An excerpt from Microsoft Knowledge Base Article Q228786:

-- Snip --

Sometimes it is convenient to export/import plain text session keys. However, the Microsoft Cryptographic Providers (Base and Enhanced) do not support this feature, for which both CryptExportKey() and CryptImportKey() require a valid key handle to encrypt and decrypt the session key, respectively. But, by using an "exponent-of-one" private key the same effect can be achieved to "encrypt" and "decrypt" the session key. Since the exponent of the key is one, both the encryption and decryption do nothing to the plain text, and thus essentially leave the session key unencrypted. Sample code below illustrates how to implement this feature:

-- Snip --

I don't know what's more scary, the fact that their CSP will accept an obviously invalid RSA key, or that they have an article telling you how to bypass the CSP's (ahem) "security". I love the creative way that "gaping security hole" has been redefined as "feature" too :-).

Peter.
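An added example (mine, not from the post or from Microsoft's sample code) showing why an exponent-of-one key turns the RSA operation into the identity, so the "wrapped" session key is the plaintext, next to the public-exponent sanity check a key-import routine would need to reject such a key. The primes, exponents and session-key value are constructed toy values.

```python
"""Exponent-of-one RSA keys versus a key-import sanity check.
Added example; primes below are tiny constructed values, not real key sizes."""
from math import gcd

# Constructed toy modulus; real RSA uses primes of 1024 bits or more.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)


def rsa_apply(m: int, exp: int, n: int) -> int:
    """Textbook RSA operation m^exp mod n (no padding; illustration only)."""
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def wrap_unwrap(session_key: int, e: int, d: int, n: int) -> tuple:
    """Return (wrapped, unwrapped) for a session key under exponents e and d."""
    wrapped = rsa_apply(session_key, e, n)
    return wrapped, rsa_apply(wrapped, d, n)


def public_exponent_is_sane(e: int, p: int, q: int) -> bool:
    """Check an import routine should make before accepting an RSA key:
    e must be at least 3, odd, and coprime to phi(n). With e == 1 the RSA
    operation is the identity, so "encrypting" a session key leaves it
    in the clear."""
    phi = (p - 1) * (q - 1)
    return e >= 3 and e % 2 == 1 and gcd(e, phi) == 1


def demo() -> dict:
    key = 0xC0FFEE  # constructed "session key" value, smaller than N
    # exponent-of-one key: e = d = 1, both operations are the identity
    w1, u1 = wrap_unwrap(key, 1, 1, N)
    # an ordinary key: e = 65537, d = e^-1 mod phi(n)
    e = 65537
    d = pow(e, -1, PHI)
    w2, u2 = wrap_unwrap(key, e, d, N)
    return {
        "exp1_wrapped_equals_plaintext": w1 == key and u1 == key,
        "normal_wrapped_hides_plaintext": w2 != key and u2 == key,
        "exp1_rejected": not public_exponent_is_sane(1, P, Q),
        "normal_accepted": public_exponent_is_sane(e, P, Q),
    }
```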
