Menu
How can the Cryptographic Keys be regenerated in Cognos 10.2.2? There are several instances when the Cryptographic Keys may need to be regenerated. Beginning with Cognos 10.2.2, the traditional method to regenerate the cryptographic keys is no longer valid and the below steps would need to be followed instead. Durability: The durability of cryptographic keys is designed to equal that of the highest durability services in AWS. A single cryptographic key can encrypt large volumes of customer data accumulated over a long time period. However, data encrypted under a key becomes irretrievable if the key is lost.
Cryptographic Key Storage Options & Best Practices
Use of PKI-based solutions continues to grow – more sites than ever are moving to HTTPS, enterprises are leveraging Digital Certificates as an authentication factor for users and machines, S/MIME is proving its worth as both an email encryption option and a way to validate the source of emails to counter phishing – but the encryption and authentication underlying these applications can be completely undermined if proper key management isn’t enforced.
Every time a Digital Certificate is issued, whether from a CA or self-signed, a private/public key pair must be generated. Best practice indicates that your private key(s) should remain secure and, well…private! Should anyone get a hold of it, depending on the certificate type, they could create phishing websites with your organization’s certificate in the address bar, authenticate to corporate networks by impersonating you, sign applications or documents in your name, or read your encrypted emails.
In many cases, your private keys are your employees’ identities (and therefore also an extension of your organization’s identity) and protecting them equates to protecting your fingerprints when using biometric credentials. You wouldn’t allow a hacker to get hold of your fingerprint, why let them have your private key?
In this post, we’ll discuss your options for private key protection and storage. As you’ll see, these can vary slightly depending on the type of certificate(s) and what you will use it for (e.g. best practices for SSL/TLS Certificates are different than those for end user certificates).
Examples: Windows Certificate Store, Mac OS Keychain
Several operating systems and browsers provide certificate or key stores. These are software-based databases that store your public/private keypair, as part of a certificate, locally on your machine. This type of key storage is quite popular because many applications know to look here automatically, rather than you manually looking for the certificate file each time, so it’s a fairly user-friendly option.
Another appeal of this option is it’s fairly easy to customize – you can enable/disable private key exportability, enable strong private key protection (prompts for password every time your certificate is used) and you can create back-ups if your private key is exportable. Also, for Windows users, by enabling profile-roaming, your certificate is tied to your profile and available for use if you sign into another machine with that profile.
If you choose to go this route for your key storage, you should be aware of the following considerations. First, even if you mark your private key as non-exportable, there are utilities that can circumvent this protection (i.e. non-exportability is not 100% guaranteed). Also, if someone accessed your Windows account and you didn’t have strong private key protection enabled (no password required to use your certificate), they could use your certificate. Finally, if your private key is marked as exportable, someone using your machine would be able to export it. Even if you have private key protection enabled, they wouldn’t have to enter the password to export.
One final note is that Chrome and IE both use the Windows Certificate Store, while Firefox uses its own certificate store (provided by Mozilla). This means if you import into the Windows Store, Chrome and IE will automatically find your certificate, but Firefox will not.
Commonly Used For:
- Applications for Digital Signing (e.g. Adobe Acrobat, Microsoft Outlook and Office will look to Windows [user] Certificate Store).
- Microsoft IIS (Windows server) also looks to the Windows [machine] Certificate Store for SSL Certificates
- Client Authentication (user or machine), depending on how it’s set up, most commonly looks to Windows ] Certificate Store.
- Windows Code Signing (signing applications or drivers).
PKCS#12 (.pfx or .p12) and .jks* (created by the Java keytool) are files containing your public/private keypair. Unlike the locally-stored OS and browser keystores, these files can be stored virtually anywhere, including remote servers and are always password protected (meaning any time you want to use your private key, you have to enter a password). Another appeal is that since these are ultimately just files, you can easily distribute copies if you have multiple people who need to use the certificate.
If you decide to store your file on a remote server, you should take extra care to restrict access to it. If someone were able to gain access, they would be able to use your certificate. On a similar note, you should also be careful with the ease of duplication and distribution these files offer. While that can be a great convenience, it also means if someone gets their hands on your keystore, it wouldn’t be difficult to make and steal a copy. The private key password is still required for the copied file to be used effectively. This is yet another reason to use strong passwords with 15+ characters containing mixed-case letters, numbers and special characters. Another thing to consider with this storage option is that it leaves a lot of responsibility in the hands of the end user, in terms of where the file lives and whether it is properly stored.
