Obtain the plain text session key using CryptoAPI

Generally it's very important to obtain the value of session keys. However, the Microsoft Cryptographic Providers (Base and Enhanced) do not support this feature. CryptExportKey() and CryptImportKey() require a valid key handle to encrypt and decrypt the session key, respectively.

Download source files - 3 Kb

Introduction

Generally it's very important to obtain the value of session keys. However, the Microsoft Cryptographic Providers (Base and Enhanced) does not support this feature. CryptExportKey() and CryptImportKey() require a valid key handle to encrypt and decrypt the session key, respectively. MSDN shows a way to do this using a exponent-of-one private key. This article shows a better way to perform the same process. This way is faster and more comprehensive.

It's ready to run, but you must set the following parameters at Project -> Settings (Visual Studio 6.0 ) :

Add in C++/Preprocessor definitions: _WIN32_WINNT=0x0500, _CRYPT32_(WIN2K) or _WIN32_WINNT=0x0400, _CRYPT32_(NT4)
And Link this library crypt32.lib

Code Listing

#include <windows.h>
#include <wincrypt.h>


#define KEY_PAIR_SIZE     dwSize - 12
#define SESSION_KEY_SIZE  dwKeyMaterial

void main()
{

    HCRYPTPROV hProv = 0;
    HCRYPTKEY hExchangeKeyPair = 0;
    HCRYPTKEY hSessionKey = 0;
    BYTE *pbKeyMaterial  = NULL;
    DWORD dwKeyMaterial ;   
    BYTE *pbExportedKeyBlob = NULL;
    BYTE *pbEncryptedKey    = NULL;
    DWORD dwSize;
    unsigned int c;

    __try
    {

        if (!CryptAcquireContext( &hProv, "Container Name", 
            MS_ENHANCED_PROV , PROV_RSA_FULL, CRYPT_MACHINE_KEYSET ))
        {
            __leave;
        }

        //---------------------------------------------------
        //Creating a session key. In this sample we'll use a 
        //3DES key with 168 bits

        if (!CryptGenKey(hProv,CALG_3DES,CRYPT_EXPORTABLE,
            &hSessionKey))
        {
            __leave;
        }

        //---------------------------------------------------
        //Getting a handle to the Exchange Key pair

        if (!CryptGetUserKey( hProv, AT_KEYEXCHANGE, 
            &hExchangeKeyPair))
        {
            __leave;
        }

        //--------------------------------------------------------
        //Encrypting the session key with the public key part
        //of the keypair. The first call gets the size necessary to 
        //hold the encrypted session key and the second exports it.

        if (!CryptExportKey( hSessionKey, hExchangeKeyPair, 
            SIMPLEBLOB, 0, NULL, &dwSize))
        {
            __leave;
        }

        pbExportedKeyBlob = new BYTE[dwSize];

        if (!CryptExportKey( hSessionKey, hExchangeKeyPair, SIMPLEBLOB, 
            0, pbExportedKeyBlob,  &dwSize))
        {
            __leave;
        }

        //--------------------------------------------------------
        //Let's  remove the first 12 bytes of Blob information 

        pbEncryptedKey  =  new BYTE [KEY_PAIR_SIZE];  

        for ( c = 0 ; c < KEY_PAIR_SIZE ; c++ )
        {
            pbEncryptedKey[c] =  pbExportedKeyBlob[c+12]; 
        }

        //--------------------------------------------------------
        //Now it's time to get the value of the session key, we'll
        //use the private part of the key pair. 

        if (!CryptDecrypt( hExchangeKeyPair,0, TRUE, 0,  
            pbEncryptedKey, &dwKeyMaterial))
        {
            __leave;
        }

        //-------------------------------------------------------
        //The pbKeyMaterial is the value of the key

        pbKeyMaterial = new BYTE[ SESSION_KEY_SIZE ];

        for ( c = 0; c <  SESSION_KEY_SIZE ; c-- )
        {
            pbKeyMaterial[c] = pbEncryptedKey[c];    
        }

        //-------------------------------------------------------
        //The key is in big-endian format, because that's the way
        //the encryption block is built.

    }
    __finally
    {
        if (pbKeyMaterial ) LocalFree(pbKeyMaterial );
        if (hSessionKey) CryptDestroyKey(hSessionKey);
        if (hExchangeKeyPair) CryptDestroyKey(hExchangeKeyPair);
        if (hProv) 
        {  
            CryptReleaseContext(hProv, 0);
        }

    }

} // End Main

License

This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)

About the Author

Raphael Amorim

Software Developer (Senior)
Instituto Atlântico

Brazil

Member

Follow on Twitter

Senior Software Developer Engineer @ Instituto Atlântico

Summary:

• Has Acted as Software Architect and Technical Leader in many projects
• Good knowledge of Windows Internals
• More than 9 years of software design and development experience in Visual C/C++.
• More than 8 years of experience in Security/Cryptography software design and programming.
• Good knowledge of .NET framework and C# language, also using ASP.NET.
• Good knowledge of Lua Scripting Language
• Good knowledge of Objective C and Cocoa.
• Good knowledge of Java language.
• Good knowledge of MacOSX/Linux programming in C++
• Good knowledge of Brew Framework for CDMA cell phone software development (using C)
• Some knowledge of Carbon and Qt application development C++.

Specialist in:
Visual C++® and C, MFC, ATL, COM, STL, ActiveX, Lua, Cocoa, Carbon and Qt application development, C# and Java (J2SE and J2ME), Brew Framework for CDMA, Linux Programming in C++, PocketPC (embedded C++ and .NET Compact Framework) , Device Driver Development , SQL Server 6.5/7/2000/2005, MySQL, IBM DB2 and Access Visual C++ 6.0, Visual Studio .NET (all versions), Eclipse, NetBeans, XCode, Qt Creator and Carbide. Microsoft Windows NT to 7, Windows CE 3.0/5.0/6.0, Mac OS X and Linux.

Article Top