using the ncipher CSP with the MSCAPI to do AES encryption

Question

I'm trying to figure out how to use the MCSAPI to do AES encryption with the ncipher cryptographic service provider (CSP). What puzzles me is that the AesCryptoServiceProvider constructor does not accept a CspParameters class, used to specify nCipher as the csp.

CspParameters cp = new CspParameters(24, "nCipher Enhanced RSA and AES Cryptographic Provider");
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(CspParameters)  // works fine
AesCryptoServiceProvider aes = new AesCryptoServiceProvider();   // Constructor takes no parameters.

From what I can see The Rijndael classes also don't have a way to specify other third party CSP's. What am I missing? Is there a way to initialize my whole system to load a CSP for all subsequent cryptographic calls? Am I suppose to be using the CSP to just manage the symmetric key and then use the default AesCryptoServiceProvider to encrypt/decrypt? RSACryptoServiceProvider(CspParameters) works just fine. But I'm wanting to do symmetric encryption. I'm needing to do this in C# .NET framework.

Answer 1

AES is an symmetric algorithm, so no CspParameters can be used.

nCipher is a hardware standard (see http://technet.microsoft.com/en-us/library/dd277354) so it may be, that your token can calculate the AES algorithm, but as everybody (Alice and Bob) needs to know the secret key there is no benefit to calculate or store the key on a hardware-token.

You can see how to use AesCryptoServiceProvider in the MSDN example, maybe you want to use AesManaged (there is also an example).

Answer 2

Microsoft CAPI does not support hardware protected keys for symmetric algorithms. This is a shortcoming of the API, not of the nCipher CSP. The only keys that can be hardware protected are the Signing and Exchange key pair of the CAPI container. Any symmetric key created is generated and used in software.

You can wrap (software) symmetric keys in the (hardware) container keys for protection and persistence, but that does not make those symmetric keys hardware protected.

If you're deploying on anything Vista, Server 2008 or newer, you should consider CAPI Next Generation or CNG: it supports generating and using hardware protected symmetric keys and the Thales/nCipher CNG CSP has support for this. However, the Thales/nCipher CNG CSP does not support persisting symmetric keys, so to do that you'd have to wrap them in a container key pair same as you would with old school CAPI.

I work for Thales but do not speak for them: contact Thales Support if you have questions and/or want to find out how to obtain Developer Support.