1. How Is Session Key Generated
  2. How Is A Session Key Generated Video
-->
Creates a persistent connection to a local or remote computer.

Jun 06, 2016  CryptoAuthentication Symmetric Session Key Exchange - Duration: 4:12. CryptoAuthentication 3,142 views. The RFC for TLS does not contain or define the term Session Key. It simply says: The master secret is expanded into a sequence of secure bytes, which is then split to a client write MAC key, a server write MAC key, a client write encryption key, and a server write encryption key. Each of these is generated from the byte sequence in that order. Jan 26, 2011  Rather it will simply generate a new session identifier so we lose all the information that was in the original session. So right now everything works great if you first land on an ASP.NET page to start the session, but it all falls apart if you first land on a PHP page, or more importantly at the moment if you do a login via the PHP code. Sep 13, 2012  MicroNugget: What are SSL Session Keys? Unsubscribe from CBT Nuggets? Symmetric Key and Public Key Encryption - Duration: 6:45. Itfreetraining 554,493 views. A session key is a single-use symmetric key used for encrypting all messages in one communication session.A closely related term is content encryption key (CEK), traffic encryption key (TEK), or multicast key which refers to any key used for encrypting messages, contrary to other uses like encrypting other keys (key encryption key (KEK) or key wrapping key).

Syntax

Description

The New-PSSession cmdlet creates a PowerShell session (PSSession) on a local or remotecomputer. When you create a PSSession, PowerShell establishes a persistent connection to theremote computer.

Use a PSSession to run multiple commands that share data, such as a function or the value of avariable. To run commands in a PSSession, use the Invoke-Command cmdlet. To use thePSSession to interact directly with a remote computer, use the Enter-PSSession cmdlet. Formore information, see about_PSSessions.

You can run commands on a remote computer without creating a PSSession by using theComputerName parameters of Enter-PSSession or Invoke-Command. When you use theComputerName parameter, PowerShell creates a temporary connection that is used for the commandand is then closed.

Starting with PowerShell 6.0 you can use Secure Shell (SSH) to establish a connection to and createa session on a remote computer, if SSH is available on the local computer and the remote computer isconfigured with a PowerShell SSH endpoint. The benefit of an SSH based PowerShell remote session isthat it can work across multiple platforms (Windows, Linux, macOS). For SSH based sessions you usethe HostName or SSHConnection parameter set to specify the remote computer and relevantconnection information. For more information about how to set up PowerShell SSH remoting, seePowerShell Remoting Over SSH.

Note

When using WSMan remoting from a Linux or macOS client with a HTTPS endpoint where the servercertificate is not trusted (e.g., a self-signed certificate). You must provide a PSSessionOptionthat includes -SkipCACheck and -SkipCNCheck to successfully establish the connection. Only dothis if you are in an environment where you can be certain of the server certificate and thenetwork connection to the target system.

Examples

Example 1: Create a session on the local computer

This command creates a new PSSession on the local computer and saves the PSSession in the$s variable.

You can now use this PSSession to run commands on the local computer.

Example 2: Create a session on a remote computer

This command creates a new PSSession on the Server01 computer and saves it in the $Server01variable.

When creating multiple PSSession objects, assign them to variables with useful names. This willhelp you manage the PSSession objects in subsequent commands.

Example 3: Create sessions on multiple computers

This command creates three PSSession objects, one on each of the computers specified by theComputerName parameter.

The command uses the assignment operator (=) to assign the new PSSession objects to variables:$s1, $s2, $s3. It assigns the Server01 PSSession to $s1, the Server02 PSSession to$s2, and the Server03 PSSession to $s3.

When you assign multiple objects to a series of variables, PowerShell assigns each object to avariable in the series respectively. If there are more objects than variables, all remaining objectsare assigned to the last variable. If there are more variables than objects, the remaining variablesare empty (null).

Example 4: Create a session with a specified port

This command creates a new PSSession on the Server01 computer that connects to server port 8081and uses the SSL protocol. The new PSSession uses an alternative session configuration calledE12.

Before setting the port, you must configure the WinRM listener on the remote computer to listen onport 8081. For more information, see the description of the Port parameter.

Example 5: Create a session based on an existing session

This command creates a PSSession with the same properties as an existing PSSession. You canuse this command format when the resources of an existing PSSession are exhausted and a newPSSession is needed to offload some of the demand.

