Interfacing with a Cryptographic Service Provider (CSP)

The Cryptographic Service Provider (CSP) architecture provides a safe way for multiple applications to access cryptographic and signature services. Instead of being passive sets of encryption routines, CSPs are independently functioning cryptographic modules capable of authenticating the user and checking for user assent to actions.

For example, some CSPs will require a personal identification number (PIN) to be entered by a user before a digital signature is generated, while some require a smart card. Others may require user intervention before executing private key functions, and still others have no authentication at all. The quality of protection for keys within the system is a design parameter of the CSP itself and not the system as a whole. This lets the same applications run in a variety of security contexts without modification.

The amount of access that applications have to the cryptographic internals has been carefully restricted. This facilitates secure and portable application development. The following three design rules apply: