Win32 CSP Cryptographic Service System and Its Application

 

0 Introduction
To meet the security requirements of network data, the Microsoft 32-bit platform provides a CSP system for providing encryption services.
Layered to shield users from the underlying encryption implementation details, and use the unified Application Programming Interface (JJN password API,
Encryption and Data signature services for applications. This article analyzes and discusses Microsoft's Win32
Password System and programming mechanism to better understand it...

1 CSP Service Architecture
From the perspective of system structure, the CSP service system is divided into three layers (see figure 1): ① the bottom layer is the encrypted service provision layer,
It is a specific CSP provided by various encryption service providers, and the specific encryption operations are completed by this layer.
Established at the application layer and operating system, the general SPI programming interface provided by the system interacts with the operating system layer; ② the middle layer, that is
Operating System (OS) layer, which refers to the 32-bit operating platform of the specific Win95, NT4.0 and later versions, in the CSP System
And provides unified API interfaces and SPI interfaces for the application layer and encryption service;
③ The application layer is the specific application that uses the encryption service. It can be a process or thread.
Through this system hierarchy, applications do not have to worry about the specific implementation details of the underlying CSP, and use a unified API interface
Programming, and the operating system interacts with the specific encryption service provider through a unified SPI interface.

 

 

CSP Architecture

1.1 encryption service provision Layer
1.1.1 encryption service provider CSPs'
The encryption service provider layer is a specific CSP. It is an independent module provided by the encryption service provider.
Data Encryption, including using different encryption and signature algorithms to Generate Keys, exchange keys, encrypt data, and generate
Generate a data digest for digital signature. Some CSPs use special hardware for encryption, while others use RPC
In theory, CSP is a completely independent function module, and each application at the application layer
The program can interact with any CSP. The specific implementation details or hardware operations at the underlying layer are undertaken by CSP.
Applications can directly use various encryption services without considering the complexity of the underlying CSP.
CSP is at least a dynamic link library (DLL) and a data signature file. The DLL provides specific encryption services
The word signature file is used to ensure that the operating system can identify the CSP. The operating system can use it to regularly verify the CSP to ensure that it has not been tampered.
1.1.2 CSP keystore and key container
Each encryption service provider has an independent keystore, which is a CSP internal database. This database package
The container contains one or more containers belonging to each independent user. Each container is identified by an independent identifier.
CSP Composition 2 is shown in.

Figure 2 CSP Composition
Generally, each user has two pairs of permanent public/private key pairs.
The signature public/private key pair is used to create a digital signature. In addition, each user
Many conversational keys are randomly generated, but their lifecycles are valid only during the dialog.

1.2 operating system layer
The operating system layer is the middle layer of the encryption service. Applications use the unified encryption application provided by the operating system layer.
The API of the programming interface interacts with the operating system, and the operating system converts the commands sent by the upper layer (Application Layer)
Use the unified encryption service program design interface SPI to interact with a specific underlying CSP module.
The interface is used to design its own CSP service provider to implement specific encryption functions or algorithms, which is not described here ).
The layer isolates the bottom-layer CSP and specific encryption implementation details for the application layer. You can interact with each CSP independently.
The system layer also provides certain management functions, including regular CSP verification.
1.3 Application Layer
The application layer is a process or thread of any user. It uses the encryption API provided by the operating system layer to encrypt applications.
Service, and the operating system layer interacts with the underlying CSP, so that the application can be independent of the underlying implementation details.
The layer provides the encryption service.

 

2 Win32 operating system encryption service programming mode
2.1 data encryption/decryption and dialog Key Exchange
In the programming mode of the Win32 operating system encryption service, the conversation key is generally the key required for the actual encryption operation.
It only exists in each session. The session key is generated using symmetric encryption algorithms. Both parties use the same password for encryption and decryption.
You can use a conversation key to convert plaintext to ciphertext by Using symmetric encryption algorithms.
The message is sent to the receiver on Intemet. After receiving the ciphertext, the receiver uses the same key as the encrypted one for data decoding.
Password. Because the receiver of the preceding operation uses the same conversation key as the sender, the application should output this conversation from the CSP.
Key. To prevent users from directly processing the conversation key data, the key is implemented in an opaque data structure.
2.2 Public Key Exchange
The sender must know the public key of the receiver and must exchange the public key for secure exchange of the conversation key.
The exchange of public keys is implemented by a certificate mechanism provided by a third-party organization (Certification Authority). In order to obtain a certificate
The certificate must be connected to and registered with the Certificate Authority. The Authority will verify its identity and create a certificate, which is unique
It is generally in line with the X.509 protocol. When users communicate with each other, certificates can be exchanged to exchange public keys.
2.3 Digital Signature
A digital signature is used to verify whether a batch of data is actually sent by the sender of the signature and whether the data is
Tampered. The digital signature is a small data structure, which can be sent together with the signed data. Create a digital signature first
Step 1: generate a data digest for the signed basic data, and then use the private key of the sender to act on the data digest,
Obtain the digital signature. The digital signature is sent to the receiver together with the basic data. Then, the receiver produces the signature in the same way.
Generate a Data Summary of the basic data and verify the digital signature together with the public key of the received digital signature sender.

