Windows 2000 Certificate Services and Public Key Infrastructure
Microsoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules. CSPs perform all cryptographic operations and manage private keys. CSPs can be implemented in software as well as in hardware. Windows 2000 Certificate Services uses CryptoAPI and CSPs to perform all cryptographic and private key management operations. CryptoAPI and CSP services are available to all services and applications that require cryptographic services. For more information about CryptoAPI and CSPs, see the Microsoft Security Advisor link and the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
CSPs can be software-based, hardware-based, or a combination of both. Hardware-based cryptography and key management are more secure than software-based cryptography and key management because cryptographic operations and private keys are isolated from the operating system. However, hardware-based CSPs (such as smart card CSPs) often store only a limited number of private keys and can take a long time to generate keys.
Software CSPs usually provide more flexibility than hardware CSPs, but at the cost of somewhat less security. Nevertheless, software-based CSPs can provide ample security to meet a wide range of needs. You usually use hardware-based CSPs only for special security applications, such as for logging on with smart cards or for secure Web communications with FORTEZZA Crypto Cards.
Vendors can develop hardware or software CSPs that support a wide range of cryptographic operations and technologies. However, Microsoft must certify and digitally sign all CSPs. CSPs do not work in Windows 2000 unless they have been digitally signed by Microsoft.
Windows 2000 includes the following Microsoft CSPs.
**Microsoft Base Cryptographic Provider** Provides a broad set of basic cryptographic functionality. It is not subject to United States government cryptography export restrictions and can be exported to other countries/regions (subject to general United States export restrictions, as well as the import restrictions of other countries/regions). The Base CSP uses RSA technology, which is licensed from RSA Data Security, Inc.

**Microsoft Enhanced Cryptographic Provider** Provides the same capabilities as the Microsoft Base Cryptographic Provider, but in addition, provides stronger security by supporting longer key lengths and additional cryptographic algorithms. This CSP is subject to government-imposed cryptography export restrictions and might not be available in your locality. The Enhanced CSP also uses RSA technology.

**Microsoft DSS Cryptographic Provider** Provides data signing and signature verification capability by using the Secure Hash Algorithm (SHA) and Digital Signature Algorithm (DSA). It is not subject to United States government cryptography export restrictions and can be exported to other countries/regions (subject to general United States export restrictions, as well as the import restrictions of other countries/regions).

**Microsoft Base DSS and Diffie-Hellman Cryptographic Provider** Provides a superset of the DSS Cryptographic Provider and also supports Diffie-Hellman key exchange, hashing (message digests), data signing, and signature verification by using the SHA and DSA algorithms. This CSP is subject to government-imposed export restrictions on cryptography and might not be available in your locality.

**Schannel Cryptographic Providers** The Microsoft RSA/Schannel Cryptographic Provider, the Microsoft DSS Cryptographic Provider, and the Diffie-Hellman/Schannel Cryptographic Provider offer various cryptographic services that are required for data integrity, session key exchange, and authentication during secure Web communications with the SSL and TLS protocols. These CSPs are not subject to United States government cryptography export restrictions and can be exported to other countries/regions (subject to general United States export restrictions, as well as the import restrictions of other countries/regions).
The Windows 2000 Microsoft CSPs have received the Federal Information Processing Standard (FIPS)
The Microsoft Base Cryptographic Provider (Base CSP) is provided for export in compliance with United States government export restrictions on cryptography. The Microsoft Enhanced Cryptographic Provider (Enhanced CSP), however, is subject to United States government export restrictions on cryptography and is available only for localities where the export of strong cryptography is permitted. For more information about restrictions on cryptography, see "Cryptography for Network and Information Security" in this book, and see the Microsoft Security Advisor link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
Table 16.2 highlights differences between the Base CSP and the Enhanced CSP. The public key lengths shown in the table are the default key lengths.
Table 16.2 Comparison of Microsoft Base CSP and Microsoft Enhanced CSP
Algorithm | Base CSP | Enhanced CSP |
---|---|---|
RSA public key signature algorithm | Key length: 512 bits. | Key length: 1,024 bits. |
RSA public key exchange algorithm | Key length: 512 bits. | Key length: 1,024 bits. |
RC2 block encryption algorithm | Key length: 40 bits. | Key length: 128 bits. Salt length: Settable. |
RC4 stream encryption algorithm | Key length: 40 bits. | Key length: 128 bits. Salt length: Settable. |
DES | Not supported. | Key length: 56 bits. |
Triple DES | Not supported. | Key length: 112 bits. |
Triple DES | Not supported. | Key length: 168 bits. |
For both the Base CSP and the Enhanced CSP, public keys that are used for digital signatures can be up to 16,384 bits long. However, public keys that are used for key encryption and key exchange (to protect secret keys) are limited to a maximum of 1,024 bits for the Base CSP and 16,384 bits for the Enhanced CSP. In addition, the symmetric keys for the encryption algorithms in the Base CSP are limited to shorter key lengths, resulting in significantly weaker cryptographic security. Overall, the key lengths and the encryption algorithms in the Enhanced CSP provide far stronger cryptographic security.
For both the Base CSP and the Enhanced CSP, public keys used for signing or key exchange can be a minimum of 384 bits long. However, the use of
The Enhanced CSP is compatible with the Base CSP, except that the CSPs can generate only RC2 or RC4 keys of the default key length. The default symmetric key length for RC2 and RC4 in the Base CSP is 40 bits. The default symmetric length for RC2 and RC4 in the Enhanced CSP is 128 bits. Therefore, the Enhanced CSP cannot create keys with Base CSP–compatible key lengths. However, the Enhanced CSP can import RC2 and RC4 keys of up to 128 bits. Therefore, the Enhanced CSP can import and use
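An added example in C against CryptoAPI (not code from the Resource Kit), illustrating the key-length behaviour described in the preceding paragraphs: it asks the Base CSP and the Enhanced CSP for 40-bit and 128-bit RC4 session keys and reads back the length each provider actually generated. The helper names are the example's own; the provider-name macros, the placement of the requested length in the upper 16 bits of CryptGenKey's dwFlags, and KP_KEYLEN are CryptoAPI as documented in the Platform SDK.

```c
/* Added example, not from the Resource Kit. Asks a named CSP for an RC4 key
 * of a chosen length and reads back what it really produced. Per the text,
 * the Base CSP should yield only 40-bit RC4 keys and the Enhanced CSP only
 * 128-bit ones; a refused request shows up as -1. */
#include <stdio.h>

/* Pack a key length (bits) into the upper word of CryptGenKey's dwFlags. */
unsigned long genkey_flags(unsigned bits, unsigned long low_flags)
{
    return ((unsigned long)bits << 16) | (low_flags & 0xFFFFUL);
}

/* Inverse: recover the requested length from a packed dwFlags value. */
unsigned genkey_bits(unsigned long flags)
{
    return (unsigned)((flags >> 16) & 0xFFFFUL);
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>

/* Returns the generated RC4 key length in bits, or -1 if the CSP refused. */
int try_rc4_keylen(const char *csp_name, unsigned bits)
{
    HCRYPTPROV prov = 0;
    HCRYPTKEY key = 0;
    DWORD len = 0, cb = sizeof(len);
    int result = -1;
    /* CRYPT_VERIFYCONTEXT: session keys only, no key container is opened. */
    if (!CryptAcquireContextA(&prov, NULL, csp_name, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return -1;
    if (CryptGenKey(prov, CALG_RC4, genkey_flags(bits, CRYPT_EXPORTABLE), &key)) {
        if (CryptGetKeyParam(key, KP_KEYLEN, (BYTE *)&len, &cb, 0))
            result = (int)len;
        CryptDestroyKey(key);
    }
    CryptReleaseContext(prov, 0);
    return result;
}

int main(void)
{
    printf("Base CSP: 40 -> %d, 128 -> %d\n",
           try_rc4_keylen(MS_DEF_PROV_A, 40), try_rc4_keylen(MS_DEF_PROV_A, 128));
    printf("Enhanced CSP: 40 -> %d, 128 -> %d\n",
           try_rc4_keylen(MS_ENHANCED_PROV_A, 40), try_rc4_keylen(MS_ENHANCED_PROV_A, 128));
    return 0;
}
#endif
```

On Windows, link against advapi32; the two flag helpers compile on any platform, and the CryptoAPI calls are guarded by `_WIN32`.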
Windows 2000 includes smart card CSPs from two vendors: Gemplus SCA and Schlumberger Limited. The Gemplus GemSAFE Card CSP and the Schlumberger CSP support cryptographic operations for the Gemplus and Schlumberger PC/SC-compliant smart cards, respectively. Additional smart card CSPs might be developed and certified for use with Windows 2000. For current information about available smart card CSPs, see the Microsoft Security Advisor link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
CSPs are subject to cryptography export restrictions. Some governments, including the United States government, currently place export restrictions on encryption technology. Other governments also place import restrictions on encryption technology. The availability of CSPs varies according to the export or import restrictions for a specific geographical area.
All Windows 2000 products support a maximum of
For more information about the availability of the Encryption Pack CD and current cryptography export policies for Microsoft products, see the Microsoft Security Advisor link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.