Specifying a Salt Value
Both the Base Provider and the Extended Provider can specify the value and length of the salt value to be used. The Base Provider sets a salt value using the KP_SALT parameter value. The Base Provider always sets eleven bytes of salt value.
The Enhanced Provider sets the salt value by calling CryptSetKeyParam with the KP_SALT_EX parameter value specified and with the pbData parameter pointing to a CRYPT_INTEGER_BLOB structure that contains the salt.
Note: The total length of an Enhanced Provider symmetric key and its salt value cannot be greater than 128 bits.
KP_SALT continues to be provided for backward compatibility with the Base Provider. Newer applications should use the KP_SALT_EX parameter value.
Salt Value Functionality
The Base Provider creates 40-bit symmetric keys with eleven bytes of zero-value salt, with eleven bytes of nonzero salt if CRYPT_CREATE_SALT is specified, or with no salt value. A 40-bit symmetric key with zero-value salt, however, is not equivalent to a 40-bit symmetric key without salt. For interoperability, keys must be created without salt. This problem results from a default condition that occurs only with keys of exactly 40 bits. All other key lengths do not have salt allocated by default.
Both the Base Provider and the Extended Provider can use the CRYPT_NO_SALT flag to specify that no salt value is allocated for a 40-bit symmetric key. The functions that accept this flag are CryptGenKey, CryptDeriveKey, and CryptImportKey. By default, these functions provide backward compatibility for the 40-bit symmetric key case by continuing the use of the eleven-byte-long zero-value salt.
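The following added example (portable C written for this page, not Microsoft's code and not a CryptoAPI call sequence) models why a 40-bit key with zero-value salt and a 40-bit key created without salt do not interoperate. It assumes the RC4 stream cipher and that the cipher key is the 5 secret bytes followed by the 11 salt bytes; `rc4_keystream`, `build_cipher_key` and `zero_salt_equals_no_salt` are illustrative names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECRET_LEN 5   /* 40-bit secret */
#define SALT_LEN   11  /* eleven bytes of salt, per the text above */

/* Standard RC4: key schedule, then n keystream bytes into out. */
static void rc4_keystream(const uint8_t *key, size_t klen, uint8_t *out, size_t n)
{
    uint8_t S[256], t;
    size_t i, j = 0, k;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = j = k = 0; k < n; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(S[i] + S[j]) & 0xff];
    }
}

/* ASSUMPTION: cipher key = secret bytes followed by salt bytes.
   salt == NULL models CRYPT_NO_SALT (no salt allocated). Returns key length. */
static size_t build_cipher_key(const uint8_t *secret, const uint8_t *salt, uint8_t *out)
{
    memcpy(out, secret, SECRET_LEN);
    if (salt == NULL) return SECRET_LEN;
    memcpy(out + SECRET_LEN, salt, SALT_LEN);
    return SECRET_LEN + SALT_LEN;
}

/* 1 if the zero-salt key and the no-salt key give the same keystream, else 0. */
int zero_salt_equals_no_salt(const uint8_t *secret)
{
    static const uint8_t zero_salt[SALT_LEN] = {0};
    uint8_t k_salt[16], k_plain[16], s_salt[32], s_plain[32];
    size_t n_salt = build_cipher_key(secret, zero_salt, k_salt);   /* 16-byte key */
    size_t n_plain = build_cipher_key(secret, NULL, k_plain);      /* 5-byte key */
    rc4_keystream(k_salt, n_salt, s_salt, sizeof s_salt);
    rc4_keystream(k_plain, n_plain, s_plain, sizeof s_plain);
    return memcmp(s_salt, s_plain, sizeof s_salt) == 0;
}

int main(void)
{
    const uint8_t secret[SECRET_LEN] = {0x01, 0x02, 0x03, 0x04, 0x05}; /* constructed sample */
    printf("same keystream: %s\n", zero_salt_equals_no_salt(secret) ? "yes" : "no");
}
```

Under these assumptions the zero-salt case feeds RC4 a 16-byte key and the no-salt case a 5-byte key, so the key schedules diverge and the two sides cannot decrypt each other's data unless both are created the same way.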