Microsoft KB Archive/841715

= You cannot decrypt data on Windows XP SP1 or later versions =

Article ID: 841715

Article Last Modified on 5/18/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows NT 4.0 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-





SUMMARY
''When you try to decrypt data on a computer that is running the Microsoft Windows XP operating system, and the data was encrypted by using the RC2 algorithm on a computer that is running Microsoft Windows 2000, you may not be able to decrypt the data successfully.

To be able to decrypt the data successfully, you must make an explicit call to the CryptSetKeyParam function. The CryptSetKeyParam function is defined in the Advapi32.dll file to adjust the key length for the RC2 algorithm explicitly.

This article contains the links to download the sample code for both the encryption program and the decryption program. It also contains information about how the problem can be reproduced.''



SYMPTOMS
If data has been encrypted on a computer that is running Windows 2000, you may not be able to decrypt the data on a computer that is running Window XP and that has Window XP Service Pack 1 (SP1) installed.



CAUSE
The encryption program and the decryption program use the Microsoft Enhanced Cryptographic Service Provider V1.0 as the Cryptographic Service Provider (CSP). This behavior occurs because a change has been implemented in the RC2 cipher text algorithm.

In the earlier implementation of the CryptSetKeyParam function in the version of Microsoft Enhanced Cryptographic Provider that is included with Windows 2000, the RC2 session keys are 128 bits long. However, the effective key length that is used to expand keys in the key table is 40 bits. This is the default behavior.

For security reasons, Microsoft changed this default behavior beginning with the version of Microsoft Enhanced Cryptographic Provider that is included with Microsoft Windows XP SP1. By default, the effective key length is now 128 bits for a 128-bit session key in the RC2 algorithm.



WORKAROUND
To work around this behavior, you must make an explicit call to the CryptSetKeyParam function in your program to set the correct session key length.

For more information, and for instructions to download and to run the sample encryption program and the sample decryption program, see the &quot;More information&quot; section.



STATUS
This behavior is by design.



Sample programs
In the following downloadable DecryptSample program, the CryptSetKeyParam function is called to set the effective key length to 40 bits.

The following files are available for download from the Microsoft Download Center:

Download the EncryptSample package now.

Download the DecryptSample package now.

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Instructions to run the EncryptSample program

 * 1) On your computer that is running Microsoft Windows 2000, download the Encrypt.exe file. Save the file to the C folder.
 * 2) Unzip the file to the C:\EncryptSample folder.
 * 3) Locate the C:\EncryptSample\EncryptInVB6 folder, and then double-click the EncryptGroup.vbg file. The EncryptGroup project group opens in Microsoft Visual Basic 6.0.
 * 4) On the Run menu, click Start With Full Compile. A Windows Form that is named Form1 opens. This form is the user interface (UI) of the EncryptSample program.
 * 5) In the Enter full path\filename for a file to encrypt box, type C:\EncryptSample\input.txt, and then press TAB. The name of the file where the encrypted string will be stored appears in the Name and location of encrypted file box.

Note The path of the encrypted file appears as c:\CryptographySample\input.enc.
 * 1) Click Encrypt. The Encrypt Files message box appears.
 * 2) Click OK.
 * 3) Click Exit to quit the program. The program puts the encrypted string in the C:\EncryptSample\Input.enc file.
 * 4) Copy the C:\EncryptSample\Input.enc file to the C:\DecryptSample folder on your computer that is running Windows XP SP1.

Note If the C:\DecryptSample folder does not exist on your computer, create this folder, and then copy the C:\EncryptSample\Input.enc file to it.

Instructions to run the DecryptSample program

 * 1) On your computer that is running Microsoft Windows XP SP1, download the Decrypt.exe file. Save the file to the C folder.
 * 2) Unzip the file to the C:\DecryptSample folder.
 * 3) Locate the C:\DecryptSample\DecryptInVB6 folder, and then double-click the DecryptGroup.vbg file. The DecryptGroup project group opens in Visual Basic 6.0.
 * 4) On the Run menu, click Start With Full Compile. A Windows Form that is named Form1 opens. This form is the UI of the DecryptSample program.
 * 5) In the Enter full path\filename for a file to decrypt box, type C:\DecryptSample\input.enc, and then press TAB. The name of the file where the decrypted data will be stored appears in the Name and location of decrypted file box.

Note The path of the decrypted file appears as c:\DecryptSample\input.dec.
 * 1) Click Decrypt. The Decrypt Files message box appears.
 * 2) Click OK.
 * 3) Click Exit to quit the program. The program puts the decrypted data in the C:\DecryptSample\Input.dec file.

Steps to reproduce the behavior
To reproduce this behavior, comment the following lines of code in the CryptoDecrypt method of the clsCryptoAPI.cls class of the CryptWrap.vbp project in the DecryptGroup.vbg program group.

Note The DecryptGroup.vbg is the same program group that is described in the &quot;Instructions to run the DecryptSample program&quot; section. If Not CBool(CryptSetKeyParam(lngkey, ByVal KP_EFFECTIVE_KEYLEN, _ lngKeyLen, ByVal 0)) Then

MsgBox &quot;Error: &quot; & CStr(GetLastError) & &quot; during CryptSetKeyParam!&quot;, _ vbExclamation Or vbOKOnly, &quot;Encryption Errors&quot; GoTo CleanUp End If After you had commented the code, run the DecryptSample program to decrypt the file that you encrypted in the &quot;Instructions to run the EncryptSample program&quot; section.

You may not experience this behavior when you create an encryption program or a decryption program in Microsoft Visual Studio .NET by using the Microsoft Enhanced Cryptographic Service Provider. The Microsoft .NET Framework handles this difference in key length internally by changing the key length depending on the operating system. Therefore, this difference in key length becomes transparent when you are developing encryption programs and decryption programs in Visual Studio .NET.

