The CSP encryption service provider (Cryptographic Service Provider) has the following features:
- CSP is an independent module that truly performs password operations.
- Physical CSP consists of two parts: a dynamic connection library and a signature file.
- The signature file ensures that the cryptographic service provider is authenticated to prevent the attacker from impersonating the CSP.
- If the encryption algorithm is implemented by hardware, CSP also includes hardware devices.
- Microsoft provides a CSP in the operating system by bundling the RSA base provider and uses the RSA public key encryption algorithm. More CSPs can be added to applications as needed.
- Windows 2000 and later comes with a variety of different CSPs
1. CSP Service System
CSP Service System Hierarchy
The CSP service system is divided into three independent layers from the perspective of system structure and system invocation level (for example, service hierarchy ):
1) The bottom layer is the provision layer of the encryption service, which is a specific CSP. It is an independent module provided by the encryption service provider and acts as the real data encryption service, this includes using different encryption and signature algorithms to Generate Keys, exchange keys, encrypt data, generate data summaries, and digital signatures. It is independent of the application layer and operating system, its general SPI programming interface El interacts with the operating system layer. Some CSPs use special hardware to work together for encryption, while others use RPC to distribute its functions to achieve higher security.
2) the middle layer, that is, the operating system (0 s) layer. Here it refers to the specific 32-bit operating platform of Win9x, NT and 2 K and later versions. In the CSP system, it also provides unified API interfaces for the application layer and SPI interfaces for the encryption service layer. The operating system layer isolates the underlying CSP and specific encryption implementation details for the application layer, users can interact with each CSP independently. It provides certain management functions, including regular CSP verification.
3) the application layer, that is, any user process or thread uses the encryption service application by calling the crypto API provided by the operating system layer.
According to the CSP service hierarchy, applications do not have to worry about the specific implementation details of the underlying CSP, and use a unified API interface for programming, the operating system interacts with the specific encryption service provider through a unified SPI interface, and other vendors implement encryption and signature algorithms based on the Service programming interface SPI, it facilitates digital encryption and digital signature.
To implement digital encryption and digital signature in applications, the program programming interface crypto API provided by Microsoft is generally called. Applications cannot communicate directly with the encrypted service provider (CSP). They can communicate with the corresponding CSP only after filtering through the crypto API operating system interface and passing through the crypto SPI System Service Interface. CSP is an independent module that truly implements all encryption operations.
Ii. CSP Composition
CSP is the most core layer for decryption on the Windows platform. It is an independent module that truly performs encryption. CSP and Windows interfaces are implemented in the form of DLL. CSP is an independent module that truly performs encryption.
According to the different implementation methods of CSP, it can be divided into pure software implementation and implementation with hardware. The implementation of CSP with hardware can be divided into the use of smart card chip (built-in encryption algorithm) according to different hardware chips) and the storage type that does not use the smart card chip. The interface with the computer is usually USB, so the CSP hardware is called the USB key.
Physical CSP consists of dynamic link libraries, signature files, and signature files to ensure that the provider has been authenticated. The operating system can identify the CSP, and the operating system can use it to periodically verify the CSP, this vulnerability is not tampered. You can also use the auxiliary DLL to implement CSP. The auxiliary DLL is not part of CSP. However, the auxiliary dll must also be signed and the signature file must be available if it contains the function called by CSP, each DLL is verified before it is loaded. Each CSP has a name and a type. If hardware is implemented, CSP also includes hardware devices. CSP is logically composed of the following parts (CSP ):
(1) Implement the SPI interface functions provided by Microsoft. In the SPI interface provided by Microsoft, a total of 23 basic cryptographic system functions are called by applications through CAPI. CSP must support these functions, which provide basic functions.
(2) Implement the encryption signature algorithm. If the CSP is implemented by pure software and the CSP is implemented by the stored USB key, these functions are implemented in the csp dll or the auxiliary DLL, with the CSP implemented by hardware devices, and the Encrypted USB key is used. The Dynamic CSP library is a framework. The general function implementation is in the Dynamic CSP library, and the core of the main function is implemented in hardware, in the Dynamic CSP library, it is only a function framework, such as encryption/decryption, hash data, and signature verification. This is because the private key is generally not exported, these functions are implemented mainly on hardware devices with good confidentiality.