3. CSP application programming mode
The CSP programming mode is described below, which basically shows
Operation details, which can be used as a filter to process data encryption during network transmission and generate digital signatures while receiving
The decryption and digital signature authentication are completed. In addition, the certificate creation program is for reference only, and the user plans to be his/her own certificate authority.
Refer to the relevant standard agreement.
3.1 CSP System Configuration
When using the CSP service system for programming, the user workstation must install a CSP, and the security of the service provider
File Installation will be registered in the corresponding system key of the system registry. Currently, the 32-bit CSP platform of Microsoft uses the Microsoft RSA
Base provider provides RSA, RC2, RC4, MD5, and Sha algorithms. Among them, RSA is a non-symmetric algorithm used to generate public
Common/private key, which supports both encryption and digital signature. RC2 is a Block Symmetric algorithm. It uses 64 bit as a block
To complete the block encoding, it uses the filling method to fill the data to be encoded, to form multiple complete
Block. RC4 is a stream symmetric algorithm that creates an encoding bit on each bit of the plaintext. It is faster than the block encoding algorithm,
But the security is poor. MD5 uses the 128-bit hash algorithm. Sha uses the 160-bit hash algorithm.
3.2 Initialization
The Registry is a 32-bit operating system used to organize system and application configuration information, which will record the User System
Software/hardware settings and special configuration information of the application.
3.3 certificate creation
The first step for users to perform digital encryption and signature operations is to first obtain a public password that contains the user from a third-party Certificate Authority.
Key and other information certificate. Before the encrypted conversation starts, the certificate is exchanged between the sender and the receiver to complete the public key delivery.
For certificate creation, the user shall call the encryption application programming interface API function cryptacquirecontext () from CSP
Obtain a dialog handle. In addition, when this function is called for the first time, you can create a key container for a specific user and then call
Cryptgenkey () establishes a public/private key pair. The public key in this key pair will be transferred by the function cryptexportkey ()
To the key password, this hidden code is written to the certificate file of the person in the corresponding format. Similarly, the public hidden code of the signature will also be written into the certificate.

File. Now, the certificate is created. to end an encrypted conversation, the application should call cryptreleasecontext ()
Disconnect from CSP.
3.4 certificate resolution
The sender obtains the public key of the receiver to exchange the conversation key during the encryption operation.
Certificate resolution. During the resolution process, you should refer to the certificate production scheme and certificate format of a third-party Certificate Authority.
Analysis, the application can obtain information such as the receiver's exchanged public key password, certificate signature public key code, and then
The key-secret code calls the API function crypthnportkey () to input to the CSP to obtain the exchange public key handle and signature.
Public Key handle.
3.5 Data Encryption
After the previous certificate resolution, the sender can obtain the exchange public key of the receiver. For _ encrypted conversations
Cryptgenkey () generates a random conversation key, which is used only for one conversation period.
For decryption, the sender must call the public key of the cryptexportkey () receiver for encryption.
The ciphertext is written to the encrypted file to be sent. After receiving the encrypted file, the receiver reads the hidden code,
Use the private key of the recipient to call cryptimportkey () to enter the hidden code and obtain the conversation key handle to complete the conversation key.
The dialog key can be used for subsequent decryption operations.
Sends basic data (ciphertext) to the receiver of the network.
3.6 data decryption
After the recipient receives the ciphertext, the application should read the ciphertext conversation key secret and then call cryptimportkey ()
Use the receiver to exchange the Private Key to the CSP to obtain the conversation handle pointing to the conversation key. This key handle can be used
Subsequent decryption operations. In addition, for digital signature authentication, the recipient should call cryptcreatehash () to create a hash
The receiver's data decryption operation is to use the conversation key to call cryptdecrypt ()
After this function conversion, the ciphertext is converted to plain text to complete the entire encrypted conversation. This function can also generate the number of encrypted basic data.
In order to perform digital signature authentication, the user also generates data in the same order as the sender.
Data Abstract. These operations are performed by the cryptsessionkey () and crypthashdata () functions.