EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to set level high to private key on windows?

#318
Posted: 05/25/2006 15:56:22
by Ken Ivanov (EldoS Corp.)

Yes, I understood you right. Unfortunately, it's impossible to do this task programmatically due to the architecture of the Windows security subsystem.

When one performs a call to some CryptoAPI routine, CryptoAPI in turn calls the corresponding functions of the CSP (cryptographic service provider). CryptoAPI does not deal with cryptography -- it just forwards requests to the underlying CSPs.

As I said in one of the previous posts, CryptoAPI supports only two private key protection levels - 'enabled protection' and 'disabled protection'. When importing the private key, CryptoAPI passes the supplied protection level (either 'yes' or 'no') to the CSP corresponding to the imported key. At this stage Microsoft CSPs usually show the dialog, asking the user to choose between 'medium' and 'high' protection level. Please note that CryptoAPI does not know about this dialog. CryptoAPI does not know about 'medium' and 'high' options. It just knows that the key is imported with protection level set to 'yes'.

When the protected private key is requested by some application, the warning message dialog is shown by the CSP, *not by CryptoAPI*. CryptoAPI knows nothing about this dialog window.

So, there's no possibility to solve your task programmatically. The only way to do it is to re-import the private key (we will implement this ability in one of the future build updates), setting the needed protection level in the displayed dialog box.
#319
Posted: 05/25/2006 16:08:36
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

I understand all except this:

Quote
So, there's no possibility to solve your task programmatically. The only way to do it is to re-import the private key (we will implement this ability in one of the future build updates), setting the needed protection level in the displayed dialog box.


As I try to understand, in the future update we will be able to change that protection level to high? (of the CSP, I didn't know that, I thought that it was CryptoAPI :( ).

SBB, as I understood, communicates in any way with any CSP?

Also, a little question... my default CSP is: "Microsoft Strong Cryptographic Provider". Is there any other CSP better? (less annoying screens or something like that).

Thanks for your answers
#320
Posted: 05/25/2006 16:34:50
by Ken Ivanov (EldoS Corp.)

Quote
As I try to understand, in the future update we will be able to change that protection level to high?

We will implement the possibility to change protection level from 'no' to 'yes' and vice versa (so you will not need to remove and then add the certificate manually). However, you will still have to choose between 'high' and 'medium' options in the dialog box for Microsoft Cryptographic Providers.

Quote
SBB, as I understood, communicates in any way with any CSP?

Microsoft does not recommend dealing directly with CSPs. The advantage of CryptoAPI is that it provides a unified interface to the functionality provided by different cryptographic providers.

Quote
Also, a little question... my default CSP is: "Microsoft Strong Cryptographic Provider". Is there any other CSP better? (less annoying screens or something like that).

You can find information about Microsoft cryptographic providers at the following location:

http://msdn.microsoft.com/library/def...viders.asp

Actually, cryptographic providers are not interchangeable. For instance, Microsoft Strong Cryptographic Provider is responsible for RSA signing and encryption, while Microsoft RSA/Schannel provider deals with SSL algorithms.
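
The re-import discussed in this thread, as an added example that is not part of the original posts and is not EldoS code: .NET's `X509KeyStorageFlags.UserProtected` is the on/off protection request, and the provider decides what dialog, if any, it shows. The PFX path is a hypothetical placeholder; the store (`My`, current user) is an assumption.

```powershell
# Added example: re-import a PFX with key protection requested.
# The caller can only ask for protection "yes" or "no"; any further choice
# (such as 'medium' versus 'high') is made in the provider's own dialog.
param(
    [string]$PfxPath = 'C:\temp\example-key.pfx'   # hypothetical placeholder path
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# UserProtected : request protection for the private key (the 'yes' case)
# PersistKeySet : keep the key container after the certificate object is disposed
# UserKeySet    : store the key in the current user's profile
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserProtected, PersistKeySet, UserKeySet'

if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX file not found: $PfxPath"
}

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# The provider's protection dialog, if it has one, appears during this call.
# Cancelling it makes the constructor throw, so nothing is added to the store.
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $PfxPath, $password, $flags

$store = New-Object "$x509.X509Store" -ArgumentList 'My',
    ([System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Replace any unprotected copy: remove the old entry, then add the new one.
    $old = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    foreach ($c in $old) { $store.Remove($c) }
    $store.Add($cert)
}
finally {
    $store.Close()
}

# Summary of what was stored; the chosen level itself is not reported here.
[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey
}
```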

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