The command uses the Session parameter of New-PSSession to specify the PSSession saved inthe $s variable. It uses the credentials of the Domain1Admin01 user to complete the command.

Example 6: Create a session with a global scope in a different domain

How Is Session Key Generated

This example shows how to create a PSSession with a global scope on a computer in a differentdomain.

By default, PSSession objects created at the command line are created with local scope andPSSession objects created in a script have script scope.

To create a PSSession with global scope, create a new PSSession and then store thePSSession in a variable that is cast to a global scope. In this case, the $s variable is castto a global scope.

The command uses the ComputerName parameter to specify the remote computer. Because the computeris in a different domain than the user account, the full name of the computer is specified togetherwith the credentials of the user.

Example 7: Create sessions for many computers

This command creates a PSSession on each of the 200 computers listed in the Servers.txt file andit stores the resulting PSSession in the $rs variable. The PSSession objects have athrottle limit of 50.

You can use this command format when the names of computers are stored in a database, spreadsheet,text file, or other text-convertible format.

Example 8: Create a session by using a URI

This command creates a PSSession on the Server01 computer and stores it in the $s variable. Ituses the URI parameter to specify the transport protocol, the remote computer, the port, and analternate session configuration. It also uses the Credential parameter to specify a user accountthat has permission to create a session on the remote computer.

Example 9: Run a background job in a set of sessions

These commands create a set of PSSession objects and then run a background job in each of thePSSession objects.

The first command creates a new PSSession on each of the computers listed in the Servers.txtfile. It uses the New-PSSession cmdlet to create the PSSession. The value of theComputerName parameter is a command that uses the Get-Content cmdlet to get the list ofcomputer names the Servers.txt file.

The command uses the Credential parameter to create the PSSession objects that have thepermission of a domain administrator, and it uses the ThrottleLimit parameter to limit thecommand to 16 concurrent connections. The command saves the PSSession objects in the $svariable.

The second command uses the AsJob parameter of the Invoke-Command cmdlet to start a backgroundjob that runs a Get-Process PowerShell command in each of the PSSession objects in $s.

For more information about PowerShell background jobs, seeabout_Jobs and about_Remote_Jobs.

Example 10: Create a session for a computer by using its URI

This command creates a PSSession objects that connects to a computer that is specified by a URIinstead of a computer name.

Example 11: Create a session option

This example shows how to create a session option object and use the SessionOption parameter.

The first command uses the New-PSSessionOption cmdlet to create a session option. It saves theresulting SessionOption object in the $so variable.

The second command uses the option in a new session. The command uses the New-PSSession cmdlet tocreate a new session. The value of the SessionOption parameter is the SessionOption object inthe $so variable.

Example 12: Create a session using SSH

This example shows how to create a new PSSession using Secure Shell (SSH). If SSH is configuredon the remote computer to prompt for passwords then you will get a password prompt. Otherwise youwill have to use SSH key based user authentication.

Example 13: Create a session using SSH and specify the port and user authentication key

This example shows how to create a PSSession using Secure Shell (SSH). It uses the Portparameter to specify the port to use and the KeyFilePath parameter to specify an RSA key used toidentify and authenticate the user on the remote computer.

Example 14: Create multiple sessions using SSH

This example shows how to create multiple sessions using Secure Shell (SSH) and theSSHConnection parameter set. The SSHConnection parameter takes an array of hash tables thatcontain connection information for each session. Note that this example requires that the targetremote computers have SSH configured to support key based user authentication.

Parameters

Indicates that this cmdlet allows redirection of this connection to an alternate Uniform ResourceIdentifier (URI).

When you use the ConnectionURI parameter, the remote destination can return an instruction toredirect to a different URI. By default, PowerShell does not redirect connections, but youcan use this parameter to enable it to redirect the connection.

You can also limit the number of times the connection is redirected by changing theMaximumConnectionRedirectionCount session option value. Use the MaximumRedirection parameterof the New-PSSessionOption cmdlet or set the MaximumConnectionRedirectionCount property of the$PSSessionOption preference variable. The default value is 5.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies the application name segment of the connection URI. Use this parameter to specify theapplication name when you are not using the ConnectionURI parameter in the command.

