Jun 06, 2016 CryptoAuthentication Symmetric Session Key Exchange - Duration: 4:12. CryptoAuthentication 3,142 views. The RFC for TLS does not contain or define the term Session Key. It simply says: The master secret is expanded into a sequence of secure bytes, which is then split to a client write MAC key, a server write MAC key, a client write encryption key, and a server write encryption key. Each of these is generated from the byte sequence in that order. Jan 26, 2011 Rather it will simply generate a new session identifier so we lose all the information that was in the original session. So right now everything works great if you first land on an ASP.NET page to start the session, but it all falls apart if you first land on a PHP page, or more importantly at the moment if you do a login via the PHP code. Sep 13, 2012 MicroNugget: What are SSL Session Keys? Unsubscribe from CBT Nuggets? Symmetric Key and Public Key Encryption - Duration: 6:45. Itfreetraining 554,493 views. A session key is a single-use symmetric key used for encrypting all messages in one communication session.A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for encrypting messages, contrary to other uses like encrypting other keys (key encryption key (KEK) or key wrapping key).
The New-PSSession
cmdlet creates a PowerShell session (PSSession) on a local or remotecomputer. When you create a PSSession, PowerShell establishes a persistent connection to theremote computer.
Use a PSSession to run multiple commands that share data, such as a function or the value of avariable. To run commands in a PSSession, use the Invoke-Command
cmdlet. To use thePSSession to interact directly with a remote computer, use the Enter-PSSession
cmdlet. Formore information, see about_PSSessions.
You can run commands on a remote computer without creating a PSSession by using theComputerName parameters of Enter-PSSession
or Invoke-Command
. When you use theComputerName parameter, PowerShell creates a temporary connection that is used for the commandand is then closed.
Starting with PowerShell 6.0 you can use Secure Shell (SSH) to establish a connection to and createa session on a remote computer, if SSH is available on the local computer and the remote computer isconfigured with a PowerShell SSH endpoint. The benefit of an SSH based PowerShell remote session isthat it can work across multiple platforms (Windows, Linux, macOS). For SSH based sessions you usethe HostName or SSHConnection parameter set to specify the remote computer and relevantconnection information. For more information about how to set up PowerShell SSH remoting, seePowerShell Remoting Over SSH.
Note
When using WSMan remoting from a Linux or macOS client with a HTTPS endpoint where the servercertificate is not trusted (e.g., a self-signed certificate). You must provide a PSSessionOption
that includes -SkipCACheck
and -SkipCNCheck
to successfully establish the connection. Only dothis if you are in an environment where you can be certain of the server certificate and thenetwork connection to the target system.
Example 1: Create a session on the local computer
This command creates a new PSSession on the local computer and saves the PSSession in the$s
variable.
You can now use this PSSession to run commands on the local computer.
Example 2: Create a session on a remote computer
This command creates a new PSSession on the Server01 computer and saves it in the $Server01
variable.
When creating multiple PSSession objects, assign them to variables with useful names. This willhelp you manage the PSSession objects in subsequent commands.
Example 3: Create sessions on multiple computers
This command creates three PSSession objects, one on each of the computers specified by theComputerName parameter.
The command uses the assignment operator (=) to assign the new PSSession objects to variables:$s1
, $s2
, $s3
. It assigns the Server01 PSSession to $s1
, the Server02 PSSession to$s2
, and the Server03 PSSession to $s3
.
When you assign multiple objects to a series of variables, PowerShell assigns each object to avariable in the series respectively. If there are more objects than variables, all remaining objectsare assigned to the last variable. If there are more variables than objects, the remaining variablesare empty (null).
Example 4: Create a session with a specified port
This command creates a new PSSession on the Server01 computer that connects to server port 8081and uses the SSL protocol. The new PSSession uses an alternative session configuration calledE12.
Before setting the port, you must configure the WinRM listener on the remote computer to listen onport 8081. For more information, see the description of the Port parameter.
Example 5: Create a session based on an existing session
This command creates a PSSession with the same properties as an existing PSSession. You canuse this command format when the resources of an existing PSSession are exhausted and a newPSSession is needed to offload some of the demand.
The command uses the Session parameter of New-PSSession
to specify the PSSession saved inthe $s
variable. It uses the credentials of the Domain1Admin01 user to complete the command.
Example 6: Create a session with a global scope in a different domain
This example shows how to create a PSSession with a global scope on a computer in a differentdomain.
