- Cryptographic service providers windows
- Certificates
- Integration
- Portability
- Features
- Implementation of CryptoPro CSP
- Implementation at the Crypto API 2.0 Level
- Implementation at the CSP Level
- Using Com Interfaces
- Certificate Enrollment Control
- CAPICOM 2.0
- Certificate Services
- Using TLS Protocol in Application Software
- Sample Applications of Cryptographic Security Tools
- CryptoAPI Cryptographic Service Providers
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
- Microsoft Base DSS Cryptographic Provider
- Microsoft Base Smart Card Crypto Provider
- Microsoft DH Schannel Cryptographic Provider
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
- Microsoft Enhanced RSA and AES Cryptographic Provider
- Microsoft RSA Schannel Cryptographic Provider
Cryptographic service providers windows
CryptoPro CSP is a cryptographic software package which implements the Russian cryptographic algorithms developed in accordance with the Microsoft — Cryptographic Service Provider (CSP) interface.
Certificates
Integration
The integration of the CryptoPro CSP with MS Windows operating system allows the use of standard products.
The accordance with the Microsoft CSP interface allows for easy integration into applications by different vendors, which support this interface.
Support for digitally signed XML documents using XMLdsig for Windows (MSXML5, MSXML6) allows for the use of Russian cryptographic algorithms in the Microsoft Office InfoPath — a component system of Microsoft Office.
Portability
For easy and portable integration of cryptographic functions on the Unix platforms, the program interface similar to the Microsoft CryptoAPI 2.0 specifications is provided. This interface allows for the use of the high-level functions to create cryptographic messages (encryption, digital signature), building and verifying the chain of certificates, generating keys and processing the messages and certificates.
Features
- CryptoPro TLS supports the TLS (SSL) protocol of on all platforms.
- CryptoPro CSP can be used with the Oracle E-Business Suite, Oracle Application Server, Java and Apache applications, via the products of the Crypto-Pro company partners.
- Supports windows domain authentication using smart cards (USB tokens) and X.509 certificates.
- The usage of CryptoPro CSP in email applications, as well as in MS Word and Excel products.
- CryptoPro CSP includes a kernel mode driver for all platforms, which allows for the use of cryptographic functions (encryption/decryption, signing , hashing) in kernel mode applications.
- The private keys can be stored in various type of mediums, such as HDD, smart cards etc.
Implementation of CryptoPro CSP
The hierarchical architecture of the Cryptographic Functions in the Windows Operating System allows for the use of the Russian cryptographic algorithms implemented in CryptoPro CSP at all possible levels.
Implementation at the Crypto API 2.0 Level
CryptoPro CSP can be used in application software (as can any other cryptoprovider supplied with the Windows operating system) using the Crypto API 2.0 interface, a detailed description of which is provided in the MSDN (Microsoft Developer Network) program documentation. In such cases the method for selecting the algorithm for the application software can be determined by the user’s/sender’s public-key-algorithm identifier which is contained in the X.509 certificate.
Implementation at the Crypto API 2.0 level provides the ability to use a wide range of functions which solve most problems related to the presentation (formats) of various cryptographic communications (signed, encrypted) by means of the presentation of public keys as digital certificates and by means of the storage and retrieval of certificates in various directories including LDAP.
The functions of CryptoPro CSP allow for the full implementation of presentation and exchange of data in compliance with international recommendations and the Public Key Infrastructure.
Implementation at the CSP Level
CryptoPro CSP can be used directly in an application program by loading the module using the Load Library function. With this in mind the package includes a Programmer’s Manual describing the various sets of functions and the test software. With this type of implementation only a limited set of low-level cryptographic functions corresponding to the Microsoft CSP interface are accessible to the software.
Using Com Interfaces
CryptoPro can be used with COM interfaces developed by Microsoft.
- CAPICOM 2.0
- Certificate Services
- Certificate Enrollment Control
Certificate Enrollment Control
The COM interface Certificate Enrollment Control (implemented in the file xenroll.dll) is designed for the use of a limited number of Crypto API 2.0 functions related to key generation, certificate requests and the processing of certificates received from the Certification Authority using the programming languages Visual Basic, C++, Java Script, VBScript and the development environment Delphi.
It is this interface that is used by the various Certification Authorities (Versign, Thawte, ect.) in the producing of user certificates on the Windows platform.