The default value is the value of the $PSSessionApplicationName preference variable on the localcomputer. If this preference variable is not defined, the default value is WSMAN. This value isappropriate for most uses. For more information, seeabout_Preference_Variables.

The WinRM service uses the application name to select a listener to service the connection request.The value of this parameter should match the value of the URLPrefix property of a listener onthe remote computer.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Specifies the mechanism that is used to authenticate the user's credentials.The acceptable values for this parameter are:

  • Default
  • Basic
  • Credssp
  • Digest
  • Kerberos
  • Negotiate
  • NegotiateWithImplicitCredential

The default value is Default.

For more information about the values of this parameter, seeAuthenticationMechanism Enumeration.

Caution

Credential Security Support Provider (CredSSP) authentication, in which the user credentials arepassed to a remote computer to be authenticated, is designed for commands that requireauthentication on more than one resource, such as accessing a remote network share. This mechanismincreases the security risk of the remote operation. If the remote computer is compromised, thecredentials that are passed to it can be used to control the network session.

Type:AuthenticationMechanism
Accepted values:Default, Basic, Negotiate, NegotiateWithImplicitCredential, Credssp, Digest, Kerberos
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies the digital public key certificate (X509) of a user account that has permission to performthis action. Enter the certificate thumbprint of the certificate.

Certificates are used in client certificate-based authentication. They can be mapped only to localuser accounts; they do not work with domain accounts.

To get a certificate, use the Get-Item or Get-ChildItem command in the PowerShell Cert:drive.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies an array of names of computers. This cmdlet creates a persistent connection(PSSession) to the specified computer. If you enter multiple computer names, New-PSSessioncreates multiple PSSession objects, one for each computer. The default is the local computer.

Type the NetBIOS name, an IP address, or a fully qualified domain name of one or more remotecomputers. To specify the local computer, type the computer name, localhost, or a dot (.). When thecomputer is in a different domain than the user, the fully qualified domain name is required. Youcan also pipe a computer name, in quotation marks, to New-PSSession.

To use an IP address in the value of the ComputerName parameter, the command must include theCredential parameter. Also, the computer must be configured for HTTPS transport or the IPaddress of the remote computer must be included in the WinRM TrustedHosts list on the localcomputer. For instructions for adding a computer name to the TrustedHosts list, see 'How to Add aComputer to the Trusted Host List' inabout_Remote_Troubleshooting.

How Is A Session Key Generated

To include the local computer in the value of the ComputerName parameter, start WindowsPowerShell by using the Run as administrator option.

Type:String[]
Aliases:Cn
Position:0
Default value:None
Accept pipeline input:True (ByPropertyName, ByValue)
Accept wildcard characters:False

Specifies the session configuration that is used for the new PSSession.

Enter a configuration name or the fully qualified resource URI for a session configuration. If youspecify only the configuration name, the following schema URI is prepended:https://schemas.microsoft.com/PowerShell.

The session configuration for a session is located on the remote computer. If the specified sessionconfiguration does not exist on the remote computer, the command fails.

The default value is the value of the $PSSessionConfigurationName preference variable on the localcomputer. If this preference variable is not set, the default is Microsoft.PowerShell. For moreinformation, see about_Preference_Variables.

Type:String
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Specifies a URI that defines the connection endpoint for the session. The URI must be fullyqualified. The format of this string is as follows:

<Transport>://<ComputerName>:<Port>/<ApplicationName>

The default value is as follows:

http://localhost:5985/WSMAN

If you do not specify a ConnectionURI, you can use the UseSSL, ComputerName, Port, andApplicationName parameters to specify the ConnectionURI values.

Valid values for the Transport segment of the URI are HTTP and HTTPS. If you specify a connectionURI with a Transport segment, but do not specify a port, the session is created with standardsports: 80 for HTTP and 443 for HTTPS. To use the default ports for PowerShell remoting, specify port5985 for HTTP or 5986 for HTTPS.

If the destination computer redirects the connection to a different URI, PowerShell prevents theredirection unless you use the AllowRedirection parameter in the command.

Type:Uri[]
Aliases:URI, CU
Position:0
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Specifies an array of IDs of containers. This cmdlet starts an interactive session with each of thespecified containers. Use the docker ps command to get a list of container IDs. For moreinformation, see the help for thedocker ps command.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Specifies a user account that has permission to do this action. The default is the current user.

