Windows Cryptographic Services Architecture

Source: Internet
Author: User

Cryptography is a foundational component of the Windows security architecture. The CPU's protected mode is its hardware cornerstone: using the processor's privilege rings, Windows runs its own critical system code in kernel mode at the highest privilege level and runs applications in user mode at a lower privilege level, which is what makes the system's basic security controls (access control over memory, files and other system resources) enforceable. Combining cryptography with these system security controls lets user data keep its confidentiality, integrity and other security properties even in partly untrusted storage and transmission environments, such as a stolen computer or a network where traffic is being sniffed.

Windows organizes its cryptographic algorithms through the Cryptographic Service Provider (CSP) mechanism, for which Windows defines both the provider model and the APIs. The cryptographic API originally exposed to applications was called CryptoAPI; beginning with Windows Vista, Microsoft introduced its successor, Cryptography API: Next Generation (CNG). Through these API functions an application can enumerate the CSPs present on the system, select the CSP that meets its needs, and perform cryptographic operations using the algorithms that CSP implements. Each CSP contains a vendor's implementation of a set of cryptographic algorithms and key-protection mechanisms, and different CSPs may contain different implementations of the same algorithm. Some CSPs are backed by hardware, with the algorithm logic and key protection implemented on a separate device; the CSP then acts as an adaptation layer that shields application software from the technical details of that cryptographic hardware. Microsoft ships several CSPs with Windows, so a baseline set of algorithms is available on every Windows computer. Under the CSP framework, applications perform cryptographic operations through the uniform API defined by Windows and therefore adapt easily to different algorithm implementations: what may be a very different way of implementing the cryptography underneath appears to the application as nothing more than a different CSP name. The choice of CSP can thus be exposed as a configurable option, controlled centrally by the application system or selected by the end user.

CryptoAPI architecture

CNG architecture

CryptoAPI and CNG are not merely two sets of APIs; they also define the operating system's cryptographic architecture. Take CryptoAPI as an example: any vendor can implement cryptographic algorithms in its own way and, by following the CSP specification and implementing the CryptoSPI interface, register that implementation with Windows. Applications then use the CryptoAPI functions defined by the operating system to invoke any registered algorithm implementation.

Microsoft provides several CSPs with Windows; the algorithms they implement can be used directly by any Windows program without relying on third-party cryptographic software.
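The enumerate-then-select flow described above, as an added PowerShell example that is not from the original page: it lists the registered CSPs through CryptoAPI's CryptEnumProviders and then drives one Microsoft-provided CSP by name through .NET's CspParameters. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function name Get-RegisteredCsp and the sample message are mine.

```powershell
# Added example: enumerate CryptoAPI CSPs, then use one of them by name.
$signature = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CryptEnumProvidersW(
    uint dwIndex, IntPtr pdwReserved, uint dwFlags,
    out uint pdwProvType, System.Text.StringBuilder szProvName, ref uint pcbProvName);
'@
$Adv = Add-Type -MemberDefinition $signature -Name 'CryptEnum' -Namespace 'Win32' -PassThru

function Get-RegisteredCsp {
    # Hypothetical helper: walk the CSP list until ERROR_NO_MORE_ITEMS (259).
    $index = 0
    while ($true) {
        $provType = 0; $cb = 0
        # First call with a null buffer only asks for the required size in bytes.
        if (-not $Adv::CryptEnumProvidersW($index, [IntPtr]::Zero, 0, [ref]$provType, $null, [ref]$cb)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($err -eq 259) { break }
            throw "CryptEnumProviders failed with Win32 error $err"
        }
        $name = New-Object System.Text.StringBuilder ([int]$cb)
        if (-not $Adv::CryptEnumProvidersW($index, [IntPtr]::Zero, 0, [ref]$provType, $name, [ref]$cb)) {
            throw "CryptEnumProviders failed with Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [PSCustomObject]@{ Index = $index; ProviderType = $provType; Name = $name.ToString() }
        $index++
    }
}

Get-RegisteredCsp | Format-Table -AutoSize

# Select a CSP by name and type; the application code below does not change if
# another PROV_RSA_AES provider (e.g. a hardware-backed one) is configured instead.
$params = New-Object System.Security.Cryptography.CspParameters
$params.ProviderType = 24   # PROV_RSA_AES
$params.ProviderName = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $params)
$rsa.PersistKeyInCsp = $false   # ephemeral key: do not leave a key container behind
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')   # constructed input
$sig = $rsa.SignData($data, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$ok = $rsa.VerifyData($data, $sig, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                      [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Signed {0} bytes with '{1}'; signature verifies: {2}" -f $sig.Length, $params.ProviderName, $ok
$rsa.Dispose()
```

CryptoAPI and its CSPs are the legacy layer; Microsoft recommends CNG (the BCrypt/NCrypt functions and key storage providers) for new code, and CNG providers do not appear in the CryptEnumProviders list above.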