CAPICOM 2.0
CAPICOM (implemented in the file capicom.dll) offers the COM interface that uses the primary functions of CryptoAPI 2.0 . This component is an extension of the existing COM Certificate Enrollment Control interface (xenroll.dll) which is implemented by the client functions responsible for key generation, certificate requests and interchange with the certification authority.
With the release of this component the use of digital-signature generation and verification functions, functions responsible for the construction and verification of sequences of certificates and functions responsible for interaction with different directories (including the Active Directory) with Visual Basic, C++, JavaScript, VBScript and the development environment Delphi became possible. Using CAPICOM it is possible to implement the operation of the “thin” client within the browser Internet Explorer’s interface.
The component CAPICOM is freeware and is included as part of the Micrsoft Platform SDK Developer’s redistributable toolbox.
More detailed information on the CAPICOM interface is available on the server https://www.cryptopro.ru/products/csp/usage. The distributive for the interface and sample applications are available in the CD in the directory “\REDISTR\CAPICOM 2.0”
Certificate Services
Certificate Services include several COM interfaces which allow the user to alter the functionality of the Certification Authority built-in to the Windows Server operating system. Using these interfaces it is possible to:
- Process certificate requests from users.
- Alter the composition of X.509 addendums recorded in certificates issued by the authority.
- Determine additional means of publication (storage) of certificates issued by the authority.
Using TLS Protocol in Application Software
Aside from its use in the Internet Explorer interface, the TLS protocol can also be used by application software along with CryptoPro CSP for the authentication and protection of data transmitted according to its own private protocols based on TCP/IP and HTTPS.
For the implementation of the TLS protocol WebClient and WebServer sample implementations are included in the set of samples provided with the platform SDK.
Sample Applications of Cryptographic Security Tools
Test software, including sample invocations of the primary functions of Crypto API 2.0 is provided with CryptoPro CSP. These samples are found in the directory (“\SAMPLES\csptest”). A large number of sample applications of Crypto API 2.0, CAPICOM and Certificate Services functions are offered in the Microsoft Docs and in the Platform SDK developer’s toolbox.
A conference on issues surrounding the use of cryptographic functions and public-key certificates is held on the CryptoPro server (https://www.cryptopro.ru/forum2/).
CryptoPro CSP makes possible the use of reliable, certified cryptographic information-security tools as components of the wide range of tools and software of the Microsoft Corporation for the implementation of secure document flow and E-commerce based on the Public-Key infrastructure and in compliance with international recommendations X.509.
CryptoAPI Cryptographic Service Providers
Providers associated with Cryptography API (CryptoAPI) are called cryptographic service providers (CSPs) in this documentation. CSPs typically implement cryptographic algorithms and provide key storage. Providers associated with CNG, on the other hand, separate algorithm implementation from key storage. The following Microsoft CSPs are distributed with WindowsВ Vista and Windows ServerВ 2008.
Microsoft Base Cryptographic Provider v1.0
Implements the following algorithms to hash, sign, and encrypt content.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Hashed Message Authentication Checksum (HMAC) | Hashing | Any | 0/0/0 |
| Message Authentication Checksum (MAC) | Hashing | Any | 0/0/0 |
| Message Digest 2 (MD2) | Hashing | Any | 128/128/128 |
| Message Digest 4 (MD4) | Hashing | Any | 128/128/128 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 40/40/56 |
| RSA Data Security 4 (RC4) | Encryption | Block | 40/40/56 |
| RSA Key Exchange | Key exchange | RSA | 512/384/1024 |
| RSA Signature | Signing | RSA | 512/384/16384 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
| Secure Socket Layer 3 SHA and MD5 (SSL3 SHAMD5) | Hashing | Any | 288/288/288 |
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Implements the following algorithms to support hashing, signing, encryption, and Diffie-Hellman key exchange.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| CYLINK Message Encryption Algorithm | Encryption | Block | 40/40/40 |
