Persistent Data Objects

Every CSP is responsible for storing public/private key pairs from session to session, in some sort of persistent memory. A CSP implemented completely in software might store these (encrypted) in the Windows Registry; those with a hardware component will likely store the key pairs in tamper-resistant hardware.

The key pairs are stored in logical data objects known as key containers. The CSP maintains one key container for each user (or client) that uses the CSP. Each key container can store one key pair of each type that the CSP recognizes. For example, the Microsoft® Base Cryptographic Provider recognizes two key pair types, the key exchange key pair and the digital signature key pair.

Several key containers may be "open" at any given time (either by a single application or multiple ones), but every call to a CryptoSPI function will specify the key container that is to be used via the first parameter to the function. This is illustrated by the following drawing.

Note: In the context of CryptoSPI, the HCRYPTPROV data type is used to represent a handle to a particular key container within the CSP. This is slightly different from the CryptoAPI context, where handles of the HCRYPTPROV data type also specify the CSP that is to be used.
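The following PowerShell session is an added example, not part of the original documentation, that exercises the same concepts from the application side: it opens one key container in a software CSP, creates the key exchange pair and the signature pair that the container can hold, releases the handles, re-opens the container by name to show that the CSP persisted the keys between sessions, and finally deletes the container. It goes through .NET's RSACryptoServiceProvider wrapper over CryptoAPI, so the CSP is named explicitly on the handle, as the note above describes for CryptoAPI. The container name, the choice of the Microsoft Enhanced Cryptographic Provider, and the 2048-bit key size are assumptions made for the demo.

```powershell
# Added example: walk a CSP key container through its life cycle via .NET's
# RSACryptoServiceProvider (a CryptoAPI wrapper). Names below are assumed for the demo.
$containerName  = 'CspDemoContainer'                              # assumed container name
$providerName   = 'Microsoft Enhanced Cryptographic Provider v1.0' # a software CSP of type PROV_RSA_FULL
$PROV_RSA_FULL  = 1
$AT_KEYEXCHANGE = 1   # System.Security.Cryptography.KeyNumber.Exchange
$AT_SIGNATURE   = 2   # System.Security.Cryptography.KeyNumber.Signature

function New-CspParams {
    param(
        [int]$KeyNumber,
        [System.Security.Cryptography.CspProviderFlags]$Flags = 'NoFlags'
    )
    # CSP type + CSP name + container name: the handle identifies both the CSP and the container.
    $p = New-Object System.Security.Cryptography.CspParameters($PROV_RSA_FULL, $providerName, $containerName)
    $p.KeyNumber = $KeyNumber   # which of the two key pair types in the container to use
    $p.Flags     = $Flags
    return $p
}

# 1. Create (or open) the key exchange pair. With a container name supplied, PersistKeyInCsp
#    defaults to $true, so the CSP writes the pair to its persistent store.
$exch = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, (New-CspParams $AT_KEYEXCHANGE))
# 2. The same container holds a separate digital signature pair.
$sig  = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, (New-CspParams $AT_SIGNATURE))

foreach ($k in $exch, $sig) {
    $info = $k.CspKeyContainerInfo
    '{0,-9} container={1} provider="{2}" machineStore={3}' -f $info.KeyNumber, $info.KeyContainerName, $info.ProviderName, $info.MachineKeyStore
}

# The two pairs are distinct keys: compare the public moduli.
$exchMod = [Convert]::ToBase64String($exch.ExportParameters($false).Modulus)
$sigMod  = [Convert]::ToBase64String($sig.ExportParameters($false).Modulus)
"Exchange and signature moduli differ: $($exchMod -ne $sigMod)"

# 3. Release both handles. The keys remain in the container because PersistKeyInCsp is $true.
$exch.Clear()
$sig.Clear()

# 4. Re-open the container by name in a fresh handle. UseExistingKey makes the constructor
#    throw if the pair is not already persisted, so success shows the CSP kept it.
$reopened = New-Object System.Security.Cryptography.RSACryptoServiceProvider((New-CspParams $AT_SIGNATURE 'UseExistingKey'))
$reopenedMod = [Convert]::ToBase64String($reopened.ExportParameters($false).Modulus)
"Re-opened signature modulus matches the original: $($reopenedMod -eq $sigMod)"

# 5. Clean up. With PersistKeyInCsp set to $false, Clear() deletes the whole key container
#    (both pairs), which is CryptAcquireContext with CRYPT_DELETEKEYSET underneath.
$reopened.PersistKeyInCsp = $false
$reopened.Clear()
```

Step 5 matters in practice: a container created for a test and never deleted stays in the CSP's persistent store for that user until something removes it, so any script that generates keys this way should own their deletion as well.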