Last time we looked at the structure of Microsoft CryptoAPI and the use of session keys. This time we look at public-private key pairs, hash algorithms, digital signatures and related techniques.
1. Public key encryption technology
Public key cryptography uses two different keys: a public key and a private key. The private key must be kept secret so that no outsider can learn it; the public key can be handed to anyone who needs it, and is usually published in the form of a digital certificate.
Data encrypted with one key of a public-private key pair can only be decrypted with the other key of that pair. This means that data encrypted with user A's public key can only be decrypted with A's private key, and data encrypted with A's private key can only be decrypted with A's public key.
Likewise, a message signed with the private key must be verified with the corresponding public key.
Unfortunately, public key encryption is very inefficient, as slow as one thousandth the speed of symmetric encryption, so it is not suitable for encrypting large amounts of data. In practice, public key cryptography is generally used to encrypt the session key, while the data itself is encrypted with a symmetric algorithm.
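The three relationships above (encrypt with one key of the pair and decrypt with the other, sign with the private key and verify with the public key, and wrap a random session key with the public key while the bulk data goes through a symmetric cipher) can be exercised end to end in a few dozen lines. The following is an added example, not code from the original article and not CryptoAPI itself: it builds a textbook RSA key pair from freshly generated primes and uses a constructed SHA-256 counter keystream as a stand-in for the symmetric cipher a CSP would provide. Textbook RSA without padding is shown here only to make the key-pair relationship visible; it is not what a real CSP uses on the wire.

```python
"""Public-private key pair, digital signature and session-key wrapping.

Added illustration (not from the original article): textbook RSA with
generated primes, used as the article describes; the symmetric part is a
constructed SHA-256 counter keystream standing in for a real block cipher.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; a composite survives each round with probability <= 1/4."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a proves n composite
    return True

def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit forced on, odd)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_key_pair(bits=512):
    """Return ((n, e), (n, d)): the public and private halves of one key pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)                            # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)

def rsa_apply(key, value):
    """Modular exponentiation with either half of the pair; value must be < n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under the modulus")
    return pow(value, exponent, n)

def sign(private_key, message):
    """Sign the SHA-256 digest of the message with the private key."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(private_key, digest)

def verify(public_key, message, signature):
    """Verify with the public key of the same pair; any other key or message fails."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(public_key, signature) == digest

def stream_xor(key, data):
    """Constructed stand-in for a symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def hybrid_encrypt(recipient_public_key, plaintext):
    """Encrypt the data with a fresh session key; wrap that key with the public key."""
    session_key = secrets.token_bytes(16)
    wrapped_key = rsa_apply(recipient_public_key, int.from_bytes(session_key, "big"))
    return wrapped_key, stream_xor(session_key, plaintext)

def hybrid_decrypt(recipient_private_key, wrapped_key, ciphertext):
    """Only the matching private key unwraps the session key that decrypts the data."""
    session_key = rsa_apply(recipient_private_key, wrapped_key).to_bytes(16, "big")
    return stream_xor(session_key, ciphertext)

def demo():
    """Round trip: wrap/unwrap a session key and sign/verify; returns the three checks."""
    public_key, private_key = generate_key_pair()
    message = b"data for A, session key wrapped with A's public key"   # constructed sample
    wrapped_key, ciphertext = hybrid_encrypt(public_key, message)
    recovered = hybrid_decrypt(private_key, wrapped_key, ciphertext)
    signature = sign(private_key, message)
    return (recovered == message,
            verify(public_key, message, signature),
            verify(public_key, message + b"!", signature))

if __name__ == "__main__":
    print(demo())                                  # (True, True, False)
```

Note how only the 16-byte session key ever goes through the slow public-key operation; the message, however long, is processed by the symmetric stream. This is the same division of labour a CSP applies when it exports a session key encrypted under the key exchange key pair.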
OK, let's go back to Microsoft CryptoAPI. We know that a CSP has a key store containing one or more key containers. What is inside a key container? In general, a key container holds two public-private key pairs: one for encrypting session keys and one for digital signatures, known as the key exchange key pair and the signature key pair.
So, how do you obtain these key pairs?
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

HCRYPTPROV hCryptProv;   /* CSP handle acquired with CryptAcquireContext (see part one) */
HCRYPTKEY  hKey = 0;     /* receives the handle of the key pair */

if (CryptGetUserKey(
        hCryptProv,      /* we already have the CSP handle */
        AT_SIGNATURE,    /* we want the signature key pair */
        &hKey))          /* returns the key handle */
{
    printf("A signature key is available.\n");
}
else /* fetching the signature key pair failed */
{
    printf("No signature key is available.\n");
    if (GetLastError() == NTE_NO_KEY) /* the key container has no signature key pair */
    {
        /* Create a signature key pair. */
        printf("The signature key does not exist.\n");
        printf("Create a signature key pair.\n");
        if (CryptGenKey(
                hCryptProv,      /* CSP handle */
                AT_SIGNATURE,    /* type of key pair to create: signature key pair */
                0,               /* flags; 0 selects the CSP's default key length */
                &hKey))          /* on success receives the handle of the new key pair */
        {
            printf("Created a signature key pair.\n");
        }
        else
        {
            printf("Error occurred creating a signature key.\n");
        }
    }
    else
    {
        printf("An error other than NTE_NO_KEY getting signature key.\n");
    }
} /* end if; release hKey with CryptDestroyKey when it is no longer needed */
Change the parameter AT_SIGNATURE to AT_KEYEXCHANGE to obtain the key exchange key pair instead.