By default, PSSession objects created at the command line are created with local scope andPSSession objects created in a script have script scope.
To create a PSSession with global scope, create a new PSSession and then store thePSSession in a variable that is cast to a global scope. In this case, the $s
variable is castto a global scope.
The command uses the ComputerName parameter to specify the remote computer. Because the computeris in a different domain than the user account, the full name of the computer is specified togetherwith the credentials of the user.
Example 7: Create sessions for many computers
This command creates a PSSession on each of the 200 computers listed in the Servers.txt file andit stores the resulting PSSession in the $rs
variable. The PSSession objects have athrottle limit of 50.
You can use this command format when the names of computers are stored in a database, spreadsheet,text file, or other text-convertible format.
Example 8: Create a session by using a URI
This command creates a PSSession on the Server01 computer and stores it in the $s
variable. Ituses the URI parameter to specify the transport protocol, the remote computer, the port, and analternate session configuration. It also uses the Credential parameter to specify a user accountthat has permission to create a session on the remote computer.
Example 9: Run a background job in a set of sessions
These commands create a set of PSSession objects and then run a background job in each of thePSSession objects.
The first command creates a new PSSession on each of the computers listed in the Servers.txtfile. It uses the New-PSSession
cmdlet to create the PSSession. The value of theComputerName parameter is a command that uses the Get-Content
cmdlet to get the list ofcomputer names the Servers.txt file.
The command uses the Credential parameter to create the PSSession objects that have thepermission of a domain administrator, and it uses the ThrottleLimit parameter to limit thecommand to 16 concurrent connections. The command saves the PSSession objects in the $s
variable.
The second command uses the AsJob parameter of the Invoke-Command
cmdlet to start a backgroundjob that runs a Get-Process PowerShell
command in each of the PSSession objects in $s
.
For more information about PowerShell background jobs, seeabout_Jobs and about_Remote_Jobs.
Example 10: Create a session for a computer by using its URI
This command creates a PSSession objects that connects to a computer that is specified by a URIinstead of a computer name.
Example 11: Create a session option
This example shows how to create a session option object and use the SessionOption parameter.
The first command uses the New-PSSessionOption
cmdlet to create a session option. It saves theresulting SessionOption object in the $so
variable.
The second command uses the option in a new session. The command uses the New-PSSession
cmdlet tocreate a new session. The value of the SessionOption parameter is the SessionOption object inthe $so
variable.
Example 12: Create a session using SSH
This example shows how to create a new PSSession using Secure Shell (SSH). If SSH is configuredon the remote computer to prompt for passwords then you will get a password prompt. Otherwise youwill have to use SSH key based user authentication.
Example 13: Create a session using SSH and specify the port and user authentication key
This example shows how to create a PSSession using Secure Shell (SSH). It uses the Portparameter to specify the port to use and the KeyFilePath parameter to specify an RSA key used toidentify and authenticate the user on the remote computer.
Example 14: Create multiple sessions using SSH
This example shows how to create multiple sessions using Secure Shell (SSH) and theSSHConnection parameter set. The SSHConnection parameter takes an array of hash tables thatcontain connection information for each session. Note that this example requires that the targetremote computers have SSH configured to support key based user authentication.
Indicates that this cmdlet allows redirection of this connection to an alternate Uniform ResourceIdentifier (URI).
When you use the ConnectionURI parameter, the remote destination can return an instruction toredirect to a different URI. By default, PowerShell does not redirect connections, but youcan use this parameter to enable it to redirect the connection.
You can also limit the number of times the connection is redirected by changing theMaximumConnectionRedirectionCount session option value. Use the MaximumRedirection parameterof the New-PSSessionOption
cmdlet or set the MaximumConnectionRedirectionCount property of the$PSSessionOption preference variable. The default value is 5.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the application name segment of the connection URI. Use this parameter to specify theapplication name when you are not using the ConnectionURI parameter in the command.
The default value is the value of the $PSSessionApplicationName
preference variable on the localcomputer. If this preference variable is not defined, the default value is WSMAN. This value isappropriate for most uses. For more information, seeabout_Preference_Variables.
The WinRM service uses the application name to select a listener to service the connection request.The value of this parameter should match the value of the URLPrefix property of a listener onthe remote computer.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Specifies the mechanism that is used to authenticate the user's credentials.The acceptable values for this parameter are:
The default value is Default.
For more information about the values of this parameter, seeAuthenticationMechanism Enumeration.
