"Kenneth R. Robinette" wrote:
>
> If I understand the handshaking of TLS/SSL between a host and a client, the client sends
> a certificate to the host, then performs an RSA encryption operation using the certificate
> private key on challenge data sent by the host.
>
> If the certificate and private key are located on a USB token/Smart Card, and the
> private key is marked as "sensitive" or "cannot be exported", then how does the Microsoft
> Browser perform the private key encryption using cryptoapi, when the private key cannot be
> exported? I have searched the cryptoapi documentation and cannot find any way to do this
> without using CryptExportKey to obtain the private key.
>
The challenge data is sent to the token which then performs the signing
operation internally and returns the result.
This token communication is handled by the token CSP. Under CryptoAPI
this is done by creating a hash object and then calling CryptSignHash():
the algorithm used is CALG_SSL3_SHAMD5 for SSL/TLS.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
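What that exchange looks like in data terms, as an added example that is not part of Steve's reply and is not CryptoAPI code: the host computes the 36-byte MD5 || SHA-1 transcript digest (the TLS 1.0 CertificateVerify form; SSL 3.0 also mixes in the master secret), only that digest crosses into `sign_on_token()`, which stands in for the token CSP behind `CryptSignHash()`, and the RSA private operation applies PKCS#1 v1.5 block type 1 with no DigestInfo, as documented for `CALG_SSL3_SHAMD5`. The key generation (Fermat test, 512-bit modulus, fixed seed) and the transcript bytes are constructed for the demo only.

```python
import hashlib
import random

def ssl3_shamd5_digest(handshake_messages: bytes) -> bytes:
    # CALG_SSL3_SHAMD5 value: MD5 || SHA-1 of the handshake transcript (36 bytes)
    return hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()

def pkcs1_type1_pad(digest: bytes, k: int) -> bytes:
    # PKCS#1 v1.5 block type 1 with no DigestInfo prefix; k = modulus length in bytes
    ps_len = k - len(digest) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for the digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest

def _probable_prime(bits: int, rng: random.Random) -> int:
    # Demo-only Fermat test; a real token does its own key generation
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(rng.randrange(2, c - 1), c - 1, c) == 1 for _ in range(16)):
            return c

def make_token(bits: int = 512, seed: int = 7):
    # Stand-in for the token CSP. The private exponent d lives only in the
    # closure (a non-exportable key): callers get signatures, never key material.
    rng = random.Random(seed)
    while True:
        p, q = _probable_prime(bits // 2, rng), _probable_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            break
    n, e = p * q, 65537
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    k = (n.bit_length() + 7) // 8

    def sign_on_token(digest: bytes) -> bytes:
        # Only the 36-byte digest crosses the boundary; the RSA private
        # operation runs "inside the token". CryptSignHash would return the
        # signature little-endian; big-endian is used here for readability.
        m = int.from_bytes(pkcs1_type1_pad(digest, k), "big")
        return pow(m, d, n).to_bytes(k, "big")

    return sign_on_token, (n, e)

def verify(public_key, digest: bytes, signature: bytes) -> bool:
    # The server side: recover the padded block and compare
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_type1_pad(digest, k)
```

Typical use is `sign, pub = make_token()` followed by `verify(pub, d, sign(d))` with `d = ssl3_shamd5_digest(transcript)`; note that the caller never sees `d` the private exponent, only the signature.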
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]