If you can’t use cryptographic hardware or the Windows keystore (described above), but still want to enhance security (rather than just having the keystore file sitting on your machine), you can store these files on a removable thumb drive that you keep in a secure location. Of course, convenience is the counterpoint to this – if you do a lot of signing, you may want to keep the file local for easier access.
Commonly Used For:
- Windows or Java Code Signing.
- FDA ESG and IRS IDES both use .pfx for secure communications to government services.
- Some webservers (e.g. Apache Tomcat or Jboss).
*Note: It looks like Java is planning to transition from JKS to PKCS#12 as the default keystore type, but no launch date has been announced.
As hinted above, storing your private key on hardware can offer increased security. However, there is a big difference between using cryptographic tokens or smart cards and standard flash or thumb drives. With cryptographic hardware, the key is generated on the hardware itself and is not exportable. This means the private key never leaves the device, making it much more difficult for someone to access and compromise.
Note: If you want to leverage the extra security of crypto hardware for a private key that has already been generated (i.e. not generated on the token itself), you can import a .pfx file and then delete the original .pfx.
Using a crypto token will also prompt for a password each time you want to use your certificate. This means even if someone gets a hold of your token, they would still need your password before being able to use it. Storing your key on a token means you can also securely use the same certificate across multiple machines without having to make multiple copies and going through the export/import process. Cryptographic hardware can also help meet FIPS compliance, which is required for some industry and government regulations.
Of course, there are some other considerations to keep in mind if you decide to go this route…did you cringe at the first mention of hardware? Aside from managing the tokens, you should also know that this option might not work with automated builds because of the password requirement each time the certificate is used. There is also no way to back-up the certificate since the private key isn’t exportable (the downside to that extra security). Finally, there are some fringe scenarios where this storage option may not be ideal, including specialized appliances that don’t support tokens or smart cards and situations where employees do not have physical access to the computer, but are using a remote terminal.
Cryptographic Key Management Policy
Commonly Used For:
Generally, all use cases mentioned above for OS/browser keystores (Document Signing, Code Signing, Client Authentication, Windows IIS) are supported by crypto tokens or smart cards - as long as there’s a driver on the crypto token that can make a connection to your OS/browser certificate store, it can serve the same purpose. However, this might not always be practical (e.g. webservers, automated build processes for code signing that require a password each time a signature is applied).
Compliance is one of the leading reasons for using crypto tokens.
- Required for Extended Validation (EV) Code Signing, as per CA/Browser Forum Guidelines.
- Recommended for standard Code Signing, as per CA Security Council Minimum Requirements - Certificate Authorities are obligated to recommend crypto hardware as the primary issuance option. If not issued on crypto hardware, an agreement must be obtained from the customer that they will store the private key on some kind of removable hardware (that they remove when signing isn’t taking place)
- Required for Digital Signatures to be publicly trusted in Adobe products, as per Adobe Approved Trust List (AATL) requirements.
- Industry-specific regulations, such as the FDA’s CFR 21 Part 11 and state engineering Digital Signature requirements, often have language about the private key remaining in sole possession of the owner. Storing on crypto hardware meets these requirements.
HSMs are another cryptographic hardware-based option for key storage, especially if you don’t want to, or it would be too cumbersome to rely on individual tokens. While tokens are more geared toward end users with manual or one-off applications (e.g. signing lower volumes of documents or code, authenticating to VPNs or other networks), HSMs use APIs and can support automated workflows and builds. They can also help meet FIPS compliance and generally offer a higher rating than tokens.
Traditionally, HSMs are physical appliances located on-premises, requiring internal resources to manage and ensure baseline requirements and SLAs are met. This can get costly and resource-intensive, which has hindered adoption in the past. Fortunately, recent years have seen the emergence of cloud-based HSMs, which offer many of the same benefits as on-premises HSMs without requiring internal maintenance.
An example of this that you may be familiar with is Microsoft Azure’s Key Vault, which can safeguard your cryptographic keys in Microsoft’s own cloud HSM. If you are a smaller organization without the ability to purchase and manage your own HSM, this is a great solution and can be integrated with public CAs, including GlobalSign.