Caution
Credential Security Support Provider (CredSSP) authentication, in which the user credentials arepassed to a remote computer to be authenticated, is designed for commands that requireauthentication on more than one resource, such as accessing a remote network share. This mechanismincreases the security risk of the remote operation. If the remote computer is compromised, thecredentials that are passed to it can be used to control the network session.
Type: | AuthenticationMechanism |
Accepted values: | Default, Basic, Negotiate, NegotiateWithImplicitCredential, Credssp, Digest, Kerberos |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the digital public key certificate (X509) of a user account that has permission to performthis action. Enter the certificate thumbprint of the certificate.
Certificates are used in client certificate-based authentication. They can be mapped only to localuser accounts; they do not work with domain accounts.
To get a certificate, use the Get-Item
or Get-ChildItem
command in the PowerShell Cert:drive.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies an array of names of computers. This cmdlet creates a persistent connection(PSSession) to the specified computer. If you enter multiple computer names, New-PSSession
creates multiple PSSession objects, one for each computer. The default is the local computer.
Type the NetBIOS name, an IP address, or a fully qualified domain name of one or more remotecomputers. To specify the local computer, type the computer name, localhost, or a dot (.). When thecomputer is in a different domain than the user, the fully qualified domain name is required. Youcan also pipe a computer name, in quotation marks, to New-PSSession
.
To use an IP address in the value of the ComputerName parameter, the command must include theCredential parameter. Also, the computer must be configured for HTTPS transport or the IPaddress of the remote computer must be included in the WinRM TrustedHosts list on the localcomputer. For instructions for adding a computer name to the TrustedHosts list, see 'How to Add aComputer to the Trusted Host List' inabout_Remote_Troubleshooting.
To include the local computer in the value of the ComputerName parameter, start WindowsPowerShell by using the Run as administrator option.
Type: | String[] |
Aliases: | Cn |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True (ByPropertyName, ByValue) |
Accept wildcard characters: | False |
Specifies the session configuration that is used for the new PSSession.
Enter a configuration name or the fully qualified resource URI for a session configuration. If youspecify only the configuration name, the following schema URI is prepended:https://schemas.microsoft.com/PowerShell
.
The session configuration for a session is located on the remote computer. If the specified sessionconfiguration does not exist on the remote computer, the command fails.
The default value is the value of the $PSSessionConfigurationName
preference variable on the localcomputer. If this preference variable is not set, the default is Microsoft.PowerShell. For moreinformation, see about_Preference_Variables.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Specifies a URI that defines the connection endpoint for the session. The URI must be fullyqualified. The format of this string is as follows:
<Transport>://<ComputerName>:<Port>/<ApplicationName>
The default value is as follows:
http://localhost:5985/WSMAN
If you do not specify a ConnectionURI, you can use the UseSSL, ComputerName, Port, andApplicationName parameters to specify the ConnectionURI values.
Valid values for the Transport segment of the URI are HTTP and HTTPS. If you specify a connectionURI with a Transport segment, but do not specify a port, the session is created with standardsports: 80 for HTTP and 443 for HTTPS. To use the default ports for PowerShell remoting, specify port5985 for HTTP or 5986 for HTTPS.
If the destination computer redirects the connection to a different URI, PowerShell prevents theredirection unless you use the AllowRedirection parameter in the command.
Type: | Uri[] |
Aliases: | URI, CU |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Specifies an array of IDs of containers. This cmdlet starts an interactive session with each of thespecified containers. Use the docker ps
command to get a list of container IDs. For moreinformation, see the help for thedocker ps command.
Type: | String[] |
Position: | Named |
Default value: | None |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Specifies a user account that has permission to do this action. The default is the current user.
Type a user name, such as User01 or Domain01User01, or enter a PSCredential objectgenerated by the Get-Credential
cmdlet. If you type a user name, you're prompted to enter thepassword.
Credentials are stored in a PSCredentialobject and the password is stored as a SecureString.
Note
For more information about SecureString data protection, seeHow secure is SecureString?.
Type: | PSCredential |
Position: | Named |
Default value: | Current user |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Indicates that this cmdlet adds an interactive security token to loopback sessions. The interactivetoken lets you run commands in the loopback session that get data from other computers. For example,you can run a command in the session that copies XML files from a remote computer to the localcomputer.
A loopback session is a PSSession that originates and ends on the same computer. To create aloopback session, omit the ComputerName parameter or set its value to dot (.), localhost, or thename of the local computer.
