I am trying to export a private key from a smart card. The key can be exported only wrapped (encrypted), not as plaintext.

In PKCS#11 there are Wrap and Unwrap functions that can be used to wrap a private key with a temporary symmetric key.

So I want to use the same logic with CNG - NCrypt functions.

I think that I need to use NCryptExportKey with the NCRYPT_PKCS8_PRIVATE_KEY_BLOB flag, and use the hExportKey parameter.

But I don't know how I can generate a symmetric key (like 3DES) on the smart card using CNG.

Sagir
  • Smart cards themselves don't implement PKCS#11, at least not fully, as the interface is a local C interface. So there needs to be a PKCS#11 library on the host side. Then that library is commonly called by a CSP (Crypto Service Provider) implementation, which in turn can be used by the CNG runtime / API. However, I would not be surprised if this functionality is not implemented in the CSP. That means you'd have to use PKCS#11 or even a smart card specific API instead. In the end this is a *key management* related function, rather than a *use case specific function*. – Maarten Bodewes Jul 05 '20 at 16:09
  • If the key was generated on the smart card (otherwise there should be no need to export it), the card may not support export at all. ISO 7816-8 at least provides just the option to export the public key. Does your first paragraph imply that you checked that and export is possible in encrypted form? – guidot Jul 06 '20 at 07:38

0 Answers