Microsoft KB Archive/331367

= PRB: Cannot Decrypt Data Using Data Encryption Standard (DES) Key Across Windows Platforms =

Article ID: 331367

Article Last Modified on 1/5/2007

== APPLIES TO ==

* Microsoft Win32 Application Programming Interface, when used with:
** Microsoft Windows NT 4.0
** Microsoft Windows 2000 Standard Edition
** Microsoft Windows XP Professional
** Microsoft Windows Server 2003, Standard Edition (32-bit x86)


This article was previously published under Q331367

== SYMPTOMS ==

Data that is encrypted using a Data Encryption Standard (DES) key in Microsoft Windows XP or later versions cannot be decrypted in pre-Windows XP operating systems (such as Microsoft Windows 2000 or Windows NT 4.0).

Likewise, data that is encrypted using a DES key in these earlier versions of Windows cannot be decrypted in Windows XP or later.

== CAUSE ==

In Windows XP and later versions, the DES algorithm implementation always uses the full key length, regardless of the key length specified by the application.

The key length is specified in the upper 16 bits of the dwFlags parameter in the CryptDeriveKey function or the CryptGenKey function calls.

== RESOLUTION ==

=== Microsoft Windows XP and Later Versions ===

In Windows XP and later versions, the DES session key always uses the full key length as follows:

<pre class="fixed_text">CALG_DES      - 64 bits
CALG_3DES_112 - 128 bits
CALG_3DES     - 192 bits</pre>

=== Versions Earlier than Windows XP ===

On platforms earlier than Windows XP (Microsoft Windows 2000, Windows NT 4.0, Windows 95, Windows 98, and Windows Millennium Edition), if the application does not specify a key length in the upper 16 bits of dwFlags, the DES session key size is as follows:

<pre class="fixed_text">CALG_DES      - 64 bits
CALG_3DES_112 - 128 bits
CALG_3DES     - 192 bits</pre>

On platforms earlier than Windows XP, CryptDeriveKey and CryptGenKey calls accept the following key sizes without parity bits for DES algorithms:

<pre class="fixed_text">CALG_DES      - 64 - 8 bits (Parity)   = 56 bits
CALG_3DES_112 - 128 - 16 bits (Parity) = 112 bits
CALG_3DES     - 192 - 24 bits (Parity) = 168 bits</pre>

If the application specifies one of these key sizes without the parity bits in the upper 16 bits of dwFlags, decryption does not succeed between Windows XP and pre-Windows XP operating systems. Specifically, CryptDecrypt does not succeed and generates the 0x80090005 (NTE_BAD_DATA) error.

To encrypt and decrypt across Windows platforms, explicitly specify the key size that corresponds to the Windows XP implementation in either the CryptDeriveKey function or the CryptGenKey function (or in both functions). You can specify the Windows XP key sizes for DES algorithms if you have the high encryption pack installed on the earlier versions of the operating system.
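The following added example (not part of the original article and not Microsoft code) shows how the key length sits in the upper 16 bits of dwFlags and how a caller's value can be checked and rewritten to the full, parity-inclusive size before it is passed to CryptDeriveKey or CryptGenKey. The helper names are hypothetical, the ALG_ID values are repeated from wincrypt.h so the code builds without the Windows SDK, and no CryptoAPI function is called.

```c
#include <stdint.h>
#include <stdio.h>

/* ALG_ID values as defined in wincrypt.h; repeated here so this builds anywhere. */
#ifndef CALG_DES
#define CALG_DES      0x6601u
#define CALG_3DES     0x6603u
#define CALG_3DES_112 0x6609u
#endif

enum keylen_status { KEYLEN_DEFAULT, KEYLEN_FULL, KEYLEN_NO_PARITY, KEYLEN_OTHER };

/* Full key length in bits (parity included), or 0 if algid is not a DES variant. */
static uint32_t des_full_bits(uint32_t algid) {
    switch (algid) {
    case CALG_DES:      return 64;
    case CALG_3DES_112: return 128;
    case CALG_3DES:     return 192;
    default:            return 0;
    }
}

/* Classify the key length requested in the upper 16 bits of dwFlags. */
static enum keylen_status classify_dwflags(uint32_t algid, uint32_t dwFlags) {
    uint32_t full = des_full_bits(algid);
    uint32_t requested = dwFlags >> 16;
    if (full == 0) return KEYLEN_OTHER;            /* not a DES algorithm */
    if (requested == 0) return KEYLEN_DEFAULT;     /* default size, works everywhere */
    if (requested == full) return KEYLEN_FULL;     /* matches Windows XP behaviour */
    if (requested == full - full / 8) return KEYLEN_NO_PARITY; /* 56, 112 or 168 */
    return KEYLEN_OTHER;
}

/* Rewrite dwFlags so the length field carries the full (Windows XP) size.
   The low 16 bits, which hold the ordinary flags, are preserved. */
static uint32_t portable_dwflags(uint32_t algid, uint32_t dwFlags) {
    uint32_t full = des_full_bits(algid);
    return full ? ((full << 16) | (dwFlags & 0xFFFFu)) : dwFlags;
}

int main(void) {
    /* Constructed sample: 56-bit length request with flag bit 0x1 set. */
    uint32_t bad = (56u << 16) | 0x1u;
    printf("status=%d\n", (int)classify_dwflags(CALG_DES, bad));
    printf("portable dwFlags=0x%08X\n", (unsigned)portable_dwflags(CALG_DES, bad));
    return 0;
}
```

A result of KEYLEN_NO_PARITY marks the call that produces NTE_BAD_DATA when the ciphertext crosses between Windows XP and an earlier platform.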

== STATUS ==

This behavior is by design.

== MORE INFORMATION ==

Encryption and decryption for the DES family of algorithms work correctly across Windows platforms if the application uses the default key size (that is, if the application does not specify a key length in the upper 16 bits of the dwFlags parameter in CryptGenKey or CryptDeriveKey calls).

Keywords: kbapi kbcrypt kbkernbase kbpending kbprb kbsecurity KB331367


© Microsoft Corporation. All rights reserved.