Microsoft Cryptographic System

The Microsoft cryptographic system is composed of several components. Its three executable portions are the application, the operating system (OS), and the cryptographic service provider (CSP).

Applications communicate with the OS through the Cryptographic API (CryptoAPI). The OS communicates with CSPs through the cryptographic service provider interface (CSPI). The following illustration shows these concepts.

All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). On Windows CE, CSPs communicate with applications through Coredll.dll, which exports the CryptoAPI functions. A CSP is responsible for creating and destroying keys and for using them to perform a variety of cryptographic operations. Each CSP supplies its own implementation of the cryptographic operations behind CryptoAPI: some provide stronger algorithms or longer keys, while others perform their operations in hardware. The following illustration shows the relationship between applications, Coredll.dll, and the CSPs.

At a minimum, a CSP consists of a dynamic-link library (DLL) and a signature file. The signature lets the OS confirm that the CSP is one it recognizes, and the OS validates the signature periodically to verify that the CSP DLL has not been tampered with; a CSP whose signature does not verify is not loaded.

Each provider has both a name and a type. For example, the CSP currently shipped with Windows CE is named "Microsoft Base Cryptographic Provider v1.0" and its type is PROV_RSA_FULL. Provider names are unique, while a provider type is shared by every CSP that implements that family; an application therefore selects a type when it needs a particular set of algorithms and formats, and a name only when it needs one specific implementation.

Cryptographic standards are organized into groups known as families. Each family includes a set of data formats and protocols. Even when two families use the same algorithm, they will often differ in cipher modes, key lengths, and defaults. In CryptoAPI, each CSP type represents a distinct family.

By default, when an application connects to a CSP of a particular type, each CryptoAPI function operates in a way prescribed by the family that corresponds to the CSP type. The following table shows the items specified by an application's choice of CSP type.

Key exchange algorithm
    Specifies one key exchange algorithm. Every CSP of a given type must implement this algorithm. The only way an application can choose the key exchange algorithm is by selecting the appropriate CSP type.

Digital signature algorithm
    Same rule as for the key exchange algorithm: each CSP type specifies exactly one digital signature algorithm.

Key BLOB (binary large object) format
    Specifies the format of exported keys. Keys are exported from a CSP as key BLOBs so that they can be transferred securely between CSPs; because the format is fixed by the type, any CSP of the same type can import them.

Digital signature format
    Prescribes a particular digital signature format. This ensures that a signature produced by one CSP can be verified by any CSP of the same type.

Session key derivation scheme
    Specifies the method used to derive session keys from a hash or shared secret.

Key length
    Specifies the key lengths available for the family's algorithms.

Default modes
    Specifies a default for options the application does not set explicitly, such as the block cipher mode or the block cipher padding method.
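The key BLOB format row above is the property a practitioner most often has to deal with by hand, because BLOBs cross trust boundaries when keys move between machines or CSPs. The following is an added example, not code from the original page or from Microsoft: a stand-alone C parser and builder for the PUBLICKEYBLOB layout that PROV_RSA_FULL providers use for exported RSA public keys (a BLOBHEADER, then an RSAPUBKEY with the "RSA1" magic, then a little-endian modulus). It deliberately validates every fixed field before trusting the caller-supplied length, and rejects truncated BLOBs rather than reading past the buffer. The sample key is constructed (bytes 0x01..0x40 as the modulus) and is not a real key; the function names and the error enum are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PUBLICKEYBLOB     0x06u
#define CUR_BLOB_VERSION  0x02u
#define RSA1_MAGIC        0x31415352u   /* "RSA1" read as a little-endian DWORD */
#define CALG_RSA_KEYX     0x0000a400u   /* RSA key exchange: the algorithm PROV_RSA_FULL prescribes */
#define CALG_RSA_SIGN     0x00002400u   /* RSA signature */
#define BLOB_HDR_LEN      20u           /* sizeof(BLOBHEADER) + sizeof(RSAPUBKEY) */
#define MAX_RSA_BYTES     512u          /* accept up to a 4096-bit modulus */

typedef struct {
    uint32_t alg_id, bitlen, pubexp;
    size_t   modulus_len;
    uint8_t  modulus[MAX_RSA_BYTES];    /* big-endian after parsing */
} rsa_pubkey;

/* Error codes are this example's own, not CryptoAPI's NTE_* values. */
enum blob_err { BLOB_OK = 0, BLOB_SHORT = -1, BLOB_TYPE = -2, BLOB_VERSION = -3, BLOB_RESERVED = -4,
                BLOB_ALG = -5, BLOB_MAGIC = -6, BLOB_BITLEN = -7, BLOB_TRUNCATED = -8 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check every fixed field first, then bounds-check the modulus against the buffer length. */
int parse_rsa_public_blob(const uint8_t *blob, size_t len, rsa_pubkey *out) {
    if (len < BLOB_HDR_LEN) return BLOB_SHORT;
    if (blob[0] != PUBLICKEYBLOB) return BLOB_TYPE;            /* BLOBHEADER.bType */
    if (blob[1] != CUR_BLOB_VERSION) return BLOB_VERSION;      /* BLOBHEADER.bVersion */
    if (blob[2] != 0 || blob[3] != 0) return BLOB_RESERVED;    /* BLOBHEADER.reserved must be zero */
    uint32_t alg = rd32(blob + 4);                             /* BLOBHEADER.aiKeyAlg */
    if (alg != CALG_RSA_KEYX && alg != CALG_RSA_SIGN) return BLOB_ALG;
    if (rd32(blob + 8) != RSA1_MAGIC) return BLOB_MAGIC;       /* RSAPUBKEY.magic */
    uint32_t bitlen = rd32(blob + 12);                         /* RSAPUBKEY.bitlen */
    if (bitlen == 0 || bitlen % 8 != 0 || bitlen / 8 > MAX_RSA_BYTES) return BLOB_BITLEN;
    size_t nbytes = bitlen / 8;
    if (len < BLOB_HDR_LEN + nbytes) return BLOB_TRUNCATED;    /* never read past the buffer */
    out->alg_id = alg;
    out->bitlen = bitlen;
    out->pubexp = rd32(blob + 16);                             /* RSAPUBKEY.pubexp */
    out->modulus_len = nbytes;
    for (size_t i = 0; i < nbytes; i++)                        /* little-endian on the wire -> big-endian */
        out->modulus[i] = blob[BLOB_HDR_LEN + nbytes - 1 - i];
    return BLOB_OK;
}

/* Serialize a big-endian modulus into the same layout; returns bytes written, or 0 on error. */
size_t build_rsa_public_blob(uint32_t alg, uint32_t pubexp, const uint8_t *mod_be, size_t nbytes,
                             uint8_t *out, size_t outlen) {
    if (nbytes == 0 || nbytes > MAX_RSA_BYTES || outlen < BLOB_HDR_LEN + nbytes) return 0;
    out[0] = PUBLICKEYBLOB; out[1] = CUR_BLOB_VERSION; out[2] = 0; out[3] = 0;
    wr32(out + 4, alg);
    wr32(out + 8, RSA1_MAGIC);
    wr32(out + 12, (uint32_t)(nbytes * 8));
    wr32(out + 16, pubexp);
    for (size_t i = 0; i < nbytes; i++) out[BLOB_HDR_LEN + i] = mod_be[nbytes - 1 - i];
    return BLOB_HDR_LEN + nbytes;
}

/* Constructed 512-bit sample (not a real key): modulus bytes 0x01..0x40, e = 65537. */
#define SAMPLE_BYTES 64u
static size_t make_sample_blob(uint8_t *out, size_t outlen) {
    uint8_t mod_be[SAMPLE_BYTES];
    for (size_t i = 0; i < SAMPLE_BYTES; i++) mod_be[i] = (uint8_t)(i + 1);
    return build_rsa_public_blob(CALG_RSA_KEYX, 65537u, mod_be, SAMPLE_BYTES, out, outlen);
}

/* Round-trips the sample and returns how many of the five field checks passed. */
int sample_roundtrip_checks(void) {
    uint8_t blob[BLOB_HDR_LEN + SAMPLE_BYTES];
    rsa_pubkey key;
    int passed = 0;
    size_t n = make_sample_blob(blob, sizeof blob);
    if (n != sizeof blob || parse_rsa_public_blob(blob, n, &key) != BLOB_OK) return 0;
    passed += key.alg_id == CALG_RSA_KEYX;
    passed += key.bitlen == 512u;
    passed += key.pubexp == 65537u;
    passed += key.modulus_len == SAMPLE_BYTES;
    passed += key.modulus[0] == 0x01 && key.modulus[SAMPLE_BYTES - 1] == 0x40;
    return passed;
}

/* Same BLOB with its last modulus byte missing: the parser must report BLOB_TRUNCATED. */
int sample_truncated_result(void) {
    uint8_t blob[BLOB_HDR_LEN + SAMPLE_BYTES];
    rsa_pubkey key;
    size_t n = make_sample_blob(blob, sizeof blob);
    return parse_rsa_public_blob(blob, n - 1, &key);
}

/* Magic changed from "RSA1" to "RSA2" (the private-key BLOB magic): expect BLOB_MAGIC. */
int sample_bad_magic_result(void) {
    uint8_t blob[BLOB_HDR_LEN + SAMPLE_BYTES];
    rsa_pubkey key;
    size_t n = make_sample_blob(blob, sizeof blob);
    blob[11] = '2';
    return parse_rsa_public_blob(blob, n, &key);
}

int main(void) {
    uint8_t blob[BLOB_HDR_LEN + SAMPLE_BYTES];
    rsa_pubkey key;
    size_t n = make_sample_blob(blob, sizeof blob);
    if (parse_rsa_public_blob(blob, n, &key) != BLOB_OK) return 1;
    printf("alg=0x%08x bitlen=%u e=%u modulus=", (unsigned)key.alg_id, (unsigned)key.bitlen, (unsigned)key.pubexp);
    for (size_t i = 0; i < key.modulus_len; i++) printf("%02x", key.modulus[i]);
    printf("\n");
    return 0;
}
```

The same header checks apply before handing any BLOB to a real CSP: CryptImportKey will reject a malformed BLOB, but a parser that trusts bitlen before checking the buffer length is a classic out-of-bounds read, and a BLOB whose aiKeyAlg is CALG_RSA_SIGN must not be used where the family's key exchange key is expected.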