If you are looking at the document signing use case, you should also know that we recently launched a new Digital Signing Service, which also leverages cloud-based HSM storage for the private keys. It’s also worth noting that the new service can support individual signing identities. In the past, most HSM-based digital signing scenarios could only use a department or organization level identity (e.g. Accounting, Marketing, Finance), rather than an individual identity (e.g. John Doe). This meant organizations who needed employee credentials had to rely on tokens, which as we noted above, can be cumbersome to manage. With this new service, you can enable individual employee Digital Signatures without any hardware to manage (or for your employees to lose).
Commonly Used For:
- High volume Document or Code Signing.
- SSL (dependent on server configuration).
- CA infrastructure for running in-house CA (root CA, sub-CA, RFC 3161 Timestamping server) – one may be offline, one online (root CA is generally offline).
The key storage options discussed above are somewhat traditional methods that have been used for years. However, just like seemingly everything else in the world of information security, key storage is not immune to the IoT’s influence and new options are being developed accordingly.
As more and more devices are coming online with the need to authenticate themselves and communicate securely, many developers and manufacturers are turning to PKI-based solutions, which in turn is bringing about new considerations, requirements and technologies for protecting private keys. Below are two trends we’ve seen emerge.
Trusted Platform Modules (TPM)
TPMs themselves are not new, but leveraging them for private key protection is gaining increasing use. A TPM can be used to store (or wrap) the root key and protects additional keys created by an application. The application keys cannot be used without the TPM, making this a very useful authentication method for endpoints like laptops, servers and IoT device manufacturers. While many laptops currently ship with TPMs today, we haven’t see much adoption in the enterprise space. We do see them a lot in the IoT space, however, where they’re used as a hardware root of trust for secure device identity.
The IoT has created a challenge where so many devices communicating anonymously are making it easier for hackers to intercept communications or pose as these devices. Because a chip can be introduced as early as in the manufacturing process it can be leveraged to protecting the device cryptographic key and hence the identity of the device.
During manufacturing, the device generates a private and public key pair. The public key is sent to the CA for signing and issuing a Digital Certificate. The private key never leaves the device and is stored securely on the chip and cannot be exported/copied/destroyed. The certificate is now the identity of the device, and the protected private key forms the hardware-based root of trust.
We’ve been working closely with our partner Infineon to develop IoT solutions that combine PKI-based device identities with TPM-based roots of trust. For more information, check out our Proof of Concept: Securely authenticating to and controlling hardware using GlobalSign's cloud-based Certificate Services and Infineon's OPTIGA™ TPM.
Physically Unclonable Functions (PUF)
Physical Unclonable Function (PUF) technology represents a paradigm shift in key protection. Instead of keys being stored (where they are susceptible to physical attack), keys are instead derived from unique physical properties of a chip’s SRAM memory and exist only when powered up. That is, rather than securely storing the private key, the same key can be regenerated over and over again (for the lifetime of the device) on demand. Using an SRAM-based PUF, these are guaranteed to be unique since they utilize the inherent randomness in silicon bit patterns.
PUF technology in conjunction with a Trusted Execution Environment (TEE) presents an attractive solution to market needs demand for low-cost, easy-to-integrate ultra-secure key protection. PUF in conjunction with PKI presents a comprehensive solution for identity.
Our partner, Intrinsic ID has created such a key provisioning system based on SRAM PUF that produces unique, unspoofable, unclonable device fingerprints identities rooted in hardware. Using our certificate services, we are able to bootstrap these fingerprints into digital identities and add PKI capabilities. Thus, each device ends up with a unique, uncloneable keypair that is not stored on the device when powered-off - but the same key can be regenerated on demand. This protects from attacks while the device (and its security) is powered down.
For more information about our joint IoT device identity solution, check out our recent webinar: Strong Device Identities through SRAM PUF-based Certificates.
Private key storage shouldn’t be a dark art. Ultimately, the right option for you is going to depend on who’s using the certificates and what they’re used for, any regulations you need to comply with, costs, and your current environment and available internal resources, and I hope this post will help guide you through your decision.
Have questions about any of the methods discussed above or need help deciding which one is right for you? Talk to us today!
