CSP development process 1

Source: Internet
Author: User
Tags: support, microsoft

At present, many research institutions in China have developed high-strength encryption algorithms, delivered to users either as pure software or as cryptographic cards. Different cryptographic service providers expose different programming interfaces, which is inconvenient for application developers, so a number of international cryptographic API standards and specifications have been defined to present cryptographic services to users in a few unified forms. The main ones at present are: GSS-API v2.0, GCS-API, CDSA, RSA PKCS #11 Cryptographic Token Interface Standard v2.01, RSA BSAFE API, and Microsoft CryptoAPI v2.0. Of these, CDSA, RSA PKCS #11 and Microsoft CryptoAPI are the most widely used in practice and are the recommended cryptographic APIs for PKI. The following describes how Microsoft CryptoAPI calls a Cryptographic Service Provider (CSP), and how to develop a CSP for Microsoft CryptoAPI.

1. Encryption Architecture

Microsoft CryptoAPI is the security and cryptography application framework and service set proposed by Microsoft Corporation, and every Windows operating system supports it. Like other security application frameworks, Microsoft CryptoAPI follows a series of PKI standards and specifications, so application developers can easily and quickly build standard, general-purpose and extensible cryptographic applications. The CryptoAPI functions are the standard cryptographic interface through which application developers use encryption, verification and other security services in the Win32 environment.

The architecture of Microsoft CryptoAPI is shown in Figure 1. Applications sit on top of CryptoAPI and CSPs sit underneath it; the CSP is the module that actually implements the cryptographic functions. A typical CSP is the Microsoft RSA Base Provider. To become a valid Microsoft CSP, a cryptographic service provider must obtain a signature file authorized by Microsoft; CryptoAPI checks this signature before it will recognize and load the CSP, and Microsoft supplies its CryptoAPI specifications to vendors of valid CSPs. The CSP's installer (step 2 below) places each CSP file in the proper directory and registers the CSP in the registry by CSP type and name. CryptoAPI uses the system registry as its CSP database, in which every CSP installed on the computer is recorded (on Windows these entries live under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider and the neighbouring Provider Types key).

2. CryptoAPI calls the underlying CSP service

Microsoft CryptoAPI secures communication in two respects: confidentiality and authentication. The CSP is the module that actually performs the cryptographic operations. Physically a CSP consists of two parts, a dynamic link library and a signature file; if the algorithms are implemented in hardware, the CSP also includes the hardware device.

When a CryptoAPI function needs the underlying CSP, the application first calls CryptAcquireContext with the CSP name and CSP type as parameters. The function returns a CSP handle (HCRYPTPROV) referring to the selected CSP. Each CSP has a key store, and the key store contains one or more key containers; each key container holds all the key pairs belonging to a specific user and is assigned a unique name. The container name is also a parameter of CryptAcquireContext, so the handle it returns identifies the key container as well. The CSP persists key containers, saving the public/private key pairs in each container (session keys are not persisted).

When a key must be exchanged, or must leave the CSP (that is, be exported), a data structure for carrying the key has to be chosen. Microsoft CryptoAPI uses the key BLOB structure for this. Inside the CSP a key is always stored securely, and an application can refer to it only through a handle; the key BLOB is the one exception. A key BLOB is created when CryptExportKey exports a key from the CSP, and CryptImportKey then imports it into another CSP (a different CSP, or the same CSP on another machine). The key BLOB is therefore the carrier for moving a key between CSPs; whether that transfer is secure depends on how the body of the BLOB is protected, which is covered next. A key BLOB has a standard header (BLOBHEADER) followed by a data segment that represents the key itself. The application does not interpret the inside of a key BLOB; it treats the BLOB as an opaque object.

Because the private half of a public/private key pair must remain absolutely confidential, a private key BLOB must be encrypted with a symmetric algorithm. When a PRIVATEKEYBLOB is encrypted, everything except the BLOBHEADER is encrypted. However, the algorithm and key (or key parameters) used for this encryption are not stored with the key BLOB; the application is responsible for managing that information and for conveying it to the side that imports the BLOB.
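The paragraphs above describe the key BLOB only in outline. The following is an added example, not code from the article: a portable C encoder and strict decoder for the RSA PUBLICKEYBLOB and PRIVATEKEYBLOB layouts that CryptExportKey produces and CryptImportKey consumes (BLOBHEADER, then RSAPUBKEY, then the key integers, every field little-endian). The constant values are the documented CryptoAPI ones; MAX_RSA_BITS, the function names and the 16-bit toy key are this example's own. It makes visible which bytes form the header that stays in the clear when a private key BLOB is encrypted, and why an importer should validate the header and total length before copying any field.

```c
/* Added example, not code from the article: codec for the RSA PUBLICKEYBLOB /
 * PRIVATEKEYBLOB that CryptExportKey emits and CryptImportKey consumes.
 *   0  BLOBHEADER  bType(1) bVersion(1) reserved(2) aiKeyAlg(4)
 *   8  RSAPUBKEY   magic(4) bitlen(4) pubexp(4)
 *  20  modulus[bitlen/8]; a private blob continues with prime1, prime2,
 *      exponent1, exponent2, coefficient (bitlen/16 each), privateExponent (bitlen/8)
 * Every field is little-endian. When a PRIVATEKEYBLOB is encrypted only bytes
 * 0..7 stay in the clear. Constants are the documented CryptoAPI values;
 * MAX_RSA_BITS, the function names and the toy key are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PUBLICKEYBLOB    0x06
#define PRIVATEKEYBLOB   0x07
#define CUR_BLOB_VERSION 0x02
#define CALG_RSA_KEYX    0x0000a400u
#define CALG_RSA_SIGN    0x00002400u
#define RSA1_MAGIC       0x31415352u   /* "RSA1": public key  */
#define RSA2_MAGIC       0x32415352u   /* "RSA2": private key */
#define MAX_RSA_BITS     4096

enum { PRIME1, PRIME2, EXPONENT1, EXPONENT2, COEFFICIENT };   /* indices into crt[] */
typedef struct {
    int      is_private;
    uint32_t aiKeyAlg, bitlen, pubexp;
    uint8_t  modulus[MAX_RSA_BITS / 8];           /* n, bitlen/8 bytes                       */
    uint8_t  crt[5][MAX_RSA_BITS / 16];           /* p, q, d mod p-1, d mod q-1, q^-1 mod p  */
    uint8_t  privateExponent[MAX_RSA_BITS / 8];   /* d, bitlen/8 bytes                       */
} rsa_blob_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Exact size of a blob of this kind, or 0 if bitlen is not usable. */
size_t rsa_blob_size(uint32_t bitlen, int is_private) {
    if (bitlen == 0 || bitlen % 16 != 0 || bitlen > MAX_RSA_BITS) return 0;
    return 20 + bitlen / 8 + (is_private ? 5 * (bitlen / 16) + bitlen / 8 : 0);
}

/* Strict decoder: header fields are validated and len must match exactly, so a
 * truncated or padded blob is rejected rather than partly trusted. Returns 0 on
 * success or a negative code naming the failed check. */
int rsa_blob_parse(const uint8_t *buf, size_t len, rsa_blob_t *out) {
    if (len < 20) return -1;
    memset(out, 0, sizeof *out);
    if (buf[1] != CUR_BLOB_VERSION || buf[2] != 0 || buf[3] != 0) return -2;
    out->aiKeyAlg = rd32(buf + 4);
    if (out->aiKeyAlg != CALG_RSA_KEYX && out->aiKeyAlg != CALG_RSA_SIGN) return -3;
    uint32_t magic = rd32(buf + 8);
    out->bitlen = rd32(buf + 12);
    out->pubexp = rd32(buf + 16);
    if (buf[0] == PUBLICKEYBLOB && magic == RSA1_MAGIC)       out->is_private = 0;
    else if (buf[0] == PRIVATEKEYBLOB && magic == RSA2_MAGIC) out->is_private = 1;
    else return -4;                                              /* bType and magic disagree */
    if (rsa_blob_size(out->bitlen, out->is_private) != len) return -5;  /* checked before any copy */
    size_t n = out->bitlen / 8, h = out->bitlen / 16;
    const uint8_t *p = buf + 20;
    memcpy(out->modulus, p, n); p += n;
    if (out->is_private) {
        for (int i = 0; i < 5; i++, p += h) memcpy(out->crt[i], p, h);
        memcpy(out->privateExponent, p, n);
    }
    return 0;
}

/* Encoder. want_private=0 on a key pair emits only the PUBLICKEYBLOB, as
 * CryptExportKey(..., PUBLICKEYBLOB, ...) does. Returns bytes written, 0 on error. */
size_t rsa_blob_serialize(const rsa_blob_t *k, int want_private, uint8_t *buf, size_t cap) {
    size_t need = rsa_blob_size(k->bitlen, want_private);
    if (need == 0 || cap < need || (want_private && !k->is_private)) return 0;
    size_t n = k->bitlen / 8, h = k->bitlen / 16;
    buf[0] = want_private ? PRIVATEKEYBLOB : PUBLICKEYBLOB;
    buf[1] = CUR_BLOB_VERSION; buf[2] = 0; buf[3] = 0;
    wr32(buf + 4, k->aiKeyAlg);
    wr32(buf + 8, want_private ? RSA2_MAGIC : RSA1_MAGIC);
    wr32(buf + 12, k->bitlen);
    wr32(buf + 16, k->pubexp);
    uint8_t *p = buf + 20;
    memcpy(p, k->modulus, n); p += n;
    if (want_private) {
        for (int i = 0; i < 5; i++, p += h) memcpy(p, k->crt[i], h);
        memcpy(p, k->privateExponent, n);
    }
    return need;
}

/* Little-endian field to integer, for fields of at most 8 bytes. */
uint64_t le_to_u64(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    while (n-- > 0) v = v << 8 | p[n];
    return v;
}

/* Constructed 16-bit toy key (p=61, q=53, e=17, d=2753): it shows the layout
 * only; a key this small is not secure. */
void toy_private_key(rsa_blob_t *k) {
    memset(k, 0, sizeof *k);
    k->is_private = 1; k->aiKeyAlg = CALG_RSA_SIGN; k->bitlen = 16; k->pubexp = 17;
    k->modulus[0] = 0xa1; k->modulus[1] = 0x0c;                  /* 3233 */
    k->crt[PRIME1][0] = 61; k->crt[PRIME2][0] = 53;
    k->crt[EXPONENT1][0] = 53; k->crt[EXPONENT2][0] = 49; k->crt[COEFFICIENT][0] = 38;
    k->privateExponent[0] = 0xc1; k->privateExponent[1] = 0x0a;  /* 2753 */
}
```

The decoder checks the version, the reserved word, the algorithm identifier and the bType/magic pair before it trusts bitlen, and it derives the expected total length from bitlen and compares it with the buffer length before any copy, so a hostile blob cannot make it read past its input. Serializing the toy key with want_private=0 gives the 22-byte PUBLICKEYBLOB that an application would hand to a peer; with want_private=1 it gives the 29-byte PRIVATEKEYBLOB, whose bytes from offset 8 onward are what the symmetric encryption described above must cover.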

 

3 CSP Program Development

Developing a CSP starts with choosing the encryption algorithms and data formats the CSP will support. Once these are fixed, and the functions the CSP must implement and their call sequences are understood, designing the concrete program is much easier.

1) Basic process for CSP development.

After the encryption algorithms and data formats to be supported have been chosen, a CSP is created as follows:

1. Create the CSP DLL and export the CryptoSPI function interface (the CP* functions).

2. Develop the CSP installer, which copies the DLL into place and creates the appropriate registry keys.

3. Test the functions implemented by the CSP DLL.

4. Test the CSP through CryptoAPI.

5. Have Microsoft formally sign the CSP so that it can be used on the Microsoft Windows operating systems.

6. Repeat step 4 with the CSP that now carries Microsoft's formal signature.

The first step is described in detail below. Once it is done, steps 2 to 6 are comparatively easy and are not detailed here.

2) Functions implemented by the CSP and their roles.

In the CSP DLL, the CSP should implement the following 24 functions. (The list follows the article. Note that CryptSetProvider, which sets a user's default CSP, is an application-side CryptoAPI call rather than a CSP export, and that the CryptoAPI 2.0 SPI additionally defines CPDuplicateHash and CPDuplicateKey.)

Initialization functions: the CSP initialization functions are CPAcquireContext and CPReleaseContext. CPAcquireContext has two roles: to select the CSP according to the parameters supplied, and to open, create or delete a key container according to the flags. CPReleaseContext releases the provider handle. Both return a non-zero value on success.

Hash functions: the CSP hash functions are CPCreateHash, CPHashData, CPGetHashParam, CPDestroyHash, CPHashSessionKey and CPGenRandom, six in all. The first four are normally used together to produce the hash of given data: CPCreateHash creates a hash object in the CSP and returns its handle; CPHashData feeds data into that object; CPGetHashParam then retrieves the resulting hash value; finally CPDestroyHash destroys the hash object. The parameters of CPCreateHash depend on the specific hash algorithm. Reading the hash value through CPGetHashParam finalizes the object, so no further data can be hashed into it and the same data cannot be processed twice. CPHashSessionKey hashes a session key object, and CPGenRandom fills a buffer with random bytes; it is mainly used to produce key material and other random values.

Key generation functions: the key generation functions are CPDeriveKey, CPGenKey, CPDestroyKey and so on. CPDeriveKey derives a key from a hash of base data such as a password; CPGenKey generates a key from random data. When the CRYPT_EXPORTABLE flag is given, the key may later be exported so that it can be used on another computer or in another session. CPDestroyKey releases the key handle.

Encryption/decryption functions: these are CPEncrypt, CPDecrypt, CPSignHash, CPVerifySignature and so on. CPEncrypt encrypts and CPDecrypt decrypts; both are used constantly. Their parameters are the key handle, an optional hash object handle (to hash the data while it is being processed), a Boolean saying whether this is the last block, a pointer to the data buffer to be encrypted or decrypted, the number of bytes to process, and the size of the buffer. Note that with some algorithms the ciphertext is the same length as the plaintext, while others (block ciphers with padding) make the final ciphertext block longer, so the buffer must be sized for the larger output. CPSignHash signs data: in essence the data is hashed and the hash value is encrypted with the signing private key (with the padding the algorithm requires, PKCS #1 for RSA). CPVerifySignature verifies a signature: the original data is hashed to obtain result 1, the signature is decrypted with the signing public key to obtain result 2, and the two are compared. If they match, verification succeeds; otherwise it fails.

Key operation functions: the key import/export functions are CPExportKey and CPImportKey. CPExportKey exports a key, producing a copy in key BLOB form, and CPImportKey imports such a copy. The key parameter functions are CPGetKeyParam, CPGetUserKey and CPSetKeyParam: CPGetKeyParam reads the attributes of a key (algorithm identifier, block length, cipher mode, IV and so on), CPGetUserKey returns a handle to one of the container's persistent key pairs (the key exchange pair or the signature pair), and CPSetKeyParam customizes key attributes.

Other functions: CPGetProvParam, CPSetHashParam, CPSetProvider, CPSetProvParam and so on. CPGetProvParam returns parameters of the CSP, CPSetHashParam customizes a hash object, CPSetProvider specifies the default CSP for the current user, and CPSetProvParam customizes various CSP settings.

3) Other considerations for CSP development.

During CSP development the flow of every function must be completely clear. The operations a CSP provides include hashing, encryption/decryption, signing and signature verification, key export/import, and reading and setting object attributes. Internally, CPAcquireContext is normally used to obtain the handle for a key container, and every later call uses that handle to perform its cryptographic operation through the CSP; all CSP initialization work should therefore be completed in CPAcquireContext. The most important design decision in a CSP is its data structures, since only well-designed data structures keep its operation orderly. They fall into two groups, the stored (persistent) data structure and the in-memory data structure. The structures used in our development are described below for reference.

1. Storage Data Structure

The data a CSP stores persistently has two parts. One part is the CSP's registration information, used by the operating system to locate the CSP. The other part is the CSP's own information, that is, the contents of the key containers the CSP uses. After the CSP is installed, the OS holds both the location information and the key container information. Within a key container, the different cryptographic functions of the cryptographic DLL should be distinguished. A key container can hold various user key information, such as the signature public key value, the signature private key value and whether the signature key pair may be exported, and likewise the key exchange public key value, the key exchange private key value and whether the key exchange key pair may be exported.

2. Memory Data Structure

The in-memory data structure mainly describes how key values are represented. Whatever the key type, in memory it is a structured block of data that can be handled as a one-dimensional byte array, and the functions of the underlying cryptographic-algorithm DLL should operate on this array. Obviously, the byte array holding a persistent key value must be saved to the registry along with its container, and private key material must be encrypted before it is written, for the same reason a PRIVATEKEYBLOB is encrypted.
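The descriptions of CPGenKey, CPDestroyKey and CPExportKey in 2) above, and of the in-memory key representation here, leave out the one structure a CSP cannot do without: the table that turns the handles it hands to applications back into key objects. The following is an added example, not code from the article: a portable C key-object table with generation-tagged handles, wiping of key material on CPDestroyKey, and the CRYPT_EXPORTABLE check that CPExportKey must apply. The function names, table sizes and handle encoding are this example's own; CRYPT_EXPORTABLE and CALG_AES_128 carry their documented CryptoAPI values, and key material is passed in by the caller instead of coming from CPGenRandom so that the example runs anywhere.

```c
/* Added example, not code from the article: the in-memory key-object table a
 * CSP keeps behind CPGenKey / CPDestroyKey / CPExportKey / CPReleaseContext.
 * A handle given to the application is a slot number tagged with a generation
 * counter, never a raw pointer, so a forged, stale or already-destroyed handle
 * is rejected and key bytes are wiped before a slot is reused. Names, table
 * sizes and the handle encoding are this example's own; the flag and ALG_ID
 * values are the documented CryptoAPI ones. Key material is supplied by the
 * caller so the example runs without a Windows RNG. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_KEYS         16
#define MAX_KEY_LEN      64
#define CRYPT_EXPORTABLE 0x00000001u
#define CALG_AES_128     0x0000660eu

typedef uintptr_t HCRYPTKEY;        /* CryptoAPI passes handles as ULONG_PTR; 0 is invalid */

typedef struct {
    int      in_use;
    uint32_t generation;            /* incremented every time the slot is destroyed */
    uint32_t algid, flags;
    size_t   len;
    uint8_t  material[MAX_KEY_LEN];
} key_object_t;

typedef struct { key_object_t keys[MAX_KEYS]; } csp_context_t;   /* per-CPAcquireContext state */

static HCRYPTKEY make_handle(uint32_t slot, uint32_t gen) {
    return ((HCRYPTKEY)gen << 8) | (slot + 1);   /* low byte = slot+1, the rest = generation */
}

/* Resolve a handle; NULL if it was forged, never issued, or already destroyed. */
key_object_t *csp_lookup_key(csp_context_t *ctx, HCRYPTKEY h) {
    uint32_t slot = (uint32_t)(h & 0xff);
    if (slot == 0 || slot > MAX_KEYS) return NULL;
    key_object_t *k = &ctx->keys[slot - 1];
    return (k->in_use && k->generation == (uint32_t)(h >> 8)) ? k : NULL;
}

/* Erase through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n-- > 0) *v++ = 0;
}

/* CPGenKey: store fresh key material and hand back an opaque handle (0 = failure). */
HCRYPTKEY csp_gen_key(csp_context_t *ctx, uint32_t algid, uint32_t flags,
                      const uint8_t *material, size_t len) {
    if (len == 0 || len > MAX_KEY_LEN) return 0;
    for (uint32_t i = 0; i < MAX_KEYS; i++) {
        key_object_t *k = &ctx->keys[i];
        if (k->in_use) continue;
        k->in_use = 1; k->algid = algid; k->flags = flags; k->len = len;
        memcpy(k->material, material, len);
        return make_handle(i, k->generation);
    }
    return 0;                                   /* table full */
}

/* CPDestroyKey: wipe the material and invalidate every copy of the handle. */
int csp_destroy_key(csp_context_t *ctx, HCRYPTKEY h) {
    key_object_t *k = csp_lookup_key(ctx, h);
    if (k == NULL) return 0;                    /* NTE_BAD_KEY in a real CSP */
    wipe(k->material, sizeof k->material);
    k->len = 0; k->in_use = 0; k->generation++;
    return 1;
}

/* CPExportKey policy for a plaintext export: refused unless the key was created
 * with CRYPT_EXPORTABLE; copies nothing if the caller's buffer is too small. */
size_t csp_export_plaintext(csp_context_t *ctx, HCRYPTKEY h, uint8_t *out, size_t cap) {
    key_object_t *k = csp_lookup_key(ctx, h);
    if (k == NULL || !(k->flags & CRYPT_EXPORTABLE) || cap < k->len) return 0;
    memcpy(out, k->material, k->len);
    return k->len;
}

/* CPReleaseContext: after this no handle issued by this context resolves. */
void csp_release_context(csp_context_t *ctx) {
    for (uint32_t i = 0; i < MAX_KEYS; i++)
        if (ctx->keys[i].in_use)
            csp_destroy_key(ctx, make_handle(i, ctx->keys[i].generation));
}

int main(void) {
    csp_context_t ctx;
    uint8_t km[16] = {0x10, 0x11, 0x12};        /* constructed stand-in for RNG output */
    memset(&ctx, 0, sizeof ctx);
    HCRYPTKEY h = csp_gen_key(&ctx, CALG_AES_128, CRYPT_EXPORTABLE, km, sizeof km);
    printf("handle %#lx resolves: %s\n", (unsigned long)h, csp_lookup_key(&ctx, h) ? "yes" : "no");
    csp_destroy_key(&ctx, h);
    printf("after destroy, same handle resolves: %s\n", csp_lookup_key(&ctx, h) ? "yes" : "no");
    return 0;
}
```

The generation counter is what makes the table safe across the trust boundary: an application that keeps using a handle after CPDestroyKey, or that guesses handle values, gets NULL from the lookup rather than someone else's key that has since been placed in the same slot, and the wipe ensures the slot never leaks old material even if the CSP's memory is later dumped.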

4 Conclusion

Following the method above, you can develop your own CSP, embed it in the Microsoft operating system, and call it through the Microsoft CryptoAPI functions to perform encryption, decryption, signing, signature verification and other operations, thereby truly localizing the CSP cryptographic module and laying a foundation for secure data transmission over the network.