Type a user name, such as User01 or Domain01User01, or enter a PSCredential objectgenerated by the Get-Credential cmdlet. If you type a user name, you're prompted to enter thepassword.

Credentials are stored in a PSCredentialobject and the password is stored as a SecureString.

Note

For more information about SecureString data protection, seeHow secure is SecureString?.

Type:PSCredential
Position:Named
Default value:Current user
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Indicates that this cmdlet adds an interactive security token to loopback sessions. The interactivetoken lets you run commands in the loopback session that get data from other computers. For example,you can run a command in the session that copies XML files from a remote computer to the localcomputer.

A loopback session is a PSSession that originates and ends on the same computer. To create aloopback session, omit the ComputerName parameter or set its value to dot (.), localhost, or thename of the local computer.

By default, this cmdlet creates loopback sessions by using a network token, which might not providesufficient permission to authenticate to remote computers.

The EnableNetworkAccess parameter is effective only in loopback sessions. If you useEnableNetworkAccess when you create a session on a remote computer, the command succeeds, butthe parameter is ignored.

You can also enable remote access in a loopback session by using the CredSSP value of theAuthentication parameter, which delegates the session credentials to other computers. Site cisco.com crypto key generate rsa.

To protect the computer from malicious access, disconnected loopback sessions that have interactivetokens, which are those created by using the EnableNetworkAccess parameter, can be reconnectedonly from the computer on which the session was created. Disconnected sessions that use CredSSPauthentication can be reconnected from other computers. For more information, seeDisconnect-PSSession.

This parameter was introduced in PowerShell 3.0.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies an array of computer names for a Secure Shell (SSH) based connection. This is similar tothe ComputerName parameter except that the connection to the remote computer is made using SSHrather than Windows WinRM.

This parameter was introduced in PowerShell 6.0.

Type:String[]
Position:0
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies a key file path used by Secure Shell (SSH) to authenticate a user on a remote computer.

SSH allows user authentication to be performed via private/public keys as an alternative to basicpassword authentication. If the remote computer is configured for key authentication then thisparameter can be used to provide the key that identifies the user.

This parameter was introduced in PowerShell 6.0.

Type:String
Aliases:IdentityFilePath
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies a friendly name for the PSSession.

You can use the name to refer to the PSSession when you use other cmdlets, such asGet-PSSession and Enter-PSSession. The name is not required to be unique to the computer or thecurrent session.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies the network port on the remote computer that is used for this connection. To connect to aremote computer, the remote computer must be listening on the port that the connection uses. Thedefault ports are 5985, which is the WinRM port for HTTP, and 5986, which is the WinRM port forHTTPS.

Before using another port, you must configure the WinRM listener on the remote computer to listen atthat port. Use the following commands to configure the listener:

  1. winrm delete winrm/config/listener?Address=*+Transport=HTTP
  2. winrm create winrm/config/listener?Address=*+Transport=HTTP @{Port='<port-number>'}

Do not use the Port parameter unless you must. The port setting in the command applies to allcomputers or sessions on which the command runs. An alternate port setting might prevent the commandfrom running on all computers.

Type:Int32
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Indicates that the PSSession runs as administrator.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

This parameter takes an array of hashtables where each hashtable contains one or more connectionparameters needed to establish a Secure Shell (SSH) connection (HostName, Port, UserName,KeyFilePath).

The hashtable connection parameters are the same as defined for the HostName parameter set.

The SSHConnection parameter is useful for creating multiple sessions where each session requiresdifferent connection information.

This parameter was introduced in PowerShell 6.0.

Type:Hashtable[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Indicates that the remote connection is established using Secure Shell (SSH).

By default PowerShell uses Windows WinRM to connect to a remote computer. This switch forcesPowerShell to use the HostName parameter set for establishing an SSH based remote connection.

This parameter was introduced in PowerShell 6.0.

Type:SwitchParameter
Accepted values:true
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies an array of PSSession objects that this cmdlet uses as a model for the newPSSession. This parameter creates new PSSession objects that have the same properties as thespecified PSSession objects.

Enter a variable that contains the PSSession objects or a command that creates or gets thePSSession objects, such as a New-PSSession or Get-PSSession command.