By default, this cmdlet creates loopback sessions by using a network token, which might not providesufficient permission to authenticate to remote computers.
The EnableNetworkAccess parameter is effective only in loopback sessions. If you useEnableNetworkAccess when you create a session on a remote computer, the command succeeds, butthe parameter is ignored.
You can also enable remote access in a loopback session by using the CredSSP value of theAuthentication parameter, which delegates the session credentials to other computers. Site cisco.com crypto key generate rsa.
To protect the computer from malicious access, disconnected loopback sessions that have interactivetokens, which are those created by using the EnableNetworkAccess parameter, can be reconnectedonly from the computer on which the session was created. Disconnected sessions that use CredSSPauthentication can be reconnected from other computers. For more information, seeDisconnect-PSSession
.
This parameter was introduced in PowerShell 3.0.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies an array of computer names for a Secure Shell (SSH) based connection. This is similar tothe ComputerName parameter except that the connection to the remote computer is made using SSHrather than Windows WinRM.
This parameter was introduced in PowerShell 6.0.
Type: | String[] |
Position: | 0 |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a key file path used by Secure Shell (SSH) to authenticate a user on a remote computer.
SSH allows user authentication to be performed via private/public keys as an alternative to basicpassword authentication. If the remote computer is configured for key authentication then thisparameter can be used to provide the key that identifies the user.
This parameter was introduced in PowerShell 6.0.
Type: | String |
Aliases: | IdentityFilePath |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a friendly name for the PSSession.
You can use the name to refer to the PSSession when you use other cmdlets, such asGet-PSSession
and Enter-PSSession
. The name is not required to be unique to the computer or thecurrent session.
Type: | String[] |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the network port on the remote computer that is used for this connection. To connect to aremote computer, the remote computer must be listening on the port that the connection uses. Thedefault ports are 5985, which is the WinRM port for HTTP, and 5986, which is the WinRM port forHTTPS.
Before using another port, you must configure the WinRM listener on the remote computer to listen atthat port. Use the following commands to configure the listener:
winrm delete winrm/config/listener?Address=*+Transport=HTTP
winrm create winrm/config/listener?Address=*+Transport=HTTP @{Port='<port-number>'}
Do not use the Port parameter unless you must. The port setting in the command applies to allcomputers or sessions on which the command runs. An alternate port setting might prevent the commandfrom running on all computers.
Type: | Int32 |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Indicates that the PSSession runs as administrator.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
This parameter takes an array of hashtables where each hashtable contains one or more connectionparameters needed to establish a Secure Shell (SSH) connection (HostName, Port, UserName,KeyFilePath).
The hashtable connection parameters are the same as defined for the HostName parameter set.
The SSHConnection parameter is useful for creating multiple sessions where each session requiresdifferent connection information.
This parameter was introduced in PowerShell 6.0.
Type: | Hashtable[] |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Indicates that the remote connection is established using Secure Shell (SSH).
By default PowerShell uses Windows WinRM to connect to a remote computer. This switch forcesPowerShell to use the HostName parameter set for establishing an SSH based remote connection.
This parameter was introduced in PowerShell 6.0.
Type: | SwitchParameter |
Accepted values: | true |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies an array of PSSession objects that this cmdlet uses as a model for the newPSSession. This parameter creates new PSSession objects that have the same properties as thespecified PSSession objects.
Enter a variable that contains the PSSession objects or a command that creates or gets thePSSession objects, such as a New-PSSession
or Get-PSSession
command.
The resulting PSSession objects have the same computer name, application name, connection URI,port, configuration name, throttle limit, and Secure Sockets Layer (SSL) value as the originals, butthey have a different display name, ID, and instance ID (GUID).
Type: | PSSession[] |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True (ByPropertyName, ByValue) |
Accept wildcard characters: | False |
Specifies advanced options for the session. Enter a SessionOption object, such as one that youcreate by using the New-PSSessionOption
cmdlet, or a hash table in which the keys are sessionoption names and the values are session option values.
The default values for the options are determined by the value of the $PSSessionOption
preferencevariable, if it is set. Otherwise, the default values are established by options set in the sessionconfiguration.
The session option values take precedence over default values for sessions set in the$PSSessionOption
preference variable and in the session configuration. However, they do not takeprecedence over maximum values, quotas or limits set in the session configuration.
