Every CSP of type PROV_RSA_FULL or PROV_RSA_SIG must provide an implementation of the RC2 block cipher and the RC4 stream cipher. These algorithms are used by the session keys to perform the encryption and decryption of bulk data.
The Microsoft Base Cryptographic Provider uses 40-bit session keys, with 88 bits of salt (128 bits total). Your CSP is free to use larger keys, although this can make exporting your CSP rather difficult. For more information on export control, see Getting CSPs Signed.
If your CSP does use session keys larger than 40-bits, this will tend to make key exchange between your CSP and the Microsoft Base Cryptographic Provider rather difficult.