CryptoAPI Keycontainer and UniqueKeyContainer Files

UniqueKeyContainer.cs is a simple .NET utility which manually derives the CryptoAPI CSP unique key container name from the keycontainer name. In W2k and WinXP, many of the Microsoft CSPs maintain keypairs as encrypted (protected by DPAPI) files with the filename specified as the unique key container name. For example, for RSA keypairs, the keypair files might be stored in:

     C:\Documents and Settings\<userid>\Application Data\Microsoft\Crypto\RSA\<SID>
The names of the encrypted files containing the key pairs are derived from the MD5 hash of the CryptoAPI "keycontainer" name concatenated with the MachineGuid registry value stored at:

In detail, the keycontainer name is converted to lower case, a null byte is appended, and the resulting ASCII byte[] is hashed with MD5. The resulting 16-byte hash is then read as four DWORD values and hex-encoded (since multi-byte values are read in little-endian order, this simply reverses the hex-encoded bytes within each 4-byte group). Finally, the MachineGuid value is read from the registry and appended after an underscore separator. For example:

   keycontainer        :   MyCoolContainer
   MD5 hash (hex bytes):   7641ab524cd7a921f1e0e3730a4e37bc
   MD5 as 4 DWORDS  hex:   52ab417621a9d74c73e3e0f1bc374e0a
   UniqueKeyContainer  :   52ab417621a9d74c73e3e0f1bc374e0a_<machineGuidfromregistry>
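The derivation above, reproduced as an added Python example (not the UniqueKeyContainer.cs utility itself). The DWORD byte-swap is the step most people get wrong, so it is a separate function that can be checked against the page's hex values; the registry lookup is a small optional helper that assumes the MachineGuid value lives under `HKLM\SOFTWARE\Microsoft\Cryptography` (an assumption about Windows, not something stated on this page), and the GUID used in the demo is a constructed placeholder.

```python
import hashlib
import struct
import sys


def dword_swap_hex(digest: bytes) -> str:
    """Read a 16-byte MD5 digest as four little-endian DWORDs and hex-encode them.

    Reading each 4-byte group little-endian and printing it as an 8-digit hex
    number reverses the byte order within the group, which is exactly the
    transformation the CSP applies to the hash.
    """
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    dwords = struct.unpack("<4I", digest)  # "<" = little-endian, "I" = 32-bit unsigned
    return "".join(f"{d:08x}" for d in dwords)


def container_hash_hex(container_name: str) -> str:
    """Lower-case the container name, append a NUL byte, MD5 it, then DWORD-swap."""
    data = container_name.lower().encode("ascii") + b"\x00"
    return dword_swap_hex(hashlib.md5(data).digest())


def unique_container_name(container_name: str, machine_guid: str) -> str:
    """Assemble the on-disk file name: <swapped md5 hex>_<MachineGuid>."""
    return f"{container_hash_hex(container_name)}_{machine_guid}"


def read_machine_guid() -> str:
    """Read MachineGuid from the registry (Windows only).

    Assumed location: HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid.
    Raises RuntimeError off-Windows so callers can fall back to a known value.
    """
    if sys.platform != "win32":
        raise RuntimeError("MachineGuid can only be read from the Windows registry")
    import winreg  # only importable on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        value, _type = winreg.QueryValueEx(key, "MachineGuid")
    return str(value)


if __name__ == "__main__":
    # Constructed placeholder GUID; on a real machine use read_machine_guid().
    guid = "00000000-0000-0000-0000-000000000000"
    name = "MyCoolContainer"
    print("keycontainer       :", name)
    print("DWORD-swapped MD5  :", container_hash_hex(name))
    print("UniqueKeyContainer :", unique_container_name(name, guid))
```

Running the script prints the three lines in the same layout as the table above; the swapped hash for "MyCoolContainer" can be compared directly against the page's value. For forensic or incident-response work the same mapping lets you tie a container name from application configuration back to the specific DPAPI-protected file under the user's Crypto\RSA\<SID> directory, but the caveat below still applies: this layout is an implementation detail, so prefer the documented API when the machine is available.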

Note that these details of keycontainer files are platform dependent and may change. Therefore developers should not rely on these specific implementation details. If available, it is best to use API functions to access keycontainer name information.

For example, the unique key container name can also be obtained from CryptoAPI CryptGetProvParam() using dwParam = PP_UNIQUE_CONTAINER.
CAPICOM also exposes the same unique key container name through PrivateKey.UniqueContainerName.

Michel I. Gallant