AllAPI Network - The KPD-Team


The CryptDeriveKey function generates cryptographic keys derived from base data. This function guarantees that all keys generated from the same base data will be identical, provided the same CSP and algorithms are used.

Declare Function CryptDeriveKey Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hBaseData As Long, ByVal dwFlags As Long, phKey As Long) As Long


Operating Systems Supported
Windows NT 4.0 or later; Windows 95 OSR2 or later (or Windows 95 with Internet Explorer 3.02 or later)


Parameter Information
· hProv
[in] A handle to the application’s CSP. An application obtains this handle using the CryptAcquireContext function.

· Algid
[in] The identifier for the algorithm for which the key is to be generated.
The valid values for this parameter will vary, depending on the CSP that is used. See the “Remarks” section for a list of possible algorithm identifiers.

· hBaseData
[in] A handle to a hash object that has been fed exactly the base data.
To obtain this handle, an application must first create a hash object with CryptCreateHash and then add the base data to the hash object with CryptHashData. This process is described in detail in the section Hashes and Digital Signatures.

· dwFlags
[in] The flags specifying the type of key generated. This parameter can be zero, or you can specify one or more of the following flags, using the binary OR operator to combine them.
If this flag is set, then the session key can be transferred out of the CSP into a key blob through the CryptExportKey function. Because keys generally must be exportable, this flag should usually be set.
If this flag is not set, then the session key will not be exportable. This means the key will only be available within the current session and only the application that created it will be able to use it.
This flag does not apply to public/private key pairs.

Typically, when a session key is made from a hash value, there are a number of leftover bits. For example, if the hash value is 128 bits and the session key is 40 bits, there will be 88 bits left over.
If this flag is set, then the key will be assigned a salt value based on the unused hash value bits. You can retrieve this salt value using the CryptGetKeyParam function with the dwParam parameter set to KP_SALT.
If this flag is not set, then the key will be given a salt value of zero.
When keys with nonzero salt values are exported (using CryptExportKey), the salt value must also be obtained and kept with the key blob.

If this flag is set, then the user will be notified through a dialog box or another method when certain actions are attempted using this key. The precise behavior is specified by the CSP being used.
The Microsoft RSA Base Provider ignores this flag.

Some CSPs use session keys that are derived from multiple hash values. When this is the case, CryptDeriveKey must be called multiple times.
If this flag is set, a new session key is not generated. Instead, the key specified by phKey is modified. The precise behavior of this flag is dependent on the type of key being generated and on the particular CSP being used.
The Microsoft RSA Base Provider ignores this flag.

· phKey
[in/out] The address to which the function copies the handle of the newly generated key.

The Microsoft Base Cryptographic Provider defines the following hashing algorithms.
CALG_HMAC: HMAC, a keyed hash algorithm
CALG_MAC: Message Authentication Code
CALG_SHA: US DSA Secure Hash Algorithm
CALG_SSL3_SHAMD5: SSL3 client authentication

Return Values
If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To retrieve extended error information, use the GetLastError function.

The following table lists the error codes most commonly returned by the GetLastError function. The error codes prefaced by “NTE” are generated by the particular CSP you are using.
One of the parameters specifies an invalid handle.

One of the parameters contains an invalid value. This is most often an illegal pointer.

The Algid parameter specifies an algorithm that this CSP does not support.

The dwFlags parameter contains an invalid value.

The hBaseData parameter does not contain a valid handle to a hash object.

The hProv parameter does not contain a valid context handle.

The function failed in some unexpected way.
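
The call sequence described under hBaseData and Return Values, as an added VB6 example that is not AllAPI's own code: create a hash, feed it the base data, derive the key, then release every handle. Assumptions: CALG_RC4 as the key algorithm, the default PROV_RSA_FULL provider, constant values taken from wincrypt.h, and the hypothetical names DeriveKeyFromPassword and DemoDeriveKey. The error value is read through Err.LastDllError, which is how VB exposes the GetLastError value after a Declare call.

```vb
Option Explicit
' Added example, not part of the original page. Constant values are from wincrypt.h.
Private Declare Function CryptAcquireContext Lib "advapi32.dll" Alias "CryptAcquireContextA" (phProv As Long, ByVal pszContainer As String, ByVal pszProvider As String, ByVal dwProvType As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptCreateHash Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hKey As Long, ByVal dwFlags As Long, phHash As Long) As Long
Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, pbData As Any, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptDeriveKey Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hBaseData As Long, ByVal dwFlags As Long, phKey As Long) As Long
Private Declare Function CryptDestroyHash Lib "advapi32.dll" (ByVal hHash As Long) As Long
Private Declare Function CryptDestroyKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function CryptReleaseContext Lib "advapi32.dll" (ByVal hProv As Long, ByVal dwFlags As Long) As Long
Private Const PROV_RSA_FULL As Long = 1
Private Const CRYPT_VERIFYCONTEXT As Long = &HF0000000  ' no persisted key container needed
Private Const CALG_SHA As Long = &H8004&   ' trailing & keeps the literal a Long, not a negative Integer
Private Const CALG_RC4 As Long = &H6801&   ' assumed key algorithm for this example

' Hashes sPassword (the base data) and derives a session key from the hash.
' Returns the key handle, or 0 on failure with lErr set to the Win32/NTE error code.
Private Function DeriveKeyFromPassword(ByVal hProv As Long, ByVal sPassword As String, lErr As Long) As Long
    Dim hHash As Long, hKey As Long, b() As Byte
    If Len(sPassword) = 0 Then             ' b(0) below would fail on an empty array
        lErr = 87: Exit Function           ' 87 = ERROR_INVALID_PARAMETER
    End If
    b = StrConv(sPassword, vbFromUnicode)  ' hash the ANSI bytes, not VB's UTF-16 string
    If CryptCreateHash(hProv, CALG_SHA, 0, 0, hHash) = 0 Then
        lErr = Err.LastDllError: Exit Function
    End If
    If CryptHashData(hHash, b(0), UBound(b) + 1, 0) = 0 Then
        lErr = Err.LastDllError
    ElseIf CryptDeriveKey(hProv, CALG_RC4, hHash, 0, hKey) = 0 Then
        lErr = Err.LastDllError            ' read before any other API call overwrites it
        hKey = 0
    End If
    CryptDestroyHash hHash                 ' always release the hash, success or failure
    DeriveKeyFromPassword = hKey
End Function

Public Sub DemoDeriveKey()
    Dim hProv As Long, hKey As Long, lErr As Long
    If CryptAcquireContext(hProv, vbNullString, vbNullString, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) = 0 Then
        Debug.Print "CryptAcquireContext failed, error &H" & Hex$(Err.LastDllError): Exit Sub
    End If
    hKey = DeriveKeyFromPassword(hProv, "constructed sample passphrase", lErr)
    If hKey = 0 Then
        Debug.Print "Key derivation failed, error &H" & Hex$(lErr)
    Else
        Debug.Print "Derived session key, handle " & hKey
        CryptDestroyKey hKey               ' destroy the key before releasing the CSP
    End If
    CryptReleaseContext hProv, 0
End Sub
```

dwFlags is passed as zero here, so the derived key is not exportable and gets a salt value of zero, as the dwFlags description states.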


Copyright © 1998-2007, The Team - Privacy statement