(3) CSP keystore and key container. Each encryption service provider has an independent keystore, which is an internal CSP database, this database contains one or more containers belonging to each independent user. Each container is identified by an independent identifier. Different key containers have different users' signature key pairs, exchange key pairs, And X.509 digital certificates in memory. For security reasons, private keys cannot be exported. CSP with hardware implementation. The CSP keystore and key container are placed in the hardware storage, and the pure soft CSP implementation is placed in the files on the hard disk.
Iii. CSP implementation
The CSP design framework is shown in. Microsoft CSP is implemented through the dedicated API for smart cryptographic keys. To be compatible with the PKCS #11 supported by the Netscape browser, you can call the PKCS # ll interface to implement the Microsoft CSP Service programming interface based on the implementation of PKCS # ll. This makes it much easier to implement PKCS on other operating systems.
Obtain the pin on the user interface.
When an application requires access to the user's private key or other identity information, it must first use the user identity code (PIN) to authenticate the user. The user interface obtains the pin. The authenticated program allows access to user sensitive data in the identity key. The user program's access to user sensitive data in the identity key must be completed in a transaction. Before the transaction starts, the identity key is in the unauthenticated status. After the transaction ends, the identity key is still returned to the unauthenticated status. To avoid requiring the user to enter a pin for each operation, the pin should be cached in the CSP. All the display and operations on the user pin must be directly obtained from the cache, And the cached pin must be synchronized with the specific login user and the specific user identity key, once the login user changes or the identity key is removed from the host, the corresponding PIN cache must be cleared.
Iv. Supported CSP module functions
Zhongfu smart cryptographic keys seamlessly integrate with CryptoAPI applications by providing standard CSP modules. The CSP module of the Fufu smart cryptographic key is written in accordance with Microsoft's crypto service provider programming specification and can be compatible with current and future CryptoAPI applications. The secondary CSP is a type of csp of the prov_rsa_full type. It has the following features:
Provides secure RSA key pair containers
Provides multiple grouping and Hash Algorithms
Hardware-implemented RSA operations
Support for domestic encryption algorithms
Individual digital certificate carrier
The following lists CSP module functions supported by the smart Password Key of EF. These functions are csp spi. CryptoAPI applications do not need to directly call these interfaces and are indirectly called through Microsoft's security system.
Name |
Description |
Connection Functions |
Cpacquirecontext |
Create a context for the application |
Cpgetprovparam |
Obtain CSP Information |
Cpreleasecontext |
Release the context obtained by cpacquirecontext |
Cpgetprovparam |
Set CSP Parameters |
Key Generation and exchange functions |
Cpderivekey |
Generate a session key from a data hash to ensure that the generated keys are different from each other. |
Cpdestroykey |
Release the key handle. The key handle is invalid and cannot be accessed again. |
Cpduplicatekey |
Create a copy of the key |
Cpexportkey |
Export key from CSP key container |
Cpimportkey |
Import keys from a blob to a CSP container |
Cpgenkey |
Generate a key or key pair |
Cpgenrandom |
Generate random number |
Cpsetkeyparam |
Set key properties |
Cpgetkeyparam |
Get key attributes |
Cpgetuserkey |
Obtain the persistent key pair in the key container |
Data Encryption Functions |
Cpencrypt |
Encrypted plaintext |
Cpdecrypt |
Decrypt ciphertext |
Hash and digital signature functions |
Cpcreatehash |
Initialize a hash object |
Cpdestroyhash |
Delete A hash object |
Cpdublicatehash |
Create a hashed object copy |
Cpsethashparam |
Set attributes of a hashed object |
Cpgethashparam |
Retrieve attributes of a hashed object |
Cphashdata |
Hash input data |
Cphashsessionkey |
Hash a session key |
Cpsignhash |
Sign a hash object |
Cpverifysignature |
Verify a hash object |
The cpacquirecontext function is the most advanced function called by all CSP functions. Upper-layer applications call this function to specify the key container to operate on. Each key container can only save one pair of RSA key pairs and any number of session keys. An RSA key pair is a persistent object, and a session key can only exist at runtime. If the application needs to access the RSA private key in the key container, the csp of the Zhongfu smart key requires the user's pin code to be verified. The Verify user pin dialog box is displayed. The user enters the Correct PIN code. After the verification is correct, the CSP module will perform subsequent operations.