I'm wondering if this is possible. I've already implemented an SSL connection that uses PSK, but I wanted to somehow secure the PSK so that it could only be accessible by the current user. I figured the Windows key store would be the safest.
Does anyone have tips on how I could do this? The SSL portion is already done using OpenSSL, but I'm not sure about the key storage. I've been trying out the Windows CNG API, but I'm having a hard time figuring out how to use the stored random key as the PSK.
I've already implemented an SSL connection that uses PSK, but I wanted to somehow secure the PSK so that it could only be accessible by the current user. I figured the Windows key store would be the safest...
What you want is called "Protected Storage". It goes by different names depending on the platform you are using. For example, it's called a Keychain on Apple platforms, and KeyChain on Android platforms.
Microsoft has protected storage, and a few implementations depending on the technology you are working with. In the early days, Microsoft called it Protected Storage and it was provided by the Protected Storage Service.
Microsoft deprecated Protected Storage with Windows Server 2003 and Windows XP, and offered Protected Storage (Pstore) for those operating systems. See Protected Storage (Pstore) on MSDN. Microsoft also recommended using the Data Protection API (DPAPI) for encrypting secrets under the user logins. That ended sometime around Windows 8.
Microsoft provides the Credential Manager for Windows 7 and above. It allows you to store passwords for user logins, and bits like PSK keys.
If you need something stronger with a key hierarchy, then the Cryptography API or Crypto API Next Generation can be used. If you use CryptoAPI or CNG, then I believe you need to create a public/private keypair, and then encrypt the PSK under the public key. You decrypt it with the private key when needed. You store the encrypted PSK anywhere you like, from the file system to the registry or online. Also see Softwariness's answer at How to deal with plaintext keys using CNG?
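The key-pair approach described in the answer above, sketched as an added example (not code from the original post): a non-exportable RSA key is persisted in the current user's CNG key store through the .NET CNG wrappers, the PSK is encrypted under it with OAEP, and only the ciphertext is written to disk. The key name `ExamplePskWrapKey` and the blob path are hypothetical.

```powershell
using namespace System.Security.Cryptography

$keyName  = 'ExamplePskWrapKey'                             # hypothetical CNG key name
$blobPath = Join-Path $env:LOCALAPPDATA 'example-psk.bin'   # hypothetical blob location

function Get-WrapKey {
    # Open the persisted RSA key pair from the current user's key store; create it on first use.
    if ([CngKey]::Exists($keyName)) { return [CngKey]::Open($keyName) }
    $p = [CngKeyCreationParameters]::new()
    $p.ExportPolicy       = [CngExportPolicies]::None       # private key cannot be exported
    $p.KeyCreationOptions = [CngKeyCreationOptions]::None   # user key, not a machine-wide key
    $p.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(3072), [CngPropertyOptions]::None))
    return [CngKey]::Create([CngAlgorithm]::Rsa, $keyName, $p)
}

function Protect-Psk([byte[]]$Psk) {
    # Encrypt the PSK under the public key and store only the ciphertext.
    $key = Get-WrapKey
    $rsa = [RSACng]::new($key)
    try { [IO.File]::WriteAllBytes($blobPath, $rsa.Encrypt($Psk, [RSAEncryptionPadding]::OaepSHA256)) }
    finally { $rsa.Dispose(); $key.Dispose() }
}

function Unprotect-Psk {
    # Decrypt with the private key, which never leaves the key storage provider.
    $key = Get-WrapKey
    $rsa = [RSACng]::new($key)
    try { return ,$rsa.Decrypt([IO.File]::ReadAllBytes($blobPath), [RSAEncryptionPadding]::OaepSHA256) }
    finally { $rsa.Dispose(); $key.Dispose() }
}

# Constructed sample input: a random 32-byte PSK generated for this demonstration.
$psk = [byte[]]::new(32)
$rng = [RandomNumberGenerator]::Create()
$rng.GetBytes($psk)
$rng.Dispose()

Protect-Psk $psk
$restored = Unprotect-Psk

# Compare without printing the secret, then wipe both plaintext copies from memory.
[Convert]::ToBase64String($psk) -eq [Convert]::ToBase64String($restored)
[Array]::Clear($psk, 0, $psk.Length)
[Array]::Clear($restored, 0, $restored.Length)
```

Any process running as the same user can open the key and unwrap the PSK, so this protects against other accounts and offline copies of the blob, not against code already running in the user's session. RSA encryption alone gives the blob no integrity protection, so keep the file's ACL restricted to the owning user to prevent substitution.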