For a description of the session options that includes the default values, seeNew-PSSessionOption
. For information about the $PSSessionOption
preference variable, seeabout_Preference_Variables. For more information aboutsession configurations, see about_Session_Configurations.
Type: | PSSessionOption |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the SSH subsystem used for the new PSSession.
This specifies the subsystem to use on the target as defined in sshd_config.The subsystem starts a specific version of PowerShell with predefined parameters.If the specified subsystem does not exist on the remote computer, the command fails.
If this parameter is not used, the default is the 'powershell' subsystem.
Type: | String |
Position: | Named |
Default value: | powershell |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Specifies the maximum number of concurrent connections that can be established to run this command.If you omit this parameter or enter a value of 0 (zero), the default value, 32, is used.
The throttle limit applies only to the current command, not to the session or to the computer.
Type: | Int32 |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Indicates that this cmdlet uses the SSL protocol to establish a connection to the remote computer.By default, SSL is not used.
WS-Management encrypts all PowerShell content transmitted over the network. The UseSSLparameter offers an additional protection that sends the data across an HTTPS connection instead ofan HTTP connection.
If you use this parameter, but SSL is not available on the port that is used for the command, thecommand fails.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the user name for the account used to create a session on the remote computer. Userauthentication method will depend on how Secure Shell (SSH) is configured on the remote computer.
If SSH is configured for basic password authentication then you will be prompted for the userpassword.
If SSH is configured for key based user authentication then a key file path can be provided via theKeyFilePath parameter and no password prompt will occur. Note that if the client user key file islocated in an SSH known location then the KeyFilePath parameter is not needed for key basedauthentication, and user authentication will occur automatically based on the user name. See SSHdocumentation about key based user authentication for more information.
This is not a required parameter. If no UserName parameter is specified then the current log on username is used for the connection.
This parameter was introduced in PowerShell 6.0.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies an array of ID of virtual machines. This cmdlet starts an interactive session with each ofthe specified virtual machines. To see the virtual machines that are available to you, use thefollowing command:
Get-VM Select-Object -Property Name, ID
Type: | Guid[] |
Aliases: | VMGuid |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
Specifies an array of names of virtual machines. This cmdlet starts an interactive session with eachof the specified virtual machines. To see the virtual machines that are available to you, use theGet-VM
cmdlet.
Type: | String[] |
Position: | Named |
Default value: | None |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | False |
System.String, System.URI, System.Management.Automation.Runspaces.PSSession
You can pipe a string, URI, or session object to this cmdlet.
Remove-PSSession
cmdlet to delete thePSSession and release its resources.This function is the same asCryptGenKey, except that the generated session keys are derived from base data instead of being random. CryptDeriveKey can only be used to generate session keys. It cannot generate public/private key pairs.
A handle to the session key is returned in the phKey parameter. This handle can be used with any CryptoAPI function that requires a key handle.
hProv
A HCRYPTPROV handle of a CSP created by a call toCryptAcquireContext.
Algid
AnALG_ID structure that identifies the symmetric encryption algorithm for which the key is to be generated. The algorithms available will most likely be different for each CSP. For more information about which algorithm identifier is used by the different providers for the key specs AT_KEYEXCHANGE and AT_SIGNATURE, seeALG_ID.
For more information about ALG_ID values to use with the Microsoft Base Cryptographic Provider, seeBase Provider Algorithms. For more information about ALG_ID values to use with the Microsoft Strong Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, seeEnhanced Provider Algorithms.
hBaseData
A handle to a hash object that has been fed the exact base data.
To obtain this handle, an application must first create a hash object withCryptCreateHash and then add the base data to the hash object withCryptHashData. This process is described in detail inHashes and Digital Signatures.
dwFlags
Specifies the type of key generated.
The sizes of a session key can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 16 bits of this parameter. Thus, if a 128-bit RC4 session key is to be generated, the value 0x00800000 is combined with any other dwFlags predefined value with a bitwise-OR operation. Due to changing export control restrictions, the default CSP and default key length may change between operating system releases. It is important that both the encryption and decryption use the same CSP and that the key length be explicitly set using the dwFlags parameter to ensure interoperability on different operating system platforms.
The lower 16 bits of this parameter can be zero or you can specify one or more of the following flags by using the bitwise-OR operator to combine them.