The resulting PSSession objects have the same computer name, application name, connection URI,port, configuration name, throttle limit, and Secure Sockets Layer (SSL) value as the originals, butthey have a different display name, ID, and instance ID (GUID).

Type:PSSession[]
Position:0
Default value:None
Accept pipeline input:True (ByPropertyName, ByValue)
Accept wildcard characters:False

Specifies advanced options for the session. Enter a SessionOption object, such as one that youcreate by using the New-PSSessionOption cmdlet, or a hash table in which the keys are sessionoption names and the values are session option values.

The default values for the options are determined by the value of the $PSSessionOption preferencevariable, if it is set. Otherwise, the default values are established by options set in the sessionconfiguration.

The session option values take precedence over default values for sessions set in the$PSSessionOption preference variable and in the session configuration. However, they do not takeprecedence over maximum values, quotas or limits set in the session configuration.

For a description of the session options that includes the default values, seeNew-PSSessionOption. For information about the $PSSessionOption preference variable, seeabout_Preference_Variables. For more information aboutsession configurations, see about_Session_Configurations.

Type:PSSessionOption
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies the SSH subsystem used for the new PSSession.

This specifies the subsystem to use on the target as defined in sshd_config.The subsystem starts a specific version of PowerShell with predefined parameters.If the specified subsystem does not exist on the remote computer, the command fails.

How Is A Session Key Generated Video

If this parameter is not used, the default is the 'powershell' subsystem.

Type:String
Position:Named
Default value:powershell
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Specifies the maximum number of concurrent connections that can be established to run this command.If you omit this parameter or enter a value of 0 (zero), the default value, 32, is used.

The throttle limit applies only to the current command, not to the session or to the computer.

Type:Int32
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Indicates that this cmdlet uses the SSL protocol to establish a connection to the remote computer.By default, SSL is not used.

WS-Management encrypts all PowerShell content transmitted over the network. The UseSSLparameter offers an additional protection that sends the data across an HTTPS connection instead ofan HTTP connection.

If you use this parameter, but SSL is not available on the port that is used for the command, thecommand fails.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies the user name for the account used to create a session on the remote computer. Userauthentication method will depend on how Secure Shell (SSH) is configured on the remote computer.

If SSH is configured for basic password authentication then you will be prompted for the userpassword.

If SSH is configured for key based user authentication then a key file path can be provided via theKeyFilePath parameter and no password prompt will occur. Note that if the client user key file islocated in an SSH known location then the KeyFilePath parameter is not needed for key basedauthentication, and user authentication will occur automatically based on the user name. See SSHdocumentation about key based user authentication for more information.

This is not a required parameter. If no UserName parameter is specified then the current log on username is used for the connection.

This parameter was introduced in PowerShell 6.0.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Specifies an array of ID of virtual machines. This cmdlet starts an interactive session with each ofthe specified virtual machines. To see the virtual machines that are available to you, use thefollowing command:

Get-VM Select-Object -Property Name, ID

Type:Guid[]
Aliases:VMGuid
Position:0
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Specifies an array of names of virtual machines. This cmdlet starts an interactive session with eachof the specified virtual machines. To see the virtual machines that are available to you, use theGet-VM cmdlet.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False

Inputs

System.String, System.URI, System.Management.Automation.Runspaces.PSSession

You can pipe a string, URI, or session object to this cmdlet.

Outputs

Notes

  • This cmdlet uses the PowerShell remoting infrastructure. To use this cmdlet, the localcomputer and any remote computers must be configured for PowerShell remoting. For moreinformation, see about_Remote_Requirements.
  • To create a PSSession on the local computer, start PowerShell with the Run as administratoroption.
  • When you are finished with the PSSession, use the Remove-PSSession cmdlet to delete thePSSession and release its resources.
  • The HostName and SSHConnection parameter sets were included starting with PowerShell 6.0.They were added to provide PowerShell remoting based on Secure Shell (SSH). Both SSH andPowerShell are supported on multiple platforms (Windows, Linux, macOS) and PowerShell remotingwill work over these platforms where PowerShell and SSH are installed and configured. This isseparate from the previous Windows only remoting that is based on WinRM and much of the WinRMspecific features and limitations do not apply. For example WinRM based quotas, session options,custom endpoint configuration, and disconnect/reconnect features are currently not supported. Formore information about how to set up PowerShell SSH remoting, seePowerShell Remoting Over SSH.