Please enable JavaScript to view the comments powered by Disqus. Test
-->Important This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
The CryptGenKey function generates a random cryptographic session key or a public/private key pair. A handle to the key or key pair is returned in phKey. This handle can then be used as needed with any CryptoAPI function that requires a key handle.The calling application must specify the algorithm when calling this function. Because this algorithm type is kept bundled with the key, the application does not need to specify the algorithm later when the actual cryptographic operations are performed.
Syntax
Parameters
hProv
A handle to a cryptographic service provider (CSP) created by a call toCryptAcquireContext.
Algid
AnALG_ID value that identifies the algorithm for which the key is to be generated. Values for this parameter vary depending on the CSP used.
For ALG_ID values to use with the Microsoft Base Cryptographic Provider, seeBase Provider Algorithms.
For ALG_ID values to use with the Microsoft Strong Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, seeEnhanced Provider Algorithms.
For a Diffie-Hellman CSP, use one of the following values.
Value | Meaning |
---|---|
| Specifies an 'Ephemeral' Diffie-Hellman key. |
| Specifies a 'Store and Forward' Diffie-Hellman key. |
In addition to generating session keys for symmetric algorithms, this function can also generate public/private key pairs. Each CryptoAPI client generally possesses two public/private key pairs. To generate one of these key pairs, set the Algid parameter to one of the following values.
Value | Meaning |
---|---|
| Key exchange |
| Digital signature |
Note When key specifications AT_KEYEXCHANGE and AT_SIGNATURE are specified, the algorithm identifiers that are used to generate the key depend on the provider used. As a result, for these key specifications, the values returned from CryptGetKeyParam (when the KP_ALGID parameter is specified) depend on the provider used. To determine which algorithm identifier is used by the different providers for the key specs AT_KEYEXCHANGE and AT_SIGNATURE, see ALG_ID.
dwFlags
Specifies the type of key generated. The sizes of a session key, RSA signature key, and RSA key exchange keys can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 16 bits of this parameter. Thus, if a 2,048-bit RSA signature key is to be generated, the value 0x08000000 is combined with any other dwFlags predefined value with a bitwise-OR operation. The upper 16 bits of 0x08000000 is 0x0800, or decimal 2,048. The RSA1024BIT_KEY value can be used to specify a 1024-bit RSA key.
Due to changing export control restrictions, the default CSP and default key length may change between operating system versions. It is important that both the encryption and decryption use the same CSP and that the key length be explicitly set using the dwFlags parameter to ensure interoperability on different operating system platforms.
In particular, the default RSA Full Cryptographic Service Provider is the Microsoft RSA Strong Cryptographic Provider. The default DSS Signature Diffie-Hellman Cryptographic Service Provider is the Microsoft Enhanced DSS Diffie-Hellman Cryptographic Provider. Each of these CSPs has a default 128-bit symmetric key length for RC2 and RC4 and a 1,024-bit default key length for public key algorithms.
If the upper 16 bits is zero, the default key size is generated. If a key larger than the maximum or smaller than the minimum is specified, the call fails with the ERROR_INVALID_PARAMETER code.
The following table lists minimum, default, and maximum signature and exchange key lengths beginning with Windows XP.
Key type and provider | Minimum length | Default length | Maximum length |
---|---|---|---|
RSA Base Provider Signature and ExchangeKeys | 384 | 512 | 16,384 |
RSA Strong and Enhanced Providers Signature and Exchange Keys | 384 | 1,024 | 16,384 |
DSS Base Providers Signature Keys | 512 | 1,024 | 1,024 |
DSS Base Providers Exchange Keys | Not applicable | Not applicable | Not applicable |
DSS/DH Base Providers Signature Keys | 512 | 1,024 | 1,024 |
DSS/DH Base Providers Exchange Keys | 512 | 512 | 1,024 |
DSS/DH Enhanced Providers Signature Keys | 512 | 1,024 | 1,024 |
DSS/DH Enhanced Providers Exchange Keys | 512 | 1,024 | 4,096 |
For session key lengths, see CryptDeriveKey.
For more information about keys generated using Microsoft providers, seeMicrosoft Cryptographic Service Providers.
The lower 16-bits of this parameter can be zero or a combination of one or more of the following values.