Value | Meaning |
---|---|
| Typically, when a session key is made from a hash value, there are a number of leftover bits. For example, if the hash value is 128 bits and the session key is 40 bits, there will be 88 bits left over. If this flag is set, then the key is assigned a salt value based on the unused hash value bits. You can retrieve this salt value by using theCryptGetKeyParam function with the dwParam parameter set to KP_SALT. If this flag is not set, then the key is given a salt value of zero. When keys with nonzero salt values are exported (by usingCryptExportKey), the salt value must also be obtained and kept with the key BLOB. |
| If this flag is set, the session key can be transferred out of the CSP into a key BLOB through the CryptExportKey function. Because keys generally must be exportable, this flag should usually be set. If this flag is not set, then the session key is not exportable. This means the key is available only within the current session and only the application that created it is able to use it. This flag does not apply to public/private key pairs. |
| This flag specifies that a no salt value gets allocated for a 40-bit symmetric key. For more information, see Salt Value Functionality. |
| Some CSPs use session keys that are derived from multiple hash values. When this is the case, CryptDeriveKey must be called multiple times. If this flag is set, a new session key is not generated. Instead, the key specified by phKey is modified. The precise behavior of this flag is dependent on the type of key being generated and on the particular CSP being used. Microsoft cryptographic service providers ignore this flag. |
| This flag is used only with Schannel providers. If this flag is set, the key to be generated is a server-write key; otherwise, it is a client-write key. |
phKey
A pointer to a HCRYPTKEY variable to receive the address of the handle of the newly generated key. When you have finished using the key, release the handle by calling the CryptDestroyKey function.
If the function succeeds, the function returns nonzero (TRUE).
If the function fails, it returns zero (FALSE). For extended error information, callGetLastError.
The error codes prefaced by 'NTE' are generated by the particular CSP being used. Some possible error codes are listed in the following table.
Return code | Description |
---|---|
| One of the parameters specifies a handle that is not valid. |
| One of the parameters contains a value that is not valid. This is most often a pointer that is not valid. |
| The Algid parameter specifies an algorithm that this CSP does not support. |
| The dwFlags parameter contains a value that is not valid. |
| The hBaseData parameter does not contain a valid handle to a hash object. |
| An attempt was made to add data to a hash object that is already marked 'finished.' |
| The hProv parameter does not contain a valid context handle. |
| The function failed in some unexpected way. |
| The provider could not perform the action because the context was acquired as silent. |
When keys are generated for symmetricblock ciphers, the key by default is set up in cipher block chaining (CBC) mode with an initialization vector of zero. This cipher mode provides a good default method for bulk-encrypting data. To change these parameters, use theCryptSetKeyParam function.
The CryptDeriveKey function completes the hash. After CryptDeriveKey has been called, no more data can be added to the hash. Additional calls toCryptHashData orCryptHashSessionKey fail. After the application is done with the hash,CryptDestroyHash must be called to destroy the hash object.
To choose an appropriate key length, the following methods are recommended.
The following table lists minimum, default, and maximum key lengths for session key by algorithm and provider.
Provider | Algorithms | Minimum key length | Default key length | Maximum key length |
---|---|---|---|---|
MS Base | RC4 and RC2 | 40 | 40 | 56 |
MS Base | DES | 56 | 56 | 56 |
MS Enhanced | RC4 and RC2 | 40 | 128 | 128 |
MS Enhanced | DES | 56 | 56 | 56 |
MS Enhanced | 3DES 112 | 112 | 112 | 112 |
MS Enhanced | 3DES | 168 | 168 | 168 |
MS Strong | RC4 and RC2 | 40 | 128 | 128 |
MS Strong | DES | 56 | 56 | 56 |
MS Strong | 3DES 112 | 112 | 112 | 112 |
MS Strong | 3DES | 168 | 168 | 168 |
DSS/DH Base | RC4 and RC2 | 40 | 40 | 56 |
DSS/DH Base | Cylink MEK | 40 | 40 | 40 |
DSS/DH Base | DES | 56 | 56 | 56 |
DSS/DH Enh | RC4 and RC2 | 40 | 128 | 128 |
DSS/DH Enh | Cylink MEK | 40 | 40 | 40 |
DSS/DH Enh | DES | 56 | 56 | 56 |
DSS/DH Enh | 3DES 112 | 112 | 112 | 112 |
DSS/DH Enh | 3DES | 168 | 168 | 168 |
For an example that uses this function, see Example C Program: Deriving a Session Key from a Password.
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Target Platform | Windows |
Header | wincrypt.h |
Library | Advapi32.lib |
DLL | Advapi32.dll |