views:

351

answers:

1

We have a need to create a private key that is seeded from 2 plaintext keys. The 2 plaintext keys are maintained by different managers. This is to satisfy a dual-control key requirements that we have. We can combine the two keys into a single seed. However, from reading the Microsoft CryptoAPI documentation, all key generation are completely random with no way to provide a seed. Is this true? If yes, can you suggest an alternative solution to creating this key?

Note: The key will be stored in the key container and marked as non-exportable.

+1  A: 

Why not do it the other way around? Generate a private key, then split that into two key shares, with each manager only having one. For a simple 2-out-of-2 scheme, all you need to do is generate a block of random (really random, not pseudo-random) data the size of the key, xor it with the generated key, and give one manager the random data, and the other manager the encrypted key.

Then, when you need to use the key, both managers provide their data and you reconstruct it from that, deleting it when you're done.

Nick Johnson