Microsoft CryptoAPI
Lua error in package.lua at line 80: module 'strict' not found. The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 [1] and enhanced in subsequent versions.
CryptoAPI supports both public-key and symmetric key cryptography, though persistent symmetric keys are not supported. It includes functionality for encrypting and decrypting data and for authentication using digital certificates. It also includes a cryptographically secure pseudorandom number generator function CryptGenRandom.
CryptoAPI works with a number of CSPs (Cryptographic Service Providers) installed on the machine. CSPs are the modules that do the actual work of encoding and decoding data by performing the cryptographic functions. Vendors of HSMs may supply a CSP which works with their hardware.
Cryptography API: Next Generation
Windows Vista features an update to the Crypto API known as Cryptography API: Next Generation (CNG). It has better API factoring to allow the same functions to work using a wide range of cryptographic algorithms, and the inclusion of a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is also flexible, featuring support for plugging in custom cryptographic APIs into the CNG runtime. However, CNG Key Storage Providers still do not support symmetric keys.[2] CNG works in both user and kernel mode, and also supports all of the algorithms from the CryptoAPI. The Microsoft provider that implements CNG is housed in Bcrypt.dll.
CNG also supports elliptic curve cryptography which, because it uses shorter keys for the same expected level of security, is more efficient than RSA.[3] The CNG API integrates with the smart card subsystem by including a Base Smart Card Cryptographic Service Provider (Base CSP) module which encapsulates the smart card API. Smart card manufacturers just have to make their devices compatible with this, rather than provide a from-scratch solution.
CNG also adds support to Dual_EC_DRBG,[4] a pseudorandom number generator defined in NIST SP 800-90A that could expose the user to eavesdropping by the National Security Agency unless the user remembers to generate new random numbers with a different cryptographically secure pseudorandom number generator or a true random number generator and then publishing the generated seed in order to make it secure. It is also very slow.[5] It is only used when called for explicitly.
CNG also replaces the default PRNG with CTR_DRBG using AES as the block cipher, because the earlier RNG which is defined in the now superseded FIPS 186-2 is based on either DES or SHA-1, both which have been broken.[6] CTR_DRBG is one of the two algorithms in NIST SP 800-90 endorsed by Schneier, the other being Hash_DRBG.[5]
See also
References
- ↑ Poking Around Under the Hood: A Programmer's View of Windows NT 4.0
- ↑ Key Storage and Retrieval, Microsoft
- ↑ The Case for Elliptic Curve Cryptography, NSA
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ 5.0 5.1 Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
External links
- Cryptography Reference on MSDN
- Microsoft CAPI at CryptoDox
- The Case for Elliptic Curve Cryptography, National Security Agency