Related Links

-->
Important This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
The CryptDeriveKey function generates cryptographic session keys derived from a base data value. This function guarantees that when the same cryptographic service provider (CSP) and algorithms are used, the keys generated from the same base data are identical. The base data can be a password or any other user data.

This function is the same asCryptGenKey, except that the generated session keys are derived from base data instead of being random. CryptDeriveKey can only be used to generate session keys. It cannot generate public/private key pairs.

A handle to the session key is returned in the phKey parameter. This handle can be used with any CryptoAPI function that requires a key handle.

Syntax

Parameters

hProv

A HCRYPTPROV handle of a CSP created by a call toCryptAcquireContext.

Algid

AnALG_ID structure that identifies the symmetric encryption algorithm for which the key is to be generated. The algorithms available will most likely be different for each CSP. For more information about which algorithm identifier is used by the different providers for the key specs AT_KEYEXCHANGE and AT_SIGNATURE, seeALG_ID.

For more information about ALG_ID values to use with the Microsoft Base Cryptographic Provider, seeBase Provider Algorithms. For more information about ALG_ID values to use with the Microsoft Strong Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, seeEnhanced Provider Algorithms.

hBaseData

A handle to a hash object that has been fed the exact base data.

To obtain this handle, an application must first create a hash object withCryptCreateHash and then add the base data to the hash object withCryptHashData. This process is described in detail inHashes and Digital Signatures.

dwFlags

Specifies the type of key generated.

The sizes of a session key can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 16 bits of this parameter. Thus, if a 128-bit RC4 session key is to be generated, the value 0x00800000 is combined with any other dwFlags predefined value with a bitwise-OR operation. Due to changing export control restrictions, the default CSP and default key length may change between operating system releases. It is important that both the encryption and decryption use the same CSP and that the key length be explicitly set using the dwFlags parameter to ensure interoperability on different operating system platforms.

The lower 16 bits of this parameter can be zero or you can specify one or more of the following flags by using the bitwise-OR operator to combine them.

ValueMeaning
CRYPT_CREATE_SALT
Typically, when a session key is made from a hash value, there are a number of leftover bits. For example, if the hash value is 128 bits and the session key is 40 bits, there will be 88 bits left over.

If this flag is set, then the key is assigned a salt value based on the unused hash value bits. You can retrieve this salt value by using theCryptGetKeyParam function with the dwParam parameter set to KP_SALT.

If this flag is not set, then the key is given a salt value of zero.

When keys with nonzero salt values are exported (by usingCryptExportKey), the salt value must also be obtained and kept with the key BLOB.

CRYPT_EXPORTABLE
If this flag is set, the session key can be transferred out of the CSP into a key BLOB through the CryptExportKey function. Because keys generally must be exportable, this flag should usually be set.

If this flag is not set, then the session key is not exportable. This means the key is available only within the current session and only the application that created it is able to use it.

This flag does not apply to public/private key pairs.

CRYPT_NO_SALT
This flag specifies that a no salt value gets allocated for a 40-bit symmetric key. For more information, see Salt Value Functionality.
CRYPT_UPDATE_KEY
Some CSPs use session keys that are derived from multiple hash values. When this is the case, CryptDeriveKey must be called multiple times.

If this flag is set, a new session key is not generated. Instead, the key specified by phKey is modified. The precise behavior of this flag is dependent on the type of key being generated and on the particular CSP being used.

Microsoft cryptographic service providers ignore this flag.

CRYPT_SERVER
1024 (0x400)
This flag is used only with Schannel providers. If this flag is set, the key to be generated is a server-write key; otherwise, it is a client-write key.

phKey

A pointer to a HCRYPTKEY variable to receive the address of the handle of the newly generated key. When you have finished using the key, release the handle by calling the CryptDestroyKey function.

Return value

If the function succeeds, the function returns nonzero (TRUE).

If the function fails, it returns zero (FALSE). For extended error information, callGetLastError.

The error codes prefaced by 'NTE' are generated by the particular CSP being used. Some possible error codes are listed in the following table.

