小 (→Sample Form) |
|||
(未显示同一用户的2个中间版本) | |||
第247行: | 第247行: | ||
== API Calls == | == API Calls == | ||
+ | <pre> | ||
+ | CryptImportKey(blob) | ||
+ | CryptEncrypt(NULL, 8) -> 128 (128 bytes required) | ||
+ | CryptEncrypt(password, 8) -> encrypted pw | ||
+ | encrypted pw: | ||
+ | 0x03310BD0 D3 5F 47 03 22 A3 0D FA 0C DC 3D BE 06 43 E8 06 ._G.".....=..C.. | ||
+ | 0x03310BE0 AF 4D E3 85 80 04 6F 38 46 80 AC F7 E5 79 23 6C .M....o8F....y#l | ||
+ | 0x03310BF0 87 E0 D9 81 2B E7 EC 2B AE B7 BB 19 9B A4 13 68 ....+..+.......h | ||
+ | 0x03310C00 E9 2B B3 64 80 DE E4 66 66 10 BF D5 56 2A 4E BC .+.d...ff...V*N. | ||
+ | 0x03310C10 56 E4 47 66 7E 16 D7 DB 66 B7 05 43 BC AF D6 95 V.Gf~...f..C.... | ||
+ | 0x03310C20 AA AD 37 31 0D DE E7 37 7E 71 D2 43 CE 65 1B EB ..71...7~q.C.e.. | ||
+ | 0x03310C30 A4 03 03 D7 77 C7 7B A7 41 EA 51 B4 65 70 AD 08 ....w.{.A.Q.ep.. | ||
+ | 0x03310C40 63 B3 63 21 84 05 37 F8 6D 2E 74 3C 1A 6A E0 C8 c.c!..7.m.t<.j.. | ||
+ | |||
+ | 0x03332BA0 EC 3D A5 ED 3E B1 D7 59 60 9D 36 BA AC CB 22 EA .=..>..Y`.6...". | ||
+ | 0x03332BB0 87 15 9A BB 73 D4 39 82 DB 07 3D 66 E7 28 E5 BF ....s.9...=f.(.. | ||
+ | 0x03332BC0 6B 2E 0F C9 5E 23 9D 34 DC D2 D7 F3 99 20 A5 1E k...^#.4..... .. | ||
+ | 0x03332BD0 56 41 97 F9 38 94 60 A4 7B 36 90 CF 78 99 EA 87 VA..8.`.{6..x... | ||
+ | 0x03332BE0 4F 7E 3E 61 68 D8 C4 8E FD ED D3 DF FD 82 38 A1 O~>ah.........8. | ||
+ | 0x03332BF0 0B 18 29 14 41 D6 FC C5 3C 3B 6A D1 61 97 17 57 ..).A...<;j.a..W | ||
+ | 0x03332C00 E2 D2 F9 0E 11 57 4A AB 16 60 0F 3C 2D 4F DD 07 .....WJ..`.<-O.. | ||
+ | 0x03332C10 2B 57 5A 49 3C D2 F4 DF F8 A0 E1 2D 4A DB BF 25 +WZI<......-J..% | ||
+ | CryptGenRandom(10) -> random | ||
+ | random: | ||
+ | 00000000 c8 a4 67 20 dc ef ad ef 6b 79 |..g ....ky| | ||
+ | 00000000 d1 f9 3e 73 dc c6 ec f6 47 60 |..>s....G`| | ||
+ | CryptCreateHash(MD5) | ||
+ | CryptHashData(key1, 21) | ||
+ | key1: "csii_powerenter_jason" | ||
+ | 0x035092F8 63 73 69 69 5F 70 6F 77 65 72 65 6E 74 65 72 5F csii_powerenter_ | ||
+ | 0x03509308 6A 61 73 6F 6E jason | ||
+ | CryptDeriveKey(RC4, key1) -> dkey1 | ||
+ | |||
+ | CryptEncrypt(dkey1, key2, 16) -> encrypted key2 | ||
+ | key2: = base64(random) | ||
+ | 0x009AAC78 79 4B 52 6E 49 4E 7A 76 72 65 39 72 65 51 3D 3D yKRnINzvre9reQ== | ||
+ | 0x0330FD70 30 66 6B 2B 63 39 7A 47 37 50 5A 48 59 41 3D 3D 0fk+c9zG7PZHYA== | ||
+ | |||
+ | encrypted key2: = RC4_encrypt(MD5("csii_powerenter_jason"), base64(random)) | ||
+ | 0x009AAC78 D2 5B D6 88 DA F1 04 C6 97 0B 46 48 5F 07 84 D6 .[........FH_... | ||
+ | 0x0330FD70 9B 76 EF CD F0 86 04 F7 D2 3E 25 72 63 17 84 D6 .v.......>%rc... | ||
+ | |||
+ | CryptHashData(key1, 21) | ||
+ | CryptDeriveKey(RC4, key1) -> dkey1 | ||
+ | CryptDecrypt(dkey1, sth, 16) -> decrypted sth | ||
+ | sth: = encrypted key2 | ||
+ | 0x03309EC8 EE 42 D4 D1 D5 C5 4D DC 91 3E 4E 70 58 31 84 D6 .B....M..>NpX1.. | ||
+ | decrypted sth: = base64(random) = key2 | ||
+ | 0x03309EC8 45 52 50 37 46 7A 33 6C 74 50 31 4A 62 67 3D 3D ERP7Fz3ltP1Jbg== | ||
+ | |||
+ | submit pw: = base64(reverse(encrypted pw)) | ||
+ | Jb/bSi3hoPjf9NI8SVpXKwfdTy08D2AWq0pXEQ750uJXF5dh0Wo7PMX81kEUKRgLoTiC/d/T7f2OxNhoYT5+T4fqmXjPkDZ7pGCUOPmXQVYepSCZ89fS3DSdI17JDy5rv+Uo52Y9B9uCOdRzu5oVh+oiy6y6Np1gWdexPu2lPew= | ||
+ | 00000000 25 bf db 4a 2d e1 a0 f8 df f4 d2 3c 49 5a 57 2b |%..J-......<IZW+| | ||
+ | 00000010 07 dd 4f 2d 3c 0f 60 16 ab 4a 57 11 0e f9 d2 e2 |..O-<.`..JW.....| | ||
+ | 00000020 57 17 97 61 d1 6a 3b 3c c5 fc d6 41 14 29 18 0b |W..a.j;<...A.)..| | ||
+ | 00000030 a1 38 82 fd df d3 ed fd 8e c4 d8 68 61 3e 7e 4f |.8.........ha>~O| | ||
+ | 00000040 87 ea 99 78 cf 90 36 7b a4 60 94 38 f9 97 41 56 |...x..6{.`.8..AV| | ||
+ | 00000050 1e a5 20 99 f3 d7 d2 dc 34 9d 23 5e c9 0f 2e 6b |.. .....4.#^...k| | ||
+ | 00000060 bf e5 28 e7 66 3d 07 db 82 39 d4 73 bb 9a 15 87 |..(.f=...9.s....| | ||
+ | 00000070 ea 22 cb ac ba 36 9d 60 59 d7 b1 3e ed a5 3d ec |."...6.`Y..>..=.| | ||
+ | 00000080 | ||
+ | |||
+ | ran: 75915681 | ||
+ | token: k1ssjcn1 | ||
+ | |||
+ | |||
+ | </pre> | ||
+ | |||
+ | == Conclusion == | ||
+ | submit pw = base64(reverse(encrypted pw)) | ||
+ | pw encrypted by the public key in blob through CryptEncrypt() | ||
+ | random not used. |
2014年6月20日 (五) 08:59的最新版本
Objects
- cebiesign
<object id="cebiesign" name="cebiesign" classid="clsid:f3e92562-1b4d-4bfa-b2d4-e9bcabe3b5a8" codebase="js/cebiesign.ocx#version=2,0,0,4" border="0"> </object>
- powercommit
<object id="powercommit" codebase="js/PowerEnter.CAB#version=1,0,0,72" classid="clsid:BEEE2807-1709-4184-A05D-1B2DE01EE4CF" style="width:0px;height:0px" height="0" width="0"> <param name="width" value="0"> <param name="height" value="0"> <param name="frameName" value="mainFrame"> </object>
- powerpassword
<object id="powerpassword" codebase="js/PowerEnter.CAB#version=1,0,0,72" classid="clsid:614E58F9-74D0-4D7B-90E3-64A0F2AA73B4" style="width:186pxpx;height:23pxpx" height="23px" width="186px"> <param name="width" value="186px"> <param name="height" value="23px"> <param name="maxLength" value="20"> <param name="minLength" value="0"> <param name="maskChar" value="*"> <param name="backColor" value="#FFFFFF"> <param name="textColor" value="#000000"> <param name="borderColor" value="#7f9db9"> <param name="accepts" value="*"> <param name="msgBox" value="false"> <param name="fieldName" value="Password"> </object>
Commit Code
// Base64-encoded key blob that doLogin() passes to the password control through
// publicKeyBlob(). Its leading bytes decode to
//   06 02 00 00 | 00 A4 00 00 | "RSA1" | 00 04 00 00 | 01 00 01 00
// which is a CryptoAPI PUBLICKEYBLOB header for CALG_RSA_KEYX with a 1024-bit
// modulus and public exponent 65537. This agrees with the 128-byte CryptEncrypt
// output size recorded in the "API Calls" trace on this page.
// NOTE(review): a 1024-bit RSA key is below current minimum key-size guidance.
var blob ="BgIAAACkAABSU0ExAAQAAAEAAQAfFsbhRXwKJMLpsGExRSNaUxLZhaHvMp9ZJEgO2sa30lj6jc2BkNrF/35TKQuLphYVYwDLADdbRj23ChSzVWVmQwAs9CXrqR3tcYavKGsRBEeHEFctULIt6QFn/1Gz6F11k61K8G9yMXy9AGgN+pHum2X3EODpRJBFH9/w1VC+1w==";
/**
 * Click handler of the login image (onclick="doLogin();" in the form): updates
 * the hidden `ran` field, then drives the two PowerEnter ActiveX objects that
 * fill in and post form1.
 *
 * What the controls do internally is not visible in this script. The
 * "API Calls" trace on this page records CryptImportKey(blob) followed by
 * CryptEncrypt on the password, and its Conclusion gives the submitted
 * Password field as base64(reverse(encrypted pw)).
 */
function doLogin() {
// "<random value>" is a placeholder used in this write-up; presumably the live
// page carries a server-issued number here (the form's hidden `ran` input
// holds one) - confirm against a fresh capture.
var ran = "<random value>";
if(ran != null && ran !="") {
// parseFloat converts the string to a number, so any leading zero is lost
// before 1 is added; the numeric result is written back to the hidden field.
var random = parseFloat(ran)+1;
document.form1.ran.value = random;
} else {
// No value available: the field is set to 0.
document.form1.ran.value = 0;
}
var powercommit = document.getElementById("powercommit");
var powerpassword = document.getElementById("powerpassword");
// Call order matters here: reset the commit control, give the password control
// the public key blob, have it commit into "powercommit", then submit form1
// through the commit control.
// NOTE(review): the meaning of each method is inferred from its name and from
// the API trace on this page - confirm against the control itself. Whether the
// server ties the Password value to `ran` or `_tokenName` cannot be determined
// from this script.
powercommit.reset();
powerpassword.publicKeyBlob(blob);
powerpassword.commit("powercommit");
powercommit.submit("form1");
}
Form Params
<form name="form1" action="perlogin1.do" method="post">
<input type="hidden" name="_viewReferer" value="login/login01" />
<input type="hidden" name="_locale" value="zh_CN" />
<input type="hidden" name="version" value="20140529" />
<input type="hidden" name="Password" />
<input type="hidden" name="ran" value="063319703" />
<input type="hidden" name="TransName" value="" />
<input type="hidden" name="Plain" value="" />
<input type="hidden" name="Signature" value="" />
<input type="hidden" name="MerName" value="" />
<input type="hidden" name="TransType" value="" />
<input type="hidden" name="OperationNo" value="" />
<input type="hidden" name="MerDCFlag" value="" />
<input type="hidden" name="checkloginflag" value="" />
<input type="hidden" name="_tokenName" value="1jjihb5u" />
<div class="box">
<!--头部-->
<div class=" head"><table cellpadding="0" cellspacing="0" border="0" style="margin:10px 0;"><tr><td align="left" ><img src="images/public/login_2.gif" /></td>
</tr>
</table>
</div>
<!--头部结束-->
<!--内容-->
<div class="content">
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td class="conback" valign="top" >
</td>
<td class="conback2" valign="top" align="center">
<!--登录区-->
<table cellpadding="0" cellspacing="0" border="0" class="login" width="433">
<tr><td valign="top" class="title line01" align="left"><img src="images/public/yhdl.gif" width="120" height="22" />
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1" id="flash" align="middle">
<param name="allowScriptAccess" value="sameDomain"/>
<param name="movie" value="/per/bharosa_web/flash/bharosa.swf"/>
<param name="quality" value="low"/>
<param name="bgcolor" value="#ffffff"/>
<param name=FlashVars value="dcUrl=/dc?s=true&"/>
<embed src="/per/bharosa_web/flash/bharosa.swf" quality="low" bgcolor="#ffffff" FlashVars="dcUrl=/dc?s=true&" width="1" height="1"name="flash" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash"/>
</object>
</td></tr>
<tr><td height="35" align="center">
</td></tr>
<tr><td align="left">
<table cellpadding="0" cellspacing="3" border="0" width="100%">
<tr>
<td class="size01 txt02" align="right" width="120">登录名或账号: </td>
<td align="left" height="32" width="190"><input name="LoginName" id="skey" value="" class="input_out3"
onfocus="this.className='input_on3';this.onmouseout=''" onblur="this.className='input_off3';this.onmouseout=function(){this.className='input_out3'};" type="text" size="16" /></td>
<td width="100"> </td>
</tr>
<tr>
<td class="size01 txt02" align="right" width="120">登录密码:<img src="images/public/wen.gif" alt="请输入您设置的8~14位网银登录密码"/></td>
<td align="left" height="32">
<script type="text/javascript">writePassObject("powerpassword",{"fieldName":"Password","maxLength":"20","minLength":"0","width":"186px","height":"23px","msgBox":"false","maskChar":"*","borderColor":"#7f9db9"});</script>
</td>
<td align="left">
<a href="####" class="txt_line txt07" onclick="MM_openBrWindow('pwdHelp.do','个人网上银行常见问题解答','width=640,height=420')">密码输入帮助</a>
<img id="image1" src="tokenImage.xx?_timesShowToken=2&ran=063319703" style="display:none"/>
</td>
</tr>
<tr><td colspan="3" height="10"></td></tr>
<tr><td colspan="3" align="center">
<img src="images/public/denglu_1.gif" onclick="doLogin();" style="cursor: hand"/>
</td></tr>
</table>
</td></tr>
<tr><td height="23"></td></tr>
<tr><td class="txt08" align="center"><a href="FP320501.do" class="txt07 txt_line">找回登录名</a> | <a href="FP320301.do" class="txt07 txt_line">忘记登录密码</a> | <a href="FP990101.do?ident=gr&idper=ds" class="txt07 txt_line">我要开通网银</a> </td></tr>
</table>
<!--登录区结束-->
</td>
</tr>
</table>
</form>
Sample Form
- username = 11111111
- password = 22222222
<entry method="POST" url="https://www.cebbank.com/per/perlogin1.do">
<timestart>2014-06-19T06:00:43.594Z</timestart>
<timeend>2014-06-19T06:00:44.064Z</timeend>
<duration>0.470 s</duration>
<processname>C:\Program Files\Internet Explorer\iexplore.exe</processname>
<result>200 OK</result>
<size>0</size>
<stage>REQUEST_CLOSE</stage>
<mimetype>text/html</mimetype>
<redirecturl/>
<requestCamefromCache>False</requestCamefromCache>
<responseCamefromCache>False</responseCamefromCache>
<requestobjectname>/per/perlogin1.do</requestobjectname>
<winet_sr_result>True</winet_sr_result>
<winet_sr_errormessage/>
<bodySize>9333</bodySize>
<Web_PageID>0</Web_PageID>
<PageTitle/>
<Socket_SendSize>0</Socket_SendSize>
<Socket_RecvSize>0</Socket_RecvSize>
<Starred>False</Starred>
<Comment/>
<headers>
<requestheaders>
<header>POST /per/perlogin1.do HTTP/1.1</header>
<header>Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*</header>
<header>Referer: https://www.cebbank.com/per/prePerlogin.do?_locale=zh_CN</header>
<header>Accept-Language: en-us</header>
<header>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)</header>
<header>Content-Type: application/x-www-form-urlencoded</header>
<header>Accept-Encoding: gzip, deflate</header>
<header>Host: www.cebbank.com</header>
<header>Connection: Keep-Alive</header>
<header>Cache-Control: no-cache</header>
<header>Cookie: WT_FPC=id=2b3fd12fcdda9131eb91403212946597:lv=1403212951284:ss=1403212946597; cebmemberbranchcode=3550; cebmemberbranchname=%u5317%u4EAC%u5206%u884C; PERJSESSIONID=t6m9Tv0cW5s9jN7JhXFLBhvsbwnG9h4gLn0pyqKgDp97tnNPxdpC!-2124310495; BIGipServerpool_eb_8005=2366482624.17695.0000</header>
<header>Content-Length: 388</header>
</requestheaders>
<responseheaders>
<header>HTTP/1.1 200 OK</header>
<header>Server: Sun-Java-System-Web-Server/7.0</header>
<header>Date: Thu, 19 Jun 2014 10:01:06 GMT</header>
<header>Cache-Control: no-cache</header>
<header>Date: Thu, 19 Jun 2014 09:59:58 GMT</header>
<header>Pragma: No-cache</header>
<header>Content-type: text/html; charset=gbk</header>
<header>Expires: Thu, 01 Jan 1970 00:00:00 GMT</header>
<header>Content-Language: zh-CN</header>
<header>X-Powered-By: Servlet/2.5 JSP/2.1</header>
<header>Connection: Keep-alive</header>
<header>Via: 1.1 AN-0001544151441131</header>
<header>Content-Length: 9333</header>
</responseheaders>
</headers>
<content>
<contentLength>9333</contentLength>
<mimetype>text/html</mimetype>
</content>
<cookies>
<sent>
<cookie name=" WT_FPC">id=2b3fd12fcdda9131eb91403212946597:lv=1403212951284:ss=1403212946597</cookie>
<cookie name=" cebmemberbranchcode">3550</cookie>
<cookie name=" cebmemberbranchname">北京分行</cookie>
<cookie name=" PERJSESSIONID">t6m9Tv0cW5s9jN7JhXFLBhvsbwnG9h4gLn0pyqKgDp97tnNPxdpC!-2124310495</cookie>
<cookie name=" BIGipServerpool_eb_8005">2366482624.17695.0000</cookie>
</sent>
<received/>
</cookies>
<cache>
<BeforeRequest>
<UrlInCache>False</UrlInCache>
</BeforeRequest>
<AfterRequest>
<UrlInCache>False</UrlInCache>
</AfterRequest>
</cache>
<QueryString/>
<PostData>
<mimetype>application/x-www-form-urlencoded</mimetype>
<size>388</size>
<params>
<param name="_viewReferer">login/login01</param>
<param name="_locale">zh_CN</param>
<param name="version">20140529</param>
<param name="Password">XQn0aqYKjJeFutYuXaooFuDF7cAU7jAYd4lpIff/qaZOd1gElxbw/ChRmY1mipjeUlpO0lO8FHO13VaeEyaQf54np25wFo6X2t0LlAKKpruupbDHEWas3pVuajAXsuUqsyqSeDqNlsXpckRWdFBopnzoKuggcgkaMLXsyJtGLU8=</param>
<param name="ran">55924190</param>
<param name="TransName"/>
<param name="Plain"/>
<param name="Signature"/>
<param name="MerName"/>
<param name="TransType"/>
<param name="OperationNo"/>
<param name="MerDCFlag"/>
<param name="checkloginflag"/>
<param name="_tokenName">z90qww5h</param>
<param name="LoginName">11111111</param>
</params>
</entry>
API Calls
CryptImportKey(blob)
CryptEncrypt(NULL, 8) -> 128 (128 bytes required)
CryptEncrypt(password, 8) -> encrypted pw
encrypted pw:
0x03310BD0 D3 5F 47 03 22 A3 0D FA 0C DC 3D BE 06 43 E8 06 ._G.".....=..C..
0x03310BE0 AF 4D E3 85 80 04 6F 38 46 80 AC F7 E5 79 23 6C .M....o8F....y#l
0x03310BF0 87 E0 D9 81 2B E7 EC 2B AE B7 BB 19 9B A4 13 68 ....+..+.......h
0x03310C00 E9 2B B3 64 80 DE E4 66 66 10 BF D5 56 2A 4E BC .+.d...ff...V*N.
0x03310C10 56 E4 47 66 7E 16 D7 DB 66 B7 05 43 BC AF D6 95 V.Gf~...f..C....
0x03310C20 AA AD 37 31 0D DE E7 37 7E 71 D2 43 CE 65 1B EB ..71...7~q.C.e..
0x03310C30 A4 03 03 D7 77 C7 7B A7 41 EA 51 B4 65 70 AD 08 ....w.{.A.Q.ep..
0x03310C40 63 B3 63 21 84 05 37 F8 6D 2E 74 3C 1A 6A E0 C8 c.c!..7.m.t<.j..

0x03332BA0 EC 3D A5 ED 3E B1 D7 59 60 9D 36 BA AC CB 22 EA .=..>..Y`.6...".
0x03332BB0 87 15 9A BB 73 D4 39 82 DB 07 3D 66 E7 28 E5 BF ....s.9...=f.(..
0x03332BC0 6B 2E 0F C9 5E 23 9D 34 DC D2 D7 F3 99 20 A5 1E k...^#.4..... ..
0x03332BD0 56 41 97 F9 38 94 60 A4 7B 36 90 CF 78 99 EA 87 VA..8.`.{6..x...
0x03332BE0 4F 7E 3E 61 68 D8 C4 8E FD ED D3 DF FD 82 38 A1 O~>ah.........8.
0x03332BF0 0B 18 29 14 41 D6 FC C5 3C 3B 6A D1 61 97 17 57 ..).A...<;j.a..W
0x03332C00 E2 D2 F9 0E 11 57 4A AB 16 60 0F 3C 2D 4F DD 07 .....WJ..`.<-O..
0x03332C10 2B 57 5A 49 3C D2 F4 DF F8 A0 E1 2D 4A DB BF 25 +WZI<......-J..%
CryptGenRandom(10) -> random
random:
00000000 c8 a4 67 20 dc ef ad ef 6b 79 |..g ....ky|
00000000 d1 f9 3e 73 dc c6 ec f6 47 60 |..>s....G`|
CryptCreateHash(MD5)
CryptHashData(key1, 21)
key1: "csii_powerenter_jason"
0x035092F8 63 73 69 69 5F 70 6F 77 65 72 65 6E 74 65 72 5F csii_powerenter_
0x03509308 6A 61 73 6F 6E jason
CryptDeriveKey(RC4, key1) -> dkey1

CryptEncrypt(dkey1, key2, 16) -> encrypted key2
key2: = base64(random)
0x009AAC78 79 4B 52 6E 49 4E 7A 76 72 65 39 72 65 51 3D 3D yKRnINzvre9reQ==
0x0330FD70 30 66 6B 2B 63 39 7A 47 37 50 5A 48 59 41 3D 3D 0fk+c9zG7PZHYA==

encrypted key2: = RC4_encrypt(MD5("csii_powerenter_jason"), base64(random))
0x009AAC78 D2 5B D6 88 DA F1 04 C6 97 0B 46 48 5F 07 84 D6 .[........FH_...
0x0330FD70 9B 76 EF CD F0 86 04 F7 D2 3E 25 72 63 17 84 D6 .v.......>%rc...

CryptHashData(key1, 21)
CryptDeriveKey(RC4, key1) -> dkey1
CryptDecrypt(dkey1, sth, 16) -> decrypted sth
sth: = encrypted key2
0x03309EC8 EE 42 D4 D1 D5 C5 4D DC 91 3E 4E 70 58 31 84 D6 .B....M..>NpX1..
decrypted sth: = base64(random) = key2
0x03309EC8 45 52 50 37 46 7A 33 6C 74 50 31 4A 62 67 3D 3D ERP7Fz3ltP1Jbg==

submit pw: = base64(reverse(encrypted pw))
Jb/bSi3hoPjf9NI8SVpXKwfdTy08D2AWq0pXEQ750uJXF5dh0Wo7PMX81kEUKRgLoTiC/d/T7f2OxNhoYT5+T4fqmXjPkDZ7pGCUOPmXQVYepSCZ89fS3DSdI17JDy5rv+Uo52Y9B9uCOdRzu5oVh+oiy6y6Np1gWdexPu2lPew=
00000000 25 bf db 4a 2d e1 a0 f8 df f4 d2 3c 49 5a 57 2b |%..J-......<IZW+|
00000010 07 dd 4f 2d 3c 0f 60 16 ab 4a 57 11 0e f9 d2 e2 |..O-<.`..JW.....|
00000020 57 17 97 61 d1 6a 3b 3c c5 fc d6 41 14 29 18 0b |W..a.j;<...A.)..|
00000030 a1 38 82 fd df d3 ed fd 8e c4 d8 68 61 3e 7e 4f |.8.........ha>~O|
00000040 87 ea 99 78 cf 90 36 7b a4 60 94 38 f9 97 41 56 |...x..6{.`.8..AV|
00000050 1e a5 20 99 f3 d7 d2 dc 34 9d 23 5e c9 0f 2e 6b |.. .....4.#^...k|
00000060 bf e5 28 e7 66 3d 07 db 82 39 d4 73 bb 9a 15 87 |..(.f=...9.s....|
00000070 ea 22 cb ac ba 36 9d 60 59 d7 b1 3e ed a5 3d ec |."...6.`Y..>..=.|
00000080

ran: 75915681
token: k1ssjcn1
Conclusion
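submit pw = base64(reverse(encrypted pw)).
The password is encrypted by CryptEncrypt() with the public key in blob. (CryptoAPI returns RSA ciphertext in little-endian byte order, which would explain the byte reversal before base64 encoding.)
The random value is not used.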