Wednesday, October 19, 2005

Where do Cryptographic Service Providers store keys?

Security is all about the key, so the question is where and how Cryptographic Service Providers (CSPs) store the keys. Each CSP stores cryptographic keys persistently in its key database:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/msdn_cryptapi.asp
Each key database contains one or more key containers, each of which holds all the key pairs belonging to a specific user (or CryptoAPI client). Each key container has a unique name. There are usually two key pairs in each container: a key-exchange key pair and a signature key pair. One key pair is used to encrypt session keys and the other to create digital signatures.
It is interesting to notice that CSPs used to store keys in the Windows registry. In Windows NT, the Microsoft providers store their key containers in two locations of the system registry: HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys and HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys. The former is usually used by a stand-alone application, and the latter by a process running on behalf of a non-interactive user, such as an IIS/ASP application.

In Windows 2000/XP, Microsoft decided to move the key containers from the system registry to the file system. They can now be found under the directories '%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys' and '%SystemDrive%\Documents and Settings\Application Data\Microsoft\Crypto\RSA\
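Because the key containers are ordinary files, their NTFS ACLs decide who can read a machine's private keys. The script below is an added example (not part of the original post) that lists the container files in both stores and flags any whose ACL grants access to broad groups; it assumes a current Windows build, where the XP-era "Documents and Settings" paths resolve to %ProgramData% and %APPDATA%, and an elevated shell to read all of MachineKeys.

```powershell
# Added example, not from the original post. Audits the file-system key
# containers described above. Assumption: modern Windows, where the old
# "Documents and Settings" locations are %ProgramData% and %APPDATA%.

# Well-known SIDs that should not normally hold an Allow ACE on a key container file
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

function Get-CspKeyContainerReport {
    param(
        [string[]]$Paths = @(
            (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),  # machine store
            (Join-Path $env:APPDATA     'Microsoft\Crypto\RSA')               # per-user store (SID subfolder)
        )
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Key container directory not found: $root"
            continue
        }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }  # skip unreadable entries
            # Collect every Allow ACE whose principal is one of the broad groups above
            $broad = foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }
                if ($BroadSids.ContainsKey($sid)) {
                    '{0}:{1}' -f $BroadSids[$sid], $ace.FileSystemRights
                }
            }
            [pscustomobject]@{
                Container   = $file.Name          # container file: hash-derived name plus machine GUID
                Store       = $root
                Owner       = $acl.Owner
                LastWrite   = $file.LastWriteTime
                BroadAccess = ($broad -join '; ') # empty when only the owner/SYSTEM/Administrators have access
            }
        }
    }
}

Get-CspKeyContainerReport | Sort-Object BroadAccess -Descending | Format-Table -AutoSize
```

Any non-empty BroadAccess value is worth a closer look, since the corresponding key pair can be used by every member of that group.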

More on managing Cryptographic Providers and Contexts on http://www.aspencrypt.com/task_learn.html