Return codeDescription
ERROR_INVALID_HANDLE
One of the parameters specifies a handle that is not valid.
ERROR_INVALID_PARAMETER
One of the parameters contains a value that is not valid. This is most often a pointer that is not valid.
NTE_BAD_ALGID
The Algid parameter specifies an algorithm that this CSP does not support.
NTE_BAD_FLAGS
The dwFlags parameter contains a value that is not valid.
NTE_BAD_HASH
The hBaseData parameter does not contain a valid handle to a hash object.
NTE_BAD_HASH_STATE
An attempt was made to add data to a hash object that is already marked 'finished.'
NTE_BAD_UID
The hProv parameter does not contain a valid context handle.
NTE_FAIL
The function failed in some unexpected way.
NTE_SILENT_CONTEXT
The provider could not perform the action because the context was acquired as silent.

Remarks

When keys are generated for symmetricblock ciphers, the key by default is set up in cipher block chaining (CBC) mode with an initialization vector of zero. This cipher mode provides a good default method for bulk-encrypting data. To change these parameters, use theCryptSetKeyParam function.

The CryptDeriveKey function completes the hash. After CryptDeriveKey has been called, no more data can be added to the hash. Additional calls toCryptHashData orCryptHashSessionKey fail. After the application is done with the hash,CryptDestroyHash must be called to destroy the hash object.

To choose an appropriate key length, the following methods are recommended.

  • To enumerate the algorithms that the CSP supports and to get maximum and minimum key lengths for each algorithm, call CryptGetProvParam with PP_ENUMALGS_EX.
  • Use the minimum and maximum lengths to choose an appropriate key length. It is not always advisable to choose the maximum length because this can lead to performance issues.
  • After the desired key length has been chosen, use the upper 16 bits of the dwFlags parameter to specify the key length.
Let n be the required derived key length, in bytes. The derived key is the first n bytes of the hash value after the hash computation has been completed by CryptDeriveKey. If the hash is not a member of the SHA-2 family and the required key is for either 3DES or AES, the key is derived as follows:
  1. Form a 64-byte buffer by repeating the constant 0x36 64 times. Let k be the length of the hash value that is represented by the input parameter hBaseData. Set the first k bytes of the buffer to the result of an XOR operation of the first k bytes of the buffer with the hash value that is represented by the input parameter hBaseData.
  2. Form a 64-byte buffer by repeating the constant 0x5C 64 times. Set the first k bytes of the buffer to the result of an XOR operation of the first k bytes of the buffer with the hash value that is represented by the input parameter hBaseData.
  3. Hash the result of step 1 by using the same hash algorithm as that used to compute the hash value that is represented by the hBaseData parameter.
  4. Hash the result of step 2 by using the same hash algorithm as that used to compute the hash value that is represented by the hBaseData parameter.
  5. Concatenate the result of step 3 with the result of step 4.
  6. Use the first n bytes of the result of step 5 as the derived key.
The default RSA Full Cryptographic Service Provider is the Microsoft RSA Strong Cryptographic Provider. The default DSS Signature Diffie-Hellman Cryptographic Service Provider is the Microsoft Enhanced DSS Diffie-Hellman Cryptographic Provider. Each of these CSPs has a default 128-bit symmetric key length for RC2 and RC4.

The following table lists minimum, default, and maximum key lengths for session key by algorithm and provider.

ProviderAlgorithmsMinimum key lengthDefault key lengthMaximum key length
MS BaseRC4 and RC2404056
MS BaseDES565656
MS EnhancedRC4 and RC240128128
MS EnhancedDES565656
MS Enhanced3DES 112112112112
MS Enhanced3DES168168168
MS StrongRC4 and RC240128128
MS StrongDES565656
MS Strong3DES 112112112112
MS Strong3DES168168168
DSS/DH BaseRC4 and RC2404056
DSS/DH BaseCylink MEK404040
DSS/DH BaseDES565656
DSS/DH EnhRC4 and RC240128128
DSS/DH EnhCylink MEK404040
DSS/DH EnhDES565656
DSS/DH Enh3DES 112112112112
DSS/DH Enh3DES168168168

Examples

For an example that uses this function, see Example C Program: Deriving a Session Key from a Password.

Requirements

Minimum supported clientWindows XP [desktop apps only]
Minimum supported serverWindows Server 2003 [desktop apps only]
Target PlatformWindows
Headerwincrypt.h
LibraryAdvapi32.lib
DLLAdvapi32.dll

See also

Coments are closed
Scroll to top