参考:
1,使用 CNG 加密数据 - Win32 apps | Microsoft Learn
2,不记得了
(下文通过cng api演示rsa加密,不做原理性介绍)
相对于aes等对称加密算法,rsa加密算法不可逆性更强。非对称加密在通常情况下,使用公钥对数据进行加密之后,如果没有私钥,基本是不可能实现解密的。在一些勒索程序中,非对称加密会经常出现;这里算是填个坑吧。
下面代码实现:
1,rsa加密
2,公钥/私钥导出
#define RsaKeyLen 2048HRESULT bthr(BOOL b)
{return b ? S_OK : HRESULT_FROM_WIN32(GetLastError());
}//确实不需要直接从 BCryptExportKey 或 NCryptExportKey 进行 base64 编码输出,但需要执行额外的步骤 :
//
//使用 BCryptExportKey(或 NCryptExportKey) BCRYPT_RSAFULLPRIVATE_BLOB(但不是 BCRYPT_RSAPRIVATE_BLOB)或 BCRYPT_RSAPUBLIC_BLOB
//对生成的 BCRYPT_RSAKEY_BLOB 进行编码 CNG_RSA_PRIVATE_KEY_BLOB 或 CNG_RSA_PUBLIC_KEY_BLOB 并放入 CRYPT_PRIVATE_KEY_INFO
//使用 PKCS_PRIVATE_KEY_INFO 对 CRYPT_PRIVATE_KEY_INFO 进行编码 >
//调用CryptBinaryToStringAHRESULT ExportToPem(_In_ BCRYPT_KEY_HANDLE hKey, BOOL bPrivate, _Out_ PSTR* ppsz, _Out_ PULONG pcch)
{HRESULT hr;CRYPT_PRIVATE_KEY_INFO PrivateKeyInfo = { 0, {const_cast<PSTR>(szOID_RSA_RSA)} };CERT_PUBLIC_KEY_INFO PublicKeyInfo = { {const_cast<PSTR>(szOID_RSA_RSA)} };ULONG cbKey = 0;PUCHAR pbKey = 0;//really PBCRYPT_RSAKEY_BLOBPCWSTR pszBlobType;PCSTR lpszStructType;if (bPrivate){pszBlobType = BCRYPT_RSAFULLPRIVATE_BLOB;lpszStructType = CNG_RSA_PRIVATE_KEY_BLOB;}else{pszBlobType = BCRYPT_RSAPUBLIC_BLOB;lpszStructType = CNG_RSA_PUBLIC_KEY_BLOB;}while (0 <= (hr = BCryptExportKey(hKey, 0, pszBlobType, pbKey, cbKey, &cbKey, 0))){if (pbKey){if (bPrivate){if (0 <= (hr = bthr(CryptEncodeObjectEx(X509_ASN_ENCODING,lpszStructType,pbKey, CRYPT_ENCODE_ALLOC_FLAG, 0,&PrivateKeyInfo.PrivateKey.pbData,&PrivateKeyInfo.PrivateKey.cbData)))){hr = bthr(CryptEncodeObjectEx(X509_ASN_ENCODING, PKCS_PRIVATE_KEY_INFO,&PrivateKeyInfo, CRYPT_ENCODE_ALLOC_FLAG,0,&pbKey, &cbKey));LocalFree(PrivateKeyInfo.PrivateKey.pbData);}}else{//public keyif (0 <= (hr = bthr(CryptEncodeObjectEx(X509_ASN_ENCODING,lpszStructType, pbKey, CRYPT_ENCODE_ALLOC_FLAG, 0,&PublicKeyInfo.PublicKey.pbData,&PublicKeyInfo.PublicKey.cbData)))){hr = bthr(CryptEncodeObjectEx(X509_ASN_ENCODING,X509_PUBLIC_KEY_INFO,&PublicKeyInfo, CRYPT_ENCODE_ALLOC_FLAG, 0,&pbKey, &cbKey));LocalFree(PublicKeyInfo.PublicKey.pbData);}}if (0 <= hr){PSTR psz = 0;ULONG cch = 0;while (0 <= (hr = bthr(CryptBinaryToStringA(pbKey,cbKey,CRYPT_STRING_BASE64HEADER, //CRYPT_STRING_BASE64HEADER without the "---------BEGIN CERTIFICATE---------"psz,&cch)))){if (psz){*ppsz = psz, * pcch = cch;break;}if (!(psz = (PSTR)LocalAlloc(0, cch))){hr = HRESULT_FROM_WIN32(GetLastError());break;}}LocalFree(pbKey);}break;}pbKey = (PUCHAR)malloc(cbKey);}return hr;
}BOOL DecryptAnd(BCRYPT_KEY_HANDLE hKey, PUCHAR pbData, ULONG cbData)
{UCHAR buf[0x1000] = { 0 };ULONG pbcResult = 0;NTSTATUS status = 0;if (!NT_SUCCESS(BCryptDecrypt(hKey,pbData,cbData,NULL,NULL,0,buf,0x1000,&pbcResult,BCRYPT_PAD_PKCS1))){wprintf(L"BCryptDecrypt fail,error:%d\n", GetLastError());goto end;}//print cipher textPrintBytes(buf, pbcResult);end:return status == 0 ? TRUE : FALSE;
