Bulk Data Encryption

A bulk encryption key is generated by hashing one of the MAC keys using CryptHashSessionKey together with the message contents and other data. The message is encrypted/decrypted with one of the bulk encryption keys in the usual manner.

When using a block cipher, the Schannel protocol engine does all necessary block cipher padding. When CryptEncrypt and CryptDecrypt are called, the Final flag is always FALSE and the data length is a multiple of whole block lengths.


The CSP must never buffer data internally. After the data has been encrypted (or decrypted), the size of the plaintext must always exactly match the size of the ciphertext.