Microsoft Cryptographic System
4/8/2010
The Microsoft cryptographic system is composed of different elements. The three executable portions include the application, the operating system (OS), and the cryptographic service provider (CSP).
Applications communicate with the OS through the cryptographic API (CryptoAPI). The OS communicates with CSPs through the cryptographic service provider interface (CryptoSPI). The following illustration shows these concepts.
CSPs are independent units that perform all the cryptographic operations. CSPs communicate with applications through Coredll.dll. A CSP is responsible for creating and destroying keys, and using them to perform a variety of cryptographic operations. Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others contain hardware elements. The following illustration shows the relationship between applications, Coredll.dll, and the CSPs.
At a minimum, a CSP consists of a dynamic-link library (DLL) and a signature file. The signature file ensures that the OS recognizes the CSP. The OS validates this signature periodically to verify that the CSP has not been tampered with.
Each provider has both a name and a type. For example, the name of one of the CSPs currently shipped with Windows Embedded CE is Microsoft Enhanced Cryptographic Provider version 1.0, and its type is PROV_RSA_FULL. The name of each provider is unique, while the provider type is not.
Cryptographic standards are organized into groups known as families. Each family includes a set of data formats and protocols. Even if they use the same algorithm, two families will often use different cipher modes, key lengths, and default modes. In CryptoAPI, each CSP type represents a distinct family.
By default, when an application connects to a CSP of a particular type, each CryptoAPI function operates in a way prescribed by the family that corresponds to the CSP type. The following table shows the items specified by an application's choice of CSP type.
CSP type property | Description
---|---
Key exchange algorithm | Specifies one key exchange algorithm. Every CSP of a particular type must implement this algorithm. The only way applications can specify the key exchange algorithm is by selecting the appropriate CSP type.
Digital signature algorithm | This is the same as with the key exchange algorithm. Each CSP type specifies one digital signature algorithm.
Key binary large object (BLOB) format | Specifies the format of exported keys. Keys can be exported out of a CSP into a key BLOB format for enhanced security during transfer between CSPs.
Digital signature format | Prescribes a particular digital signature format. This ensures that a signature produced by a CSP can be verified by any CSP of the same type.
Session key derivation scheme | Specifies the method used to derive session keys.
Key length | Specifies the key length.
Default modes | Specifies a default mode for various options, such as the block encryption cipher mode or the block encryption padding method.
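The key BLOB format and the key exchange/signature algorithm identifiers in the table above are concrete byte layouts, and a receiving component should validate them before trusting a BLOB handed across a CSP boundary. The following stand-alone parser is an added example, not code from this documentation or from Windows Embedded CE: it checks a CryptoAPI PUBLICKEYBLOB (BLOBHEADER followed by RSAPUBKEY and the little-endian modulus) for the PROV_RSA_FULL family, rejecting truncated, mistyped or mis-tagged input. The constants are the documented CryptoAPI values; the 4096-bit modulus cap, the error codes and the sample modulus bytes built by `build_sample_blob` are assumptions of this example (the modulus is constructed filler, not a real key), and no Windows headers are used so it builds anywhere.

```c
/* Added example (not Microsoft's code): validate and decode a CryptoAPI
 * PUBLICKEYBLOB without Windows headers. Layout:
 *   BLOBHEADER: bType(1) bVersion(1) reserved(2) aiKeyAlg(4)
 *   RSAPUBKEY : magic(4) bitlen(4) pubexp(4)
 *   modulus   : bitlen/8 bytes, little-endian
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PUBLICKEYBLOB     0x06          /* bType for a public key BLOB */
#define CUR_BLOB_VERSION  0x02          /* bVersion */
#define CALG_RSA_SIGN     0x00002400u   /* RSA as the family's signature algorithm */
#define CALG_RSA_KEYX     0x0000a400u   /* RSA as the family's key exchange algorithm */
#define RSA1_MAGIC        0x31415352u   /* "RSA1" read as a little-endian DWORD */
#define MAX_MODULUS_BYTES 512           /* 4096-bit cap chosen for this example (assumption) */

typedef struct {
    uint32_t alg_id;                    /* aiKeyAlg: CALG_RSA_KEYX or CALG_RSA_SIGN */
    uint32_t bitlen;                    /* modulus length in bits */
    uint32_t pubexp;                    /* public exponent */
    uint8_t  modulus[MAX_MODULUS_BYTES];/* little-endian, as stored in the BLOB */
    size_t   modulus_len;
} rsa_pub_info;

/* Error codes are this example's own convention (assumption). */
enum { BLOB_OK = 0, BLOB_TRUNCATED = -1, BLOB_BAD_TYPE = -2, BLOB_BAD_VERSION = -3,
       BLOB_BAD_ALG = -4, BLOB_BAD_MAGIC = -5, BLOB_BAD_BITLEN = -6 };

static uint32_t rd32(const uint8_t *p) {          /* little-endian DWORD */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse `len` bytes at `buf`; every length check happens before the read it guards. */
int parse_rsa_public_blob(const uint8_t *buf, size_t len, rsa_pub_info *out) {
    if (len < 20) return BLOB_TRUNCATED;                 /* header + RSAPUBKEY */
    if (buf[0] != PUBLICKEYBLOB) return BLOB_BAD_TYPE;
    if (buf[1] != CUR_BLOB_VERSION) return BLOB_BAD_VERSION;
    uint32_t alg = rd32(buf + 4);
    if (alg != CALG_RSA_KEYX && alg != CALG_RSA_SIGN) return BLOB_BAD_ALG;
    if (rd32(buf + 8) != RSA1_MAGIC) return BLOB_BAD_MAGIC;
    uint32_t bitlen = rd32(buf + 12);
    if (bitlen == 0 || bitlen % 8 != 0 || bitlen / 8 > MAX_MODULUS_BYTES) return BLOB_BAD_BITLEN;
    size_t nbytes = bitlen / 8;
    if (len < 20 + nbytes) return BLOB_TRUNCATED;        /* modulus must be fully present */
    out->alg_id = alg;
    out->bitlen = bitlen;
    out->pubexp = rd32(buf + 16);
    memcpy(out->modulus, buf + 20, nbytes);
    out->modulus_len = nbytes;
    return BLOB_OK;
}

const char *alg_name(uint32_t alg) {
    return alg == CALG_RSA_KEYX ? "CALG_RSA_KEYX (key exchange)" :
           alg == CALG_RSA_SIGN ? "CALG_RSA_SIGN (signature)" : "unknown";
}

/* Build a constructed 512-bit key exchange PUBLICKEYBLOB (filler modulus, not a real key).
 * Returns the BLOB length (84 bytes) or 0 if `cap` is too small. */
size_t build_sample_blob(uint8_t *dst, size_t cap) {
    const uint32_t bitlen = 512;
    size_t total = 20 + bitlen / 8;
    if (cap < total) return 0;
    dst[0] = PUBLICKEYBLOB; dst[1] = CUR_BLOB_VERSION; dst[2] = 0; dst[3] = 0;
    wr32(dst + 4, CALG_RSA_KEYX);
    wr32(dst + 8, RSA1_MAGIC);
    wr32(dst + 12, bitlen);
    wr32(dst + 16, 65537);
    for (size_t i = 0; i < bitlen / 8; i++) dst[20 + i] = (uint8_t)(0x11 * (i % 15) + 1);
    return total;
}

int main(void) {
    uint8_t blob[128];
    rsa_pub_info info;
    size_t n = build_sample_blob(blob, sizeof blob);
    int rc = parse_rsa_public_blob(blob, n, &info);
    printf("parse rc=%d alg=%s bitlen=%u pubexp=%u\n", rc, alg_name(info.alg_id), info.bitlen, info.pubexp);
    printf("truncated copy rc=%d\n", parse_rsa_public_blob(blob, n - 1, &info));
    return 0;
}
```

The two rejection paths a practitioner cares about are the length checks (a BLOB shorter than its declared bitlen) and the algorithm identifier check: a BLOB tagged CALG_RSA_SIGN is a signature key in this family and should not be accepted where a key exchange key is expected, so callers can compare `alg_id` against the purpose they need rather than trusting the sender's label.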
See Also
Concepts
Microsoft RSA Base Provider
Microsoft Enhanced Cryptographic Provider
Key Length Comparison
Using Basic Cryptography Services
About Cryptographic Service Provider
Protected Store
Cryptography Security
Cryptography Registry Settings