Key Use Counting

You can configure the CNG provider to count the number of times a private key is used, for example to retire a key after a set number of operations or to support auditing.

Key counting is not supported in HSM Pool mode.

To enable key use counting in the Security World Key Storage Provider, call NCryptSetProperty with NCRYPT_USE_COUNT_ENABLED_PROPERTY on the provider handle before the key is created. If the key is created by third-party software that does not expose this property to the user, enable counting outside the application with one of the following methods:

  • Set the environment variable NCCNG_USE_COUNT_ENABLED to 1.

  • Set the registry key Software\nCipher\CryptoNG\UseCountEnabled to 1.

Whether a key is counted is decided when the key is created. Keys created while the provider has key use counting enabled continue to have their use counts incremented even if the property is later disabled on that provider handle or the handle is closed. Keys created while NCRYPT_USE_COUNT_ENABLED_PROPERTY is disabled on the provider handle never record use counts, and counting cannot be enabled for them afterwards.

Because the key counter is a 64-bit area in the NVRAM of a specific module, a counted key is specific to that single module. When a counted key is created you are prompted to specify which module to use, unless there is only one module in the Security World, or preload was used to preload authorization from an ACS on only one module.

The key counter is incremented each time a private key is used to:

  • sign

  • decrypt

  • negotiate a secret agreement.
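The enabling procedure above and the creation-time rule, carried through as an added PowerShell example that is not part of the nShield documentation. It opens the Security World KSP, sets NCRYPT_USE_COUNT_ENABLED_PROPERTY on the provider handle, creates a key while counting is enabled, disables counting on the handle again, signs once, and reads the key's counter before and after the signature. Assumptions: the provider name string, the key name usecount-demo, the ECDSA_P256 algorithm, and that the counter is readable through the standard CNG property NCRYPT_USE_COUNT_PROPERTY (the string constants "Enabled Use Count" and "Use Count", a DWORD and a ULONGLONG respectively, are the ncrypt.h definitions). The P/Invoke declarations are the documented Win32 signatures.

```powershell
# Added example, not from the nShield documentation. Assumptions are marked below.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NCrypt {
    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int NCryptOpenStorageProvider(out IntPtr phProvider, string pszProviderName, uint dwFlags);
    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int NCryptSetProperty(IntPtr hObject, string pszProperty, byte[] pbInput, uint cbInput, uint dwFlags);
    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int NCryptGetProperty(IntPtr hObject, string pszProperty, byte[] pbOutput, uint cbOutput, out uint pcbResult, uint dwFlags);
    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    public static extern int NCryptCreatePersistedKey(IntPtr hProvider, out IntPtr phKey, string pszAlgId, string pszKeyName, uint dwLegacyKeySpec, uint dwFlags);
    [DllImport("ncrypt.dll")]
    public static extern int NCryptFinalizeKey(IntPtr hKey, uint dwFlags);
    [DllImport("ncrypt.dll")]
    public static extern int NCryptSignHash(IntPtr hKey, IntPtr pPaddingInfo, byte[] pbHashValue, uint cbHashValue, byte[] pbSignature, uint cbSignature, out uint pcbResult, uint dwFlags);
    [DllImport("ncrypt.dll")]
    public static extern int NCryptFreeObject(IntPtr hObject);
}
'@

function Assert-NCrypt([int]$Status, [string]$Call) {
    # SECURITY_STATUS 0 is success; anything else is an NTE_* error code.
    if ($Status -ne 0) { throw ('{0} failed: 0x{1:X8}' -f $Call, $Status) }
}

function Set-UseCountEnabled([IntPtr]$Provider, [bool]$Enabled) {
    # NCRYPT_USE_COUNT_ENABLED_PROPERTY ("Enabled Use Count") is a DWORD; 1 enables
    # counting for keys created afterwards on this provider handle.
    $value = [BitConverter]::GetBytes([uint32]$(if ($Enabled) { 1 } else { 0 }))
    Assert-NCrypt ([NCrypt]::NCryptSetProperty($Provider, 'Enabled Use Count', $value, $value.Length, 0)) 'NCryptSetProperty'
}

function Get-KeyUseCount([IntPtr]$Key) {
    # NCRYPT_USE_COUNT_PROPERTY ("Use Count") is a ULONGLONG, matching the 64-bit
    # NVRAM counter. Assumption: the KSP exposes the module counter through it.
    $buf = New-Object byte[] 8
    $cb = [uint32]0
    Assert-NCrypt ([NCrypt]::NCryptGetProperty($Key, 'Use Count', $buf, $buf.Length, [ref]$cb, 0)) 'NCryptGetProperty'
    return [BitConverter]::ToUInt64($buf, 0)
}

# Provider name is an assumption; check it with: certutil -csplist
$provider = [IntPtr]::Zero
Assert-NCrypt ([NCrypt]::NCryptOpenStorageProvider([ref]$provider, 'nCipher Security World Key Storage Provider', 0)) 'NCryptOpenStorageProvider'

# 1. Enable counting BEFORE the key exists; this is what decides whether the key gets a counter.
Set-UseCountEnabled $provider $true

# 2. Create and finalize the key. NCRYPT_OVERWRITE_KEY_FLAG (0x80) lets the demo be rerun.
#    With more than one module in the Security World, the KSP prompts for the module here.
$key = [IntPtr]::Zero
Assert-NCrypt ([NCrypt]::NCryptCreatePersistedKey($provider, [ref]$key, 'ECDSA_P256', 'usecount-demo', 0, 0x80)) 'NCryptCreatePersistedKey'
Assert-NCrypt ([NCrypt]::NCryptFinalizeKey($key, 0)) 'NCryptFinalizeKey'

# 3. Disable counting on the handle again: the key was created while counting was
#    enabled, so its counter keeps advancing regardless of the handle state.
Set-UseCountEnabled $provider $false

# 4. Sign once. Signing is one of the three counted private-key operations.
$before = Get-KeyUseCount $key
$hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes('counted message'))
$sigLen = [uint32]0
Assert-NCrypt ([NCrypt]::NCryptSignHash($key, [IntPtr]::Zero, $hash, $hash.Length, $null, 0, [ref]$sigLen, 0)) 'NCryptSignHash (size query)'
$sig = New-Object byte[] $sigLen
Assert-NCrypt ([NCrypt]::NCryptSignHash($key, [IntPtr]::Zero, $hash, $hash.Length, $sig, $sig.Length, [ref]$sigLen, 0)) 'NCryptSignHash'
$after = Get-KeyUseCount $key

"Use count before signing: $before, after signing: $after"

[void][NCrypt]::NCryptFreeObject($key)
[void][NCrypt]::NCryptFreeObject($provider)
```

Run this in a session that has access to the Security World (and with the module attached, since the counter lives in that module's NVRAM). The value printed after signing should be one higher than before, because the signature is a counted operation; a verify operation with the public key would not move it. To exercise the non-programmatic path instead, drop the Set-UseCountEnabled call and set NCCNG_USE_COUNT_ENABLED=1 in the process environment before the provider is opened, then confirm with cnglist --list-keys --verbose.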

To test the performance of keys with counters, run the cngsoak command with the -C option:

cngsoak -C --sign --length=1024

To view the current key use count for keys, run the cnglist command with the --list-keys and --verbose options:

cnglist --list-keys --verbose