Appendix A: Cryptography Used

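To encrypt the user data into a file (store), USMT uses the Secure Hash Algorithm (SHA-1) together with a key that is derived from the user's password. The hash size for the SHA-1 algorithm is 160 bits. Key derivation consists of computing the SHA-1 hash of the user password and deriving a Triple DES (3DES) key from that hash, as the code below shows. The code shown hashes the password once, with no salt or iteration count, so the protection of the store depends directly on the strength of the password.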

The following code shows how USMT calls the APIs that encrypt the data. The code creates an encryption key and passes the key to the migration engine, which further encrypts the data.

    // Obtain the encryption key from the password.
    //
    // Excerpt from a larger routine (its signature and cleanup code are not shown):
    //   1. acquire a CryptoAPI provider context,
    //   2. create a SHA-1 hash object,
    //   3. hash `size` bytes of `key` into it,
    //   4. derive a 3DES session key from that hash into m_hKey.
    // Every failure is traced with GetLastError() and reported as USMT_UNABLE_SETKEY.
    //
    // NOTE(review): SHA-1 and 3DES are legacy algorithms, and the derivation below is a
    // single hash pass with no salt or iteration count visible here, so key strength
    // follows password strength.

    // CRYPT_VERIFYCONTEXT with a NULL container name: no persisted key container is opened;
    // the context is used only for hashing and for the derived session key.
    if (!CryptAcquireContext(&m_hProv, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
    {
        // Clear the handle first so it cannot be mistaken for a valid provider later.
        m_hProv = NULL;
        err = GetLastError();
        USMTTRACE1(USMT_ERROR, "Not able to acquire crypt context. GetLastError returns 0x%X.", err);
        return USMT_UNABLE_SETKEY;
    }
 
    // Create an unkeyed SHA-1 hash object on the provider acquired above.
    if(!CryptCreateHash(m_hProv, CALG_SHA1, 0, 0, &m_hHash))
    {
        err = GetLastError();
        USMTTRACE1(USMT_ERROR, "Not able create hash. GetLastError returns 0x%X.", err);
        m_hHash = NULL;
        // NOTE(review): m_hProv is still open on this return; presumably released by the
        // owning object's cleanup code -- confirm.
        return USMT_UNABLE_SETKEY;
    }
 
    // Feed the caller-supplied bytes into the hash.
    // presumably `key` holds the user's password and `size` its length in bytes -- verify against caller.
    if(!CryptHashData(m_hHash, key, size, 0))
    {
        err = GetLastError();
        USMTTRACE1(USMT_ERROR, "Unable to create hash data. GetLastError returns 0x%X.", err);
        // NOTE(review): m_hHash and m_hProv are not released on this path within the excerpt.
        return USMT_UNABLE_SETKEY;
    }
 
    // Derive the 3DES key from the SHA-1 hash state; the resulting handle is stored in m_hKey.
    // CRYPT_EXPORTABLE permits the key to be exported from the provider later;
    // NOTE(review): confirm export is actually required, otherwise the flag widens key exposure.
    if(!CryptDeriveKey(m_hProv, CALG_3DES, m_hHash, CRYPT_EXPORTABLE, &m_hKey))
    {
        err = GetLastError();
        // NOTE(review): the trace text reads "drive"; presumably "derive" was intended.
        USMTTRACE1(USMT_ERROR, "Unable to drive key. GetLastError returns 0x%X.", err);
        return USMT_UNABLE_SETKEY;
    }