Microsoft Cryptographic System

Windows CE .NET

The Microsoft cryptographic system is composed of different components. The three executable portions include the application, the operating system (OS), and the cryptographic service provider (CSP).

Applications communicate with the OS through the cryptographic API (CryptoAPI). The OS communicates with CSPs through the cryptographic service provider interface (CryptoSPI). The following illustration shows these concepts.


CSPs are independent modules that perform all the cryptographic operations. CSPs communicate with applications through Coredll.dll. A CSP is responsible for creating and destroying keys, and using them to perform a variety of cryptographic operations. Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others contain hardware components. The following illustration shows the relationship between applications, Coredll.dll, and the CSPs.


At a minimum, a CSP consists of a dynamic-link library (DLL) and a signature file. The signature file ensures that the OS recognizes the CSP. The OS validates this signature periodically to verify that the CSP has not been tampered with.

Each provider has both a name and a type. For example, the name of one of the CSPs currently shipped with Windows CE is Microsoft Enhanced Cryptographic Provider version 1.0, and its type is PROV_RSA_FULL. The name of each provider is unique, while the provider type is not.

Cryptographic standards are organized into groups known as families. Each family includes a set of data formats and protocols. Even if they use the same algorithm, two families will often use different cipher modes, key lengths, and default modes. In CryptoAPI, each CSP type represents a distinct family.

By default, when an application connects to a CSP of a particular type, each CryptoAPI function operates in a way prescribed by the family that corresponds to the CSP type. The following table shows the items specified by an application's choice of CSP type.

CSP type propertyDescription
Key exchange algorithmSpecifies one key exchange algorithm. Every CSP of a particular type must implement this algorithm. The only way applications can specify the key exchange algorithm is by selecting the appropriate CSP type.
Digital signature algorithmThis is the same as with the key exchange algorithm. Each CSP type specifies one digital signature algorithm.
Key binary large object formatSpecifies the format of exported keys. Keys can be exported out of a CSP into a key binary large object format for enhanced security during transfer between CSPs.
Digital signature formatPrescribes a particular digital signature format. This ensures that a signature produced by a CSP can be verified by any CSP of the same type.
Session key derivation schemeSpecifies the method used to derive session keys.
Key lengthSpecifies the key length.
Default modesSpecifies a default mode for various options, such as the block encryption cipher mode or the block encryption padding method.

See Also

Microsoft RSA Base Provider | Microsoft Enhanced Cryptographic Provider | Key Length Comparison | Cryptography | Using Basic Cryptography Services | About Cryptographic Service Provider | Protected Store | Cryptography Security | Cryptography Registry Settings | Certificates

 Last updated on Thursday, April 08, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.