For what purpose is _Crypto_DeriveKey?

[qwert]

I've recently started working with the encryption functions.  I'm able to encrypt and decrypt files just fine.  But I keep noticing references to _Crypto_DeriveKey.  Yet I can't find any explanation of how it fits in.  And the description from msdn isn't any help (to me):

 

The CryptDeriveKey function generates cryptographic session keys derived from a base data value. This function guarantees that when the same cryptographic service provider (CSP) and algorithms are used, the keys generated from the same base data are identical. The base data can be a password or any other user data.

 

What are the intended uses?

Any help will be appreciated.

[TheDcoder]

Generates random a key which is constant IMO. For real I don't know what It does...

TD

[jvanegmond]

I don't know about Crypto API but when you want to use a symmetric cypher such as AES, you need to use the same shared key for decryption as for encryption. With public-key cryptography (commonly known as being used in certificates for authentication and encryption) you don't have a shared secret key. So you have algorithms to negotiate and compute a shared secret key for this session only (also known as session key), for example by combining both of your public keys. An example of this is Diffie-Hellman key exchange.

It wouldn't be much of a stretch to assume that this is an implementation of such an algorithm. Also make sure you are reading the right documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379916(v=vs.85).aspxAnd in general working with encryption requires a solid understanding of the theory.

[TheDcoder]

@Manadar Do you mean that _Crypto_DeriveKey  generates a (constant) key for a session (i.e from start of the program till exit) ?

TD

[jchd]

No this primitive generates a key structure from the credential supplied which is suitable for further cryptographic processing.

Say you supply a key = 'abcdef' for encrypting with AES for instance, the call derives (hence its name) a key structure useable by subsequent AES encryption.

[TheDcoder]

key structure ?

[jchd]

See MSDN for more details. In short, most if not all crypto standards use a predetermined key size. For instance, AES uses keys of 128, 192 or 256 bits. If your user-level password is 'abc', there is not enough data^(*) so your 'abc' (base key) is transformed into a hash and you get a handle to this key block in return from CryptoDeriveKey. Parameters for this call dictate which algorithm will be used and flags allow for flexibility.

(*) Even when your supplied user-level base key is long enough, it is also transformed into a cryptographic hash.