Value | Meaning |
---|---|
| If this flag is set, the key can be exported until its handle is closed by a call to CryptDestroyKey. This allows newly generated keys to be exported upon creation for archiving or key recovery. After the handle is closed, the key is no longer exportable. |
| This flag is not used. |
| If this flag is set, then the key is assigned a random salt value automatically. You can retrieve this salt value by using the CryptGetKeyParam function with the dwParam parameter set to KP_SALT. If this flag is not set, then the key is given a salt value of zero. When keys with nonzero salt values are exported (throughCryptExportKey), then the salt value must also be obtained and kept with the key BLOB. |
| This flag is not used. |
| If this flag is set, then the key can be transferred out of the CSP into a key BLOB by using the CryptExportKey function. Because session keys generally must be exportable, this flag should usually be set when they are created. If this flag is not set, then the key is not exportable. For a session key, this means that the key is available only within the current session and only the application that created it will be able to use it. For a public/private key pair, this means that the private key cannot be transported or backed up. This flag applies only to session key and private key BLOBs. It does not apply to public keys, which are always exportable. |
| This flag specifies strong key protection. When this flag is set, the user is prompted to enter a password for the key when the key is created. The user will be prompted to enter the password whenever this key is used. This flag is only used by the CSPs that are provided by Microsoft. Third party CSPs will define their own behavior for strong key protection. Specifying this flag causes the same result as calling this function with the CRYPT_USER_PROTECTED flag when strong key protection is specified in the system registry. If this flag is specified and the provider handle in the hProv parameter was created by using the CRYPT_VERIFYCONTEXT or CRYPT_SILENT flag, this function will set the last error to NTE_SILENT_CONTEXT and return zero. Windows Server 2003 and Windows XP: This flag is not supported. |
| This flag is not used. |
| This flag is not used. |
| This flag specifies that a no salt value gets allocated for a forty-bit symmetric key. For more information, see Salt Value Functionality. |
| This flag is not used. |
| This flag specifies an initial Diffie-Hellman or DSS key generation. This flag is useful only with Diffie-Hellman and DSS CSPs. When used, a default key length will be used unless a key length is specified in the upper 16 bits of the dwFlags parameter. If parameters that involve key lengths are set on a PREGEN Diffie-Hellman or DSS key using CryptSetKeyParam, the key lengths must be compatible with the key length set here. |
| This flag is not used. |
| This flag is not used. |
| This flag is not used. |
| If this flag is set, the user is notified through a dialog box or another method when certain actions are attempting to use this key. The precise behavior is specified by the CSP being used. If the provider context was opened with the CRYPT_SILENT flag set, using this flag causes a failure and the last error is set to NTE_SILENT_CONTEXT. |
| This flag is not used. |
phKey
Address to which the function copies the handle of the newly generated key. When you have finished using the key, delete the handle to the key by calling the CryptDestroyKey function.
Cryptographic Key Management
Return value
Returns nonzero if successful or zero otherwise.
For extended error information, callGetLastError.
The error codes prefaced by 'NTE' are generated by the particular CSP being used. Some possible error codes are listed in the following table.
Return code | Description |
---|---|
| One of the parameters specifies a handle that is not valid. |
| One of the parameters contains a value that is not valid. This is most often a pointer that is not valid. |
| The Algid parameter specifies an algorithm that this CSP does not support. |
| The dwFlags parameter contains a value that is not valid. |
| The hProv parameter does not contain a valid context handle. |
| The function failed in some unexpected way. |
| The provider could not perform the action because the context was acquired as silent. |
Remarks
If keys are generated for symmetricblock ciphers, the key, by default, is set up in cipher block chaining (CBC) mode with an initialization vector of zero. This cipher mode provides a good default method for bulk encrypting data. To change these parameters, use theCryptSetKeyParam function.
To choose an appropriate key length, the following methods are recommended:
- Enumerate the algorithms that the CSP supports and get maximum and minimum key lengths for each algorithm. To do this, call CryptGetProvParam with PP_ENUMALGS_EX.
- Use the minimum and maximum lengths to choose an appropriate key length. It is not always advisable to choose the maximum length because this can lead to performance issues.
- After the desired key length has been chosen, use the upper 16 bits of the dwFlags parameter to specify the key length.
Examples
The following example shows the creation of a random session key. For an example that includes the complete context for this example, see Example C Program: Encrypting a File. For another example that uses this function, see Example C Program: Decrypting a File.
Requirements
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Target Platform | Windows |
Header | wincrypt.h |
Library | Advapi32.lib |
DLL | Advapi32.dll |