Using nCipher CSP with MSCAPI for AES Encryption

I am trying to figure out how to use MSCAPI to do AES encryption using the nCipher cryptographic service provider (CSP). What puzzles me is that the AesCryptoServiceProvider constructor does not accept the CspParameters class used to specify nCipher as the CSP.

    using System.Security.Cryptography;

    // Provider type 24 with the nCipher provider name
    CspParameters cp = new CspParameters(24, "nCipher Enhanced RSA and AES Cryptographic Provider");
    RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp); // works fine
    AesCryptoServiceProvider aes = new AesCryptoServiceProvider(); // Constructor takes no parameters.

From what I see, the Rijndael classes also have no way to specify other third-party CSPs. What am I missing? Is there a way to initialize my entire system to load the CSP for all subsequent cryptographic calls? Am I supposed to use the CSP to manage the symmetric key, and then use the default AesCryptoServiceProvider for encryption/decryption? RSACryptoServiceProvider(CspParameters) works just fine. But I want to do symmetric encryption. I need to do this in C# on the .NET Framework.

+7
2 answers

Microsoft CAPI does not support hardware keys for symmetric algorithms. This is a flaw in the API, not the nCipher CSP. The only keys that can be protected by hardware are the CAPI container Signing and Exchange key pairs. Any symmetric key created is generated and used in software.

You can wrap (software) symmetric keys in container (hardware) keys for protection and persistence, but this does not make these symmetric keys protected by hardware.

If you are deploying anything on Vista, Server 2008 or later, you should consider CAPI Next Generation, or CNG: it supports the creation and use of hardware-protected symmetric keys, and the Thales/nCipher CNG CSP supports this. However, the Thales/nCipher CNG CSP does not support persistent symmetric keys, so for this you will have to wrap them in a container key pair, just like with old-school CAPI.

I work for Thales, but I don’t speak for them: contact Thales Support if you have questions and/or want to know how to get developer support.

+8
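
The wrapping approach this answer describes, as an added example (not code from the original post or from Thales/nCipher): a software AES key is wrapped under the container's Exchange key pair, so only the RSA private key stays behind the CSP while the AES key is still used in software. The container name is hypothetical, and OAEP support in the provider is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class WrappedAesKeyDemo
{
    // Provider type 24 and the provider name come from the question;
    // the container name is a hypothetical placeholder.
    const string Provider = "nCipher Enhanced RSA and AES Cryptographic Provider";
    const string Container = "example-aes-wrapping-container";

    static RSACryptoServiceProvider OpenExchangeKey()
    {
        var cp = new CspParameters(24, Provider, Container);
        cp.KeyNumber = (int)KeyNumber.Exchange;   // the container's Exchange key pair
        return new RSACryptoServiceProvider(cp);  // key pair is created if the container is new
    }

    static void Main()
    {
        byte[] wrappedKey, iv, ciphertext;
        using (var rsa = OpenExchangeKey())
        using (var aes = new AesCryptoServiceProvider()) // software AES, random key and IV
        {
            iv = aes.IV;
            // Persist only the wrapped form of the AES key.
            // Assumption: the provider accepts OAEP; otherwise pass false (PKCS#1 v1.5).
            wrappedKey = rsa.Encrypt(aes.Key, true);
            using (var enc = aes.CreateEncryptor())
            {
                byte[] plain = Encoding.UTF8.GetBytes("constructed sample record");
                ciphertext = enc.TransformFinalBlock(plain, 0, plain.Length);
            }
        }
        // Later: unwrap with the container's private key, then decrypt in software.
        using (var rsa = OpenExchangeKey())
        using (var aes = new AesCryptoServiceProvider())
        {
            byte[] key = rsa.Decrypt(wrappedKey, true);
            aes.Key = key;
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                Console.WriteLine(Encoding.UTF8.GetString(plain));
            }
            Array.Clear(key, 0, key.Length); // the unwrapped key was exposed in process memory
        }
    }
}
```

AesCryptoServiceProvider defaults to CBC mode, which gives no integrity protection, so stored ciphertext needs a MAC over the IV and ciphertext.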

AES is a symmetric algorithm, so CspParameters cannot be used.

nCipher is a hardware standard (see http://technet.microsoft.com/en-us/library/dd277354), so maybe your token can compute the AES algorithm, but since everyone (Alice and Bob) has to know the secret key, there is no use in computing or storing the key on a hardware token.

You can see how to use AesCryptoServiceProvider in the MSDN example; maybe you want to use AesManaged (there is also an example).

+1