generally do not access the internals of key blobs
but, instead, treat them as opaque objects. This opaque quality was the
inspiration for the name of "key blob."
Key blobs are personalized in that they are encrypted with the key exchange
public key of the intended recipient. This makes them fairly secure. To make them
tamperproof, keys are sometimes signed with the key exchange private key of
the originating user.
There are currently three types of key blobs defined:
- Software for developers
Software for Android Developers
- More information resources
Unix Manual Pages
- Databases for Amazon shops developers
Amazon Categories Database
Browse Nodes Database