}BOOL EncryptAnd(BCRYPT_KEY_HANDLE hKey, PUCHAR pbData, ULONG cbData)
{UCHAR buf[0x1000] = { 0 };ULONG pbcResult = 0;NTSTATUS status = 0;printf("plain text length:%d\n", cbData);if (!NT_SUCCESS(BCryptEncrypt(hKey,pbData,cbData,NULL,NULL,0,buf,0x1000,&pbcResult,BCRYPT_PAD_PKCS1))){wprintf(L"BCryptEncrypt fail,error:%d\n", GetLastError());goto end;}//print cipher textprintf("cipher text length:%d\n", pbcResult);PrintBytes(buf, pbcResult);printf("begin to decrypt \n");//begin to decryptDecryptAnd(hKey, buf, pbcResult);end:return status == 0 ? TRUE : FALSE;
}void UnsymmetricEncrypt()
{NTSTATUS status =0;BCRYPT_ALG_HANDLE hAlgRsa=NULL;BCRYPT_KEY_HANDLE hRsaKey=NULL;DWORD rsaPublicKeyLen = (RsaKeyLen) * 2;UCHAR rsaPublicKey[(RsaKeyLen) * 2] = { 0 };UCHAR rsaPrivateKey[(RsaKeyLen) * 2] = { 0 };ULONG cbResult = 0;PSTR PublicKey = NULL;PSTR PrivateKey = NULL;UCHAR plainText[0x20] = "abcdefghijklm";//opne rsa algorithm providerif (!NT_SUCCESS(status = BCryptOpenAlgorithmProvider(&hAlgRsa,BCRYPT_RSA_ALGORITHM,NULL,0))){wprintf(L"BCryptOpenAlgorithmProvider fail,error:%d\n", GetLastError());goto end;}//generate key pair if (!NT_SUCCESS(status = BCryptGenerateKeyPair(hAlgRsa,&hRsaKey,RsaKeyLen,0))){wprintf(L"BCryptGenerateKeyPair fail,error:%d\n", GetLastError());goto end;}//finalizeif (!NT_SUCCESS(status = BCryptFinalizeKeyPair(hRsaKey,0))){wprintf(L"BCryptFinalizeKeyPair fail,error:%d\n",GetLastError());goto end;}//encrypt and decryptEncryptAnd(hRsaKey, plainText, 13);printf("\n");if (!NT_SUCCESS(status = BCryptExportKey(hRsaKey,NULL,BCRYPT_RSAPUBLIC_BLOB,rsaPublicKey,rsaPublicKeyLen,&cbResult,0))){wprintf(L"BCryptExportKey fail,error:%d\n", GetLastError());goto end;}else{//printf public key//0x52, 0x53, 0x41, 0x31, 0x00, 0x02, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,//0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0xb4, 0x7a, 0xb0, 0x43, 0xee,//0x48, 0xbf, 0x53, 0x05, 0x60, 0xe3, 0x0e, 0xd9, 0xe2, 0x52, 0xa3, 0xb2, 0xef, 0x08, 0x20, 0xef,//0xe4, 0x39, 0x40, 0xb7, 0xf9, 0xf3, 0x72, 0xe5, 0xf7, 0x3c, 0x25, 0x7e, 0x88, 0xe8, 0xe8, 0x9a,//0x13, 0x67, 0xca, 0x5d, 0x45, 0xd6, 0x33, 0x6f, 0x9d, 0xda, 0xcc, 0xae, 0x07, 0x44, 0x2c, 0x11,//0x5c, 0x82, 0xdf, 0xe9, 0x87, 0xd9, 0xf0, 0xcd, 0xb7, 0xb2, 0xc1,printf("rsa public key blob:\n");PrintBytes(rsaPublicKey, cbResult);//if (S_OK != ExportToPem(// hRsaKey,// TRUE,// &PrivateKey,// &cbResult))//{// wprintf(L"ExportToPem PrivateKey fail!\n");// goto end;//}if (S_OK != ExportToPem(hRsaKey,FALSE,&PublicKey,&cbResult)){wprintf(L"ExportToPem PrivateKey fail!\n");goto end;}printf("\npublic key in pem:\n%s\n", PublicKey);//printf("private key in pem:\n%s\n", PrivateKey);}wprintf(L"\n UnsymmetricEncrypt success!\n");
end:if (hAlgRsa){BCryptCloseAlgorithmProvider(hAlgRsa, 0);}if (hRsaKey){BCryptDestroyKey(hRsaKey);}
}
运行结果如下图:
第一次运行
第二次运行
通过运行结果可以看出,调用系统cng api 每次生成的密钥对都不一样,这就很ok。从表面上来看,非对称加密算法比对称加密算法多一个密钥,这就更安全一点。
