Hello,

If a public/private key pair is obtained from CryptGetUserKey, the
'CryptDestroyKey' function only destroys the handle but the underlying key
pair is not destroyed by this function. In my application, I'm required to
destroy the underlying key pair for security reasons. Does anyone know
how to do this?

Thank You!

Re: Destroying private/public keys by gangadhar

gangadhar
Mon Apr 26 15:53:39 CDT 2004

hi,
Can you explain more about what you mean by destroying the key pair?
When you create a pub/pvt pair, all you get is the handle to the pair.
And when you destroy the handle, the key pair will get destroyed. A
little more explanation can help.
regards
gangadhar

RE: Destroying private/public keys by v-garych

v-garych
Tue Apr 27 04:10:54 CDT 2004

Hi Ririko Horvath,

> If a public/private key pair is obtained from CryptGetUserKey, the
> 'CryptDestroyKey' function only destroys the handle but the underlying key
> pair is not destroyed by this function. In my application, I'm required to
> destroy the underlying key pair for the security reasons.

From my understanding, the key pair belongs to the CSP; it isn't
controlled by the client application. The application only has the right to
visit the key pair via the corresponding handle by using the Crypt API.

If the application uses "CryptDestroyKey", "CryptDestroyHash" and
"CryptReleaseContext" to release the corresponding handle to the CSP
internal key pair, the application itself will not be able to visit the key
pair again, so from then on, the application will do nothing with the CSP's
key pair.

So, to destroy the underlying key pair of CSP, I don't think it is the
proper task the client application should do.


Thanks!

Best regards,

Gary Chang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------


Re: Destroying private/public keys by Ririko

Ririko
Tue Apr 27 07:15:38 CDT 2004

Thanks for replying. What do you mean by associated key pairs are destroyed
when the key handle is destroyed? I want to make sure that there are no
traces of keys in the memory or on disk that someone can maliciously access.

Thanks.



Re: Destroying private/public keys by Igor

Igor
Tue Apr 27 13:55:37 CDT 2004

That's the responsibility of cryptographic provider. A well written
provider ensures that the key material is completely erased. You have no
choice but to trust the provider in this. The API intentionally does not
give you direct access to memory where keys are stored, so you cannot
erase it yourself.
--
With best wishes,
Igor Tandetnik

"For every complex problem, there is a solution that is simple, neat,
and wrong." H.L. Mencken



Re: Destroying private/public keys by Ririko

Ririko
Wed Apr 28 08:10:04 CDT 2004

Does this mean that if I am using Microsoft's "MS_ENHANCED_PROV" as the
cryptographic provider, Microsoft ensures that the key material is
completely erased when the key handle is destroyed?

Thank you!



Re: Destroying private/public keys by Igor

Igor
Wed Apr 28 08:57:55 CDT 2004

Well, I haven't looked at the source code and I can't be positively
sure, but I would be greatly surprised if MS provider does not zero out
keys when deleted.
--
With best wishes,
Igor Tandetnik

"For every complex problem, there is a solution that is simple, neat,
and wrong." H.L. Mencken



Re: Destroying private/public keys by v-garych

v-garych
Thu Apr 29 21:50:26 CDT 2004

Hi Ririko,

> I want to make sure that there are no traces of keys in the memory or on
> disk that someone can maliciously access.

Generally speaking, we do not have a solution to this.

The users must fully implement their own solution without using any
Microsoft APIs. For example, we don't make any guarantees that these keys
won't be left in the memory (or in the page file) because of their
temporary usage.

Only the *persistent* behavior of RSA private keys can be controlled in
Windows 2000 and later, when CRYPT_VERIFYCONTEXT flag is used in
CryptAcquireContext. This flag can be used to create *temporary*
public/private key pairs but they are *not persisted*.


> Does this mean that if I am using Microsoft's "MS_ENHANCED_PROV" as the
> cryptographic provider, Microsoft ensures that the key material is
> completely erased when the key handle is destroyed.

The users should only rely on the API's documented behavior:

"The CryptDestroyKey function releases the handle referenced by the hKey
parameter. After a key handle has been released, it becomes invalid and
cannot be used again.

If the handle refers to a session key, or to a public key that has been
imported into the CSP through CryptImportKey, this function destroys the
key and frees the memory that the key occupied. Many CSPs overwrite the
memory where the key was held before freeing it. However, the underlying
public/private key pair is not destroyed by this function. Only the handle
is destroyed."

That CSP must provide what the documented interface says, but anything
beyond that could be changed if the implementation changes.

The best way to completely erase the public/private key material is to
generate a new set of keys and save them into the container. This will
overwrite the old key material. Then, destroy the container.


Thanks for your understanding!

Best regards,

Gary Chang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
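
The regenerate-then-delete sequence from the last reply, written out against the CryptoAPI calls named in the thread. This is an added example, not code from the thread or from Microsoft; the container name and the function name are constructed for illustration, and the code assumes a Windows build linked with advapi32 (built elsewhere, the function only returns -1).

```c
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with advapi32 */
#endif

/* Constructed container name, used only by this example. */
#define DEMO_CONTAINER "example-keyset-constructed"

/* Regenerate both key pairs in a named container, then delete the container.
 * Returns 0 on success, the failing step (1-3) on error, and -1 when the
 * file is not built for Windows. Hypothetical helper, not a CryptoAPI call. */
int replace_keys_and_delete_container(const char *name)
{
#ifdef _WIN32
    static const ALG_ID specs[] = { AT_KEYEXCHANGE, AT_SIGNATURE };
    HCRYPTPROV prov = 0;
    int rc = 0;
    size_t i;

    /* Step 1: open the container; create it if missing so the example can be rerun. */
    if (!CryptAcquireContextA(&prov, name, MS_ENHANCED_PROV_A, PROV_RSA_FULL, 0) &&
        !CryptAcquireContextA(&prov, name, MS_ENHANCED_PROV_A, PROV_RSA_FULL,
                              CRYPT_NEWKEYSET))
        return 1;

    /* Step 2: a new pair for each key spec replaces the pair stored under it. */
    for (i = 0; i < sizeof specs / sizeof specs[0] && rc == 0; i++) {
        HCRYPTKEY key = 0;
        if (!CryptGenKey(prov, specs[i], 0, &key))
            rc = 2;
        else
            CryptDestroyKey(key);   /* releases the handle, not the stored pair */
    }
    CryptReleaseContext(prov, 0);
    if (rc != 0)
        return rc;

    /* Step 3: delete the key container itself. With CRYPT_DELETEKEYSET the
     * returned provider handle is undefined and must not be used or released. */
    if (!CryptAcquireContextA(&prov, name, MS_ENHANCED_PROV_A, PROV_RSA_FULL,
                              CRYPT_DELETEKEYSET))
        return 3;
    return 0;
#else
    (void)name;   /* CryptoAPI is Windows-only */
    return -1;
#endif
}
```

As the reply says, this controls only the persisted key pair; it makes no statement about copies left in process memory or the page file.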