HOWTO: Obtain the plain text session key using CryptoAPI


This article was contributed by Raphael Amorim.

Environment: VC6 SP5, 2000 SP1,NT4 SP3

Generally it’s very important to obtain the value of session keys. However, the Microsoft Cryptographic Providers (Base and Enhanced) do not support this feature. CryptExportKey() and CryptImportKey() require a valid key handle to encrypt and decrypt the session key, respectively. MSDN shows a way to do this using a “exponent-of-one” private key. But Microsoft’s
example in MSDN is extremely long and . This way is faster and more comprehensive.

It’s ready to run, but you must set the following parameters at Project ->
Settings (Visual Studio 6.0 ) :


1.Add in C++/PreProcessor definitions:


_WIN32_WINNT=0x0500, _CRYPT32_(WIN2K)

or _WIN32_WINNT=0x0400, _CRYPT32_(NT4)

2. And Link this library

crypt32.lib


#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

#define KEY_PAIR_SIZE dwSize – 12
#define SESSION_KEY_SIZE dwKeyMaterial

void main()
{

HCRYPTPROV hProv = 0;
HCRYPTKEY hExchangeKeyPair = 0;
HCRYPTKEY hSessionKey = 0;
BYTE *pbKeyMaterial = NULL;
DWORD dwKeyMaterial ;
BYTE *pbExportedKeyBlob = NULL;
BYTE *pbEncryptedKey = NULL;
DWORD dwSize;
unsigned int c;

__try
{

if (!CryptAcquireContext( &hProv,
“Container Name”,
MS_ENHANCED_PROV ,
PROV_RSA_FULL,
CRYPT_MACHINE_KEYSET ))
{
__leave;
}

//—————————————————
//Creating a session key. In this sample we’ll use a
//3DES key with 168 bits

if (!CryptGenKey( hProv, CALG_3DES,
CRYPT_EXPORTABLE, &hSessionKey ))
{
__leave;
}

//—————————————————
//Getting a handle to the Exchange Key pair

if (!CryptGetUserKey( hProv, AT_KEYEXCHANGE, &hExchangeKeyPair))
{
__leave;
}

//——————————————————–
//Encrypting the session key with the public key part
//of the keypair first call gets the size necessary to
//hold the encrypted session key and the second exports it.

if (!CryptExportKey( hSessionKey,
hExchangeKeyPair,
SIMPLEBLOB,
0,
NULL,
&dwSize))
{
__leave;
}

pbExportedKeyBlob = new BYTE[dwSize];

if (!CryptExportKey( hSessionKey,
hExchangeKeyPair,
SIMPLEBLOB,
0,
pbExportedKeyBlob,
&dwSize))
{
__leave;
}

//——————————————————–
//Let’s remove the first 12 bytes of Blob information

pbEncryptedKey = new BYTE [KEY_PAIR_SIZE];

for ( c = 0 ; c < KEY_PAIR_SIZE ; c++ )
{
pbEncryptedKey[c] = pbExportedKeyBlob[c+12];
}

//——————————————————–
//Now it’s time to get the value of the session key, we’ll
//use the private part of the key pair.

if (!CryptDecrypt( hExchangeKeyPair, 0,
TRUE, 0,
pbEncryptedKey, &dwKeyMaterial))
{
__leave;
}

//——————————————————-
//The pbKeyMaterial is the value of the key

pbKeyMaterial = new BYTE[ SESSION_KEY_SIZE ];

for ( c = 0; c < SESSION_KEY_SIZE ; c++ )
{
pbKeyMaterial[c] = pbEncryptedKey[c];
}

}
__finally
{
if (pbKeyMaterial ) LocalFree(pbKeyMaterial );
if (hSessionKey) CryptDestroyKey(hSessionKey);
if (hExchangeKeyPair) CryptDestroyKey(hExchangeKeyPair);
if (hProv)
{
CryptReleaseContext(hProv, 0);
}

}

} // End Main

Downloads

Download demo project – 7 Kb

More by Author

Must Read