Upgrade Intel IPT with PKI, then CryptImportKey does not work

I recently upgraded IPT with PKI from v3.1.0.182 to v4.0.5.25, and now I cannot use CryptImportKey any more.

It returns 0x000000b7 (maybe ERROR_ALREADY_EXISTS) after the PIN-setting PTD is displayed.

Only the container is created.

I set dwFlags to CRYPT_USER_PROTECTED to use PKI with PTD.

I did not change any source code; I only changed the provider from Intel IPT Enhanced Cryptographic Provider to Intel IPT CSP - Non-Exportable Keys.

What is wrong with it, or is there any misuse on my side?

Is there any solution to it?

Thank you in advance.


Hello,

As indicated in the attached Release Notes for v4.0.5.25 and the excerpt below, the names of the Cryptographic Service Providers (CSPs) in v4 have changed, and the "Intel IPT Cryptographic Provider" CSP has been removed. You will need to change your code to use the new CSP names.

Attachment: Release Notes.pdf (120.61 KB)

Yes, I changed the provider name. It works when I try to generate a new one.
But it fails when I try to import a certificate: the CryptImportKey step returns 0x000000b7 after CryptAcquireContext succeeds.

Best Reply

Hello,

In version 4.x, the secure import and secure export functionality is not supported in the “Intel IPT CSP – Non-Exportable Keys” CSP.

To use secure import or secure export, you must use the new “Intel IPT CSP – Exportable Keys” CSP.

Please let me know if this helps you,

Gael
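A practical way to act on the reply above is to confirm which Intel IPT CSPs are actually registered after the upgrade, then import the PKCS#12 file into the "Exportable Keys" CSP with certutil rather than through your own CryptImportKey code, so a CSP problem can be separated from an application problem. The script below is an added example for this thread, not code from Intel or from the original poster. It assumes the v4 provider names quoted in this thread (the exact hyphen or dash character must match what certutil -csplist prints), and the PFX path and password are placeholders.

```powershell
# Added example (not from the thread): verify the installed Intel IPT CSP names after the
# v4 upgrade, then import a PKCS#12 file into the "Exportable Keys" CSP, which is the one
# the reply above says still supports secure import.
# Assumptions: provider names as quoted in this thread; $PfxPath and $PfxPwd are placeholders.

$ErrorActionPreference = 'Stop'

# CSP names seen in this thread. The v3 name is listed only so the script can report
# whether old code is still pointing at a provider that no longer exists.
$OldCsp       = 'Intel IPT Enhanced Cryptographic Provider'
$NonExportCsp = 'Intel IPT CSP - Non-Exportable Keys'
$ExportCsp    = 'Intel IPT CSP - Exportable Keys'

# Every registered CSP is a subkey under this registry key; "certutil -csplist" reads the same list.
$installed = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider' |
             ForEach-Object { $_.PSChildName }

foreach ($name in $OldCsp, $NonExportCsp, $ExportCsp) {
    $state = if ($installed -contains $name) { 'present' } else { 'MISSING' }
    Write-Host ('{0,-45} {1}' -f $name, $state)
}

if ($installed -notcontains $ExportCsp) {
    # Without this provider CryptAcquireContext fails before any import is attempted.
    throw "'$ExportCsp' is not registered; check the spelling/dash against 'certutil -csplist'."
}

# Import the PKCS#12 into the current user's My store, binding the private key to the
# Exportable Keys CSP. Placeholders: replace the path and password with your own.
$PfxPath = 'C:\path\to\user.pfx'
$PfxPwd  = 'replace-me'

certutil -user -p $PfxPwd -csp $ExportCsp -importPFX My $PfxPath
if ($LASTEXITCODE -ne 0) {
    # certutil prints the underlying Win32/HRESULT code; 0xb7 (183 decimal) is
    # ERROR_ALREADY_EXISTS, the value reported earlier in this thread.
    throw "certutil -importPFX failed with exit code $LASTEXITCODE"
}

# Show which provider now holds each key: look at the 'Provider = ...' lines.
certutil -user -store My | Select-String -Pattern 'Subject:|Provider ='
```

If the certutil import into the Exportable Keys CSP succeeds but your own CryptImportKey call still fails, the problem is in the application's container handling rather than in the CSP; if certutil fails with the same 0xb7, the CSP itself is rejecting the import and the thread's question stands.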

Hello,

I was looking forward to your response :) 

You mean that I cannot use certificates in PKCS#12 form with PTD any more?

Actually, I tried to import through "Intel IPT CSP – Exportable Keys", but the result was the same.

If "secure import" means import through a migration authority, then how can I import certificates securely?

Are there any technical documents on secure import, or details of the changed specification of IPT with PKI?

I am so sorry for asking so many questions.

I really appreciate your kind and detailed answer.

Kiyoung

I am talking to the experts on this, so that is why there is a delay in my responses. They are wondering whether you are integrating this into a product or whether this is a proof of concept?

Thanks,

Gael

In Korea, almost everyone already has one or more certificates.

So if it is impossible to import certificates, we cannot use IPT even though it is a wonderful technology.

I hope I can make many people, companies, and government use Intel IPT with PKI.

Next week I have to show manufacturers that it is possible on one of their 6th generation machines.

Our company finished development with Intel IPT Enhanced Cryptographic Provider on a Broadwell PC.

I tried to use 3.x IPT on the new machine, but it was impossible to install on it.

Is there any solution?

Kiyoung

Quote:

Gael Hofemeier (Intel) wrote:

I am talking to the experts on this, so that is why there is a delay in my responses. They are wondering whether you are integrating this into a product or whether this is a proof of concept?

Thanks,

Gael

Yes, we are using IPT with PKI as the main secure certificate storage in our product.

If we cannot use it, manufacturers will not make a vPro product line.

Thanks,

Kiyoung

According to the Release Notes:

Intel IPT Enhanced Cryptographic Provider: The name of this CSP has been changed to "Intel IPT CSP – Non-Exportable Keys". The functionality of the CSP has not changed.

I think that certificate import should be allowed; if not, it is a bug.

Hi, could you send me your email in a private message? I need to connect you to our folks who can help you.

Gael

Quote:

Gael Hofemeier (Intel) wrote:

Hi, could you send me your email in a private message? I need to connect you to our folks who can help you.

Gael

Hello,

I have not received any message from your folks.

Did you receive my message? If not, my email address is kiyoung.kky at gmail.com.

I do not have much time; I have to answer my customers, the manufacturers.

Would you let me know what is going on inside the team?

Thank you,

Kiyoung
