Functional classification of the Windows Cryptographic API

Source: Internet
Author: User
Tags: asymmetric encryption

Local Data Encryption Protection
The local data encryption protection mechanism (DPAPI) provides a simple call interface; key management and related tasks are handled by the system. DPAPI uses keys derived by the operating system to encrypt data and to decrypt it again, within the scope of either a user logon session or the local machine. Using DPAPI relieves the application of the problem of generating and storing an encryption key: it does not need to care where the key comes from or how it is managed.
This protection has the same effect as EFS: a process that holds the matching security token can access the data. After a user logs on, every process started in that user's desktop session may be able to decrypt the data; processes can be told apart by supplying a protection word (additional entropy). This is not strong protection against malicious code that has already infiltrated the local machine: the malicious code can scan files for the stored protection word, or intercept a password-derived protection word with a keyboard hook. Machine-wide data protection is even more exposed, since it can be opened by any program able to run on that machine. Outside the DPAPI boundary, however, DPAPI can be regarded as a strong protection mechanism: Windows uses a well-designed key management mechanism to protect the encrypted data.
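Added example (not from the original article) of the two DPAPI scopes just described, using the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData; the secret, the entropy value and the container names are constructed sample data.

```powershell
# .NET wrapper over CryptProtectData / CryptUnprotectData (Windows PowerShell 5.1 needs the assembly).
Add-Type -AssemblyName System.Security
$utf8    = [System.Text.Encoding]::UTF8
$secret  = $utf8.GetBytes('db-password-sample')    # constructed sample secret
$entropy = $utf8.GetBytes('app-private-value')     # the application's "protection word"
$PD      = [System.Security.Cryptography.ProtectedData]
$Scope   = [System.Security.Cryptography.DataProtectionScope]

# User scope: the blob is bound to this user's DPAPI master key; the app never handles a key.
$userBlob = $PD::Protect($secret, $entropy, $Scope::CurrentUser)

# Machine scope: bound to the machine master key, so any process that can run here can unprotect it.
$machineBlob = $PD::Protect($secret, $null, $Scope::LocalMachine)

# Same user session, correct entropy: the round trip succeeds.
$plain = $PD::Unprotect($userBlob, $entropy, $Scope::CurrentUser)
"User-scope round trip: " + $utf8.GetString($plain)

# Same user session, entropy withheld: CryptUnprotectData fails. The entropy is the only thing
# separating this application's blobs from other processes in the same logon session, so it
# must itself be stored where local malware cannot simply read it.
try {
    $null = $PD::Unprotect($userBlob, $null, $Scope::CurrentUser)
    "Unexpected: unprotected without entropy"
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect without entropy failed as expected: " + $_.Exception.Message
}

# Machine scope needs no user context: the same call made under any other local account
# (a service, a scheduled task) decrypts too, which is the exposure the text warns about.
"Machine-scope round trip: " + $utf8.GetString($PD::Unprotect($machineBlob, $null, $Scope::LocalMachine))
```

The blobs can be written to disk and read back later; DPAPI binds them to the user profile or machine, so copying a user-scope blob to another machine makes it undecryptable without that user's master key.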

Basic Cryptographic Algorithm Service
The CSPs built into the system and third-party CSPs generally provide implementations of the basic cryptographic algorithms: symmetric encryption, asymmetric encryption, hashing, and so on. Based on the constraints of its own cryptographic security design, an application completes application-level encryption by calling, through the CryptoAPI functions, the cryptographic capabilities provided by the appropriate CSP.
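Added example (not part of the original article) of selecting one specific CSP and using it through the .NET CryptoAPI wrappers: it lists the registered providers, creates a non-exportable RSA key in the built-in PROV_RSA_AES provider, and signs and verifies constructed data. The key container name and the message are assumptions.

```powershell
# CSPs are registered under this key; CryptoAPI resolves provider names and types from it
# (certutil -csplist prints the same list).
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider' |
    Select-Object -ExpandProperty PSChildName

# Name the provider explicitly (type 24 = PROV_RSA_AES) instead of accepting the default CSP.
$params = New-Object System.Security.Cryptography.CspParameters(24, 'Microsoft Enhanced RSA and AES Cryptographic Provider')
$params.KeyContainerName = 'ExampleSigningKey'   # constructed container name, created in the user key store
$params.Flags = [System.Security.Cryptography.CspProviderFlags]::UseNonExportableKey  # private key stays inside the CSP

$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $params)
"Provider: " + $rsa.CspKeyContainerInfo.ProviderName + ", exportable: " + $rsa.CspKeyContainerInfo.Exportable

$data = [System.Text.Encoding]::UTF8.GetBytes('constructed message')
$sig  = $rsa.SignData($data, 'SHA256')            # hashing and signing happen inside the CSP
$ok   = $rsa.VerifyData($data, 'SHA256', $sig)

# Flip one bit of the input: the signature must no longer verify.
$tampered = [byte[]]$data.Clone()
$tampered[0] = $tampered[0] -bxor 1
$bad = $rsa.VerifyData($tampered, 'SHA256', $sig)
"Signature valid: $ok, tampered input valid: $bad"

# Delete the sample container so the key does not linger in the user's profile.
$rsa.PersistKeyInCsp = $false
$rsa.Clear()
```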

Encrypted communication Service
SSL (HTTPS) is a network security communication protocol built on cryptographic technology. The protocol specifies the requirements for using the various cryptographic algorithms, the negotiation of a session key, the authentication method for server and client, and so on. The SChannel CSP is a CSP customized for the cryptographic processing methods and procedures used in SSL. Based on the SChannel CSP, an application is able to establish and maintain the SSL connections required for secure network communication.

Operating and managing digital certificates
Digital certificates accumulate on a computer as it is used, and CryptoAPI provides utility functions for accessing, querying, validating, and deleting them. CryptoAPI also provides the methods needed to attach a certificate to a message. The certificate management functions fall into two categories: functions that manage the certificate store containers, and functions that manage the certificate itself and specific objects such as certificate revocation lists and certificate trust lists. Through these functions, Windows itself and user programs can manipulate and manage the digital certificates used on the system.
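Added example (not from the original article) of the store and certificate operations described above: it enumerates the current user's personal store through the Cert: drive, builds and checks each certificate's chain with revocation checking, and lists the machine's explicit distrust store.

```powershell
# The Cert: drive exposes the CryptoAPI system stores (My, Root, CA, Disallowed, ...).
$ns = 'System.Security.Cryptography.X509Certificates'
$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $chain = New-Object "$ns.X509Chain"
    # Check revocation for every certificate in the chain, not only the leaf; an unreachable
    # CRL then shows up as a status flag instead of being silently ignored.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($cert)   # CertGetCertificateChain under the hood
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainOk    = $built
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
}
$report | Format-Table -AutoSize

# The Disallowed store is the machine's explicit distrust list: a certificate found here
# must never validate, whatever its chain looks like. Review it when auditing a host.
Get-ChildItem Cert:\LocalMachine\Disallowed | Select-Object Subject, Thumbprint, NotAfter
```

Removing a certificate is `Remove-Item` on its Cert: path, which maps to the CryptoAPI delete functions the text mentions.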

CryptoSPI Specification for CSPs
Cryptographic hardware and software modules implemented according to the CryptoSPI interface specification can be integrated into Windows in the form of CSPs; application programming usually does not need to be concerned with this layer. A third party that develops a new algorithm module, smart card, USB key, SSL encryption accelerator or other cryptographic component and wants it integrated into Windows, so that the product can serve Windows itself and the applications that call the system cryptographic API, must follow the relevant specifications: implement the CryptoSPI interface, submit the DLL to Microsoft for signing, and register the cryptographic component on the target computer at deployment time.
