Introduction to Microsoft CryptoAPI

Source: Internet
Author: User
Microsoft's CryptoAPI is a recommended encryption API for PKI. It gives application developers standard interfaces for encryption, authentication, and other security services in Win32 environments. CryptoAPI sits between the application and the CSP (Cryptographic Service Provider) (see figure 1).

The programming model of CryptoAPI is similar to that of the Windows Graphics Device Interface (GDI). The CSP is equivalent to the graphics device driver, the (optional) encryption hardware is equivalent to the graphics hardware, and the applications at the upper layer are in the same position in both models: they do not need to deal directly with device drivers or hardware.

CryptoAPI consists of five parts: simple message functions, low-level message functions, base cryptographic functions, certificate encode/decode functions, and certificate store functions. The first three can be used to encrypt or sign sensitive information to keep it confidential during network transmission. The last two provide authentication in network information exchange through the use of certificates.

A CSP is an independent module that implements encryption. It can be implemented in software or hardware, and it must comply with the CryptoAPI specification.

Each CSP has a name and a type. The name of each CSP is unique, so that CryptoAPI can find the corresponding CSP. There are currently nine CSP types, and the number is still growing. The following table lists the supported key exchange algorithms, signature algorithms, symmetric encryption algorithms, and hash algorithms.
(Table 1)

As shown in figure 1, each CSP has a keystore used to store keys. Each keystore contains one or more key containers. Each key container holds all key pairs belonging to a specific user and is assigned a unique name. The CSP stores each key container persistently, including the public/private key pairs in it, until the key container is destroyed (see figure 2).
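
The following PowerShell sketch is an added example, not part of the original page. It uses .NET's wrapper around CryptoAPI to show the CSP name/type pairing and the key container lifecycle described above: a container persists across handles until it is explicitly destroyed. It assumes a Windows host with the named provider installed; the container name is a constructed sample value.

```powershell
# Added example: CSP name/type and key container lifecycle via .NET's CryptoAPI wrapper.
# Run on Windows. The container name below is a constructed sample value.

# 1. Each installed CSP is registered under a unique name with a numeric type.
$provRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
Get-ChildItem $provRoot | ForEach-Object {
    [pscustomobject]@{
        Name = $_.PSChildName
        Type = $_.GetValue('Type')
    }
} | Sort-Object Type, Name | Format-Table -AutoSize

# 2. Open (or create) a named key container in one specific CSP.
$provType      = 1   # PROV_RSA_FULL
$provName      = 'Microsoft Enhanced Cryptographic Provider v1.0'
$containerName = 'capi-demo-container'   # constructed sample name

function Open-DemoContainer {
    $csp = New-Object -TypeName System.Security.Cryptography.CspParameters `
        -ArgumentList $provType, $provName, $containerName
    # A key pair is generated only if the container does not hold one yet.
    New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider `
        -ArgumentList 2048, $csp
}

$rsa  = Open-DemoContainer
$pub1 = [Convert]::ToBase64String($rsa.ExportCspBlob($false))   # public part only
$rsa.CspKeyContainerInfo |
    Select-Object ProviderName, ProviderType, KeyContainerName, UniqueKeyContainerName
$rsa.Dispose()   # releases the handle; the container stays in the keystore

# 3. Reopening by name yields the same key pair: the CSP persisted it.
$rsa  = Open-DemoContainer
$pub2 = [Convert]::ToBase64String($rsa.ExportCspBlob($false))
"Same key pair after reopen: $($pub1 -eq $pub2)"

# 4. Destroy the container so the private key does not linger in the keystore.
$rsa.PersistKeyInCsp = $false
$rsa.Clear()
```

Naming a container makes the key persistent by default, so test or temporary keys should always end with the cleanup in step 4.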

 

 

 
