
NCryptSetProperty returns error 0x80090026 while deriving session keys using NCryptDeriveKey

Sourabh 20 Reputation points
2026-02-10T18:39:42.0166667+00:00

I am trying to use NCryptDeriveKey to derive session encryption and authentication keys using HKDF. I can generate an ephemeral key pair with NCryptCreatePersistedKey and return the key handle and public key.

In another function for deriving session keys, I am first importing keys using NCryptImportKey and creating a secret agreement with NCryptSecretAgreement. Next, I am using NCryptSetProperty to set the hash and salt values and then using NCryptDeriveKey to derive session keys. But NCryptSetProperty returns an error: NCryptSetProperty failed: 0x80090026

Reference document: https://learn.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptderivekey#bcrypt_kdf_hkdf-lhkdf

It mentions usage of BCryptSetProperty and BCryptDeriveKey instead of NCryptSetProperty and NCryptDeriveKey. Why is that?

Windows development | Windows API - Win32

Answer accepted by question author
  1. Jack Dang (WICLOUD CORPORATION) 15,205 Reputation points Microsoft External Staff Moderator
    2026-02-11T04:24:24.97+00:00

    Hi @Sourabh ,

    Thanks for reaching out.

    It looks like the NCryptSetProperty failure with 0x80090026 may be happening because HKDF is implemented at the BCrypt layer, not fully in NCrypt. While NCryptDeriveKey supports the "HKDF" KDF string, the HKDF-specific properties, like BCRYPT_HKDF_HASH_ALGORITHM and BCRYPT_HKDF_SALT_AND_FINALIZE, are generally expected to be set using BCryptSetProperty on the secret handle. NCrypt may not recognize these properties, which could explain the invalid parameter error.

    https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptkeyderivation#hkdf

    A couple of approaches that might help are:

    1. Using BCrypt entirely for HKDF: create the secret agreement with BCryptSecretAgreement, configure hash and salt with BCryptSetProperty, then derive keys with BCryptDeriveKey.
    2. A hybrid approach: use NCryptSecretAgreement to create the secret, export the raw secret, then import it into BCrypt to perform HKDF.

    The main point is that configuring HKDF properties via NCryptSetProperty may not be supported. Trying one of the approaches above could potentially work in your scenario.

    Hope this helps! If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well.
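Added example, not part of the answer above and not Microsoft's code: a reference HKDF (RFC 5869) in Python for cross-checking the session keys that a BCrypt-based derivation produces from the same secret, salt and info. It assumes SHA-256, treats the salt step as HKDF-Extract and the derivation step as HKDF-Expand, and uses the hypothetical info labels `enc` and `auth`; all sample inputs are constructed.

```python
# Reference HKDF (RFC 5869), used to cross-check keys derived through CNG.
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM). An empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated then truncated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret: bytes, salt: bytes, context: bytes = b""):
    """One extract, two expands: distinct info labels give independent keys.
    The labels b"enc" and b"auth" are hypothetical; both peers must agree on them."""
    prk = hkdf_extract(salt, shared_secret)
    enc_key = hkdf_expand(prk, b"enc" + context, 32)
    auth_key = hkdf_expand(prk, b"auth" + context, 32)
    return enc_key, auth_key


def rfc5869_case1():
    """RFC 5869 Appendix A.1 inputs; returns (PRK, OKM) as hex for a self-check."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    return prk.hex(), hkdf_expand(prk, info, 42).hex()


if __name__ == "__main__":
    # Constructed sample values, standing in for the ECDH secret and session salt.
    secret, salt = bytes(range(32)), b"constructed-session-salt"
    enc, auth = derive_session_keys(secret, salt)
    print("enc :", enc.hex())
    print("auth:", auth.hex())
```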


1 additional answer

  1. Q&A Assist
    2026-02-10T18:40:53.4633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error code 0x80090026 indicates that the requested operation is not supported. In the context of using NCryptSetProperty and NCryptDeriveKey, this error may occur because the functions you are trying to use are not compatible with the properties you are attempting to set or the key type you are working with.

    The documentation suggests using BCryptSetProperty and BCryptDeriveKey instead of their NCrypt counterparts. This is likely because the BCrypt API is designed to handle certain cryptographic operations more effectively, particularly those involving key derivation functions like HKDF. The BCrypt API may provide better support for the properties and operations you are trying to perform, which could resolve the error you are encountering.

    To address the issue, consider switching to the BCrypt API for key derivation and property setting, as it may be better suited for your requirements.
