Provider Types

The field of cryptography is very large. There are dozens of different standard data formats and protocols. These are generally organized into groups or families, each of which has its own set of data formats and way of doing things. Even if they use the same algorithm (for example, the RC2 block cipher), two families will often use a different padding scheme, different key lengths, and different default modes. The CryptoAPI has been designed so that each CSP type represents a particular family.

When an application connects to a CSP of a particular type, each of the CryptoAPI functions will, by default, operate in a way prescribed by the family that corresponds to the CSP type. An application's choice of provider type specifies the following items:

Key exchange algorithm. Each provider type specifies one and only one key exchange algorithm. Every CSP of a particular type must implement this algorithm. The only way applications can specify which key exchange algorithm is used is by selecting a CSP of the appropriate provider type.
Digital signature algorithm. This is the same as with the key exchange algorithm. Each provider type specifies one and only one digital signature algorithm.
Key blob format. When a public key or session key is exported out of a CSP, the format of the resulting key blob is specified by the provider type.
Digital signature format. The provider type prescribes a particular digital signature format. This ensures that a signature produced by a CSP of a given provider type can be verified by any CSP of the same provider type.
Session key derivation scheme. When a key is derived from a hash, the method used is specified by the provider type.
Key length. Some provider types will specify that the public/private key pairs or the session keys be of a certain length.
Default modes. The provider type will often specify a default mode for various options, such as the block encryption cipher mode or the block encryption padding method.

Each application will generally work only with a single type of CSP. However, an advanced application might connect to more than one CSP at a time. When writing an application, you will often need to obtain all the documentation that relates to the CSP type you are using. For example, it is not recommended that you try to write an application by using the PROV_RSA_FULL provider type without obtaining the Public-Key Cryptographic Standards (PKCS) from RSA Data Security, Inc. The relevant third-party documentation for each provider type is listed later in this chapter.