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Diffie-Hellman Key Exchange Algorithm | Key exchange | Diffie-Hellman | 512/512/1024 |
| Diffie-Hellman Ephemeral Algorithm | Key exchange | Diffie-Hellman | 512/512/1024 |
| Digital Signature Algorithm (DSA) | Signing | DSS | 1024/512/1024 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 40/40/56 |
| RSA Data Security 4 (RC4) | Encryption | Stream | 40/40/56 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
Microsoft Base DSS Cryptographic Provider
Implements the following algorithms to sign and hash content:
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| Digital Signature Algorithm (DSA) | Signing | DSS | 1024/512/1024 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
Microsoft Base Smart Card Crypto Provider
Supports smart cards and implements the following algorithms to hash, sign, and encrypt content.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| Advanced Encryption Standard 128 (AES128) | Encryption | Block | 128/128/128 |
| Advanced Encryption Standard 192 (AES192) | Encryption | Block | 192/192/192 |
| Advanced Encryption Standard 256 (AES256) | Encryption | Block | 256/256/256 |
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Two Key Triple DES | Encryption | Block | 112/112/112 |
| Three Key Triple DES | Encryption | Block | 168/168/168 |
| Hashed Message Authentication Checksum (HMAC) | Hashing | Any | 0/0/0 |
| Message Authentication Checksum (MAC) | Hashing | Any | 0/0/0 |
| Message Digest 2 (MD2) | Hashing | Any | 128/128/128 |
| Message Digest 4 (MD4) | Hashing | Any | 128/128/128 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 128/40/128 |
| RSA Data Security 4 (RC4) | Encryption | Stream | 128/40/128 |
| RSA Key Exchange | Key exchange | RSA | 1024/1024/4096 |
| RSA Signature | Signing | RSA | 1024/1024/4096 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
| Secure Hash Algorithm 256 (SHA256) | Hashing | Any | 256/256/256 |
| Secure Hash Algorithm 384 (SHA384) | Hashing | Any | 384/384/384 |
| Secure Hash Algorithm 512 (SHA512) | Hashing | Any | 512/512/512 |
| Secure Socket Layer 3 SHA and MD5 (SSL3 SHAMD5) | Hashing | Any | 288/288/288 |
Microsoft DH Schannel Cryptographic Provider
Supports the Secure Channel (Schannel) security package which implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. This CSP also supports Diffie-Hellman key exchange and implements the following algorithms.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| CYLINK Message Encryption Algorithm | Encryption | Block | 40/40/40 |
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Two Key Triple DES | Encryption | Block | 112/112/112 |
| Three Key Triple DES | Encryption | Block | 168/168/168 |
| Diffie-Hellman Key Exchange Algorithm | Key exchange | Diffie-Hellman | 512/512/4096 |
| Diffie-Hellman Ephemeral Algorithm | Key exchange | Diffie-Hellman | 512/512/4096 |
| Digital Signature Algorithm (DSA) | Signing | DSS | 1024/512/1024 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 40/40/128 |
| RSA Data Security 4 (RC4) | Encryption | Stream | 40/40/128 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
| Schannel Encryption Key | Encryption | Schannel | 0/0/-1 |
| Schannel MAC Key | Encryption/Hashing | Schannel | 0/0/-1 |
| Schannel Master Hash | Encryption/Hashing | Schannel | 0/0/-1 |
| Secure Sockets Layer (SSL3) Master | Encryption | Schannel | 384/384/384 |
| Transport Layer Security (TLS1) Master | Encryption | Schannel | 384/384/384 |
Microsoft Enhanced Cryptographic Provider v1.0
Provides stronger security than the Microsoft Base Cryptographic Provider v1.0 by using longer keys with some of the existing algorithms and by implementing additional algorithms.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Two Key Triple DES | Encryption | Block | 112/112/112 |
| Encryption | Block | 168/168/168 | |
| Hashed Message Authentication Checksum (HMAC) | Hashing | Any | 0/0/0 |
| Message Authentication Checksum (MAC) | Hashing | Any | 0/0/0 |
| Message Digest 2 (MD2) | Hashing | Any | 128/128/128 |
| Message Digest 4 (MD4) | Hashing | Any | 128/128/128 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 128/40/128 |
| RSA Data Security 4 (RC4) | Encryption | Stream | 128/40/128 |
| RSA Key Exchange | Key exchange | RSA | 1024/384/16384 |
| RSA Signature | Signing | RSA | 1024/384/16384 |
| Secure Hash Algorithm (SHA1 | Hashing | Any | 160/160/160 |
| Secure Socket Layer 3 SHA and MD5 (SSL3 SHAMD5) | Hashing | Any | 288/288/288 |
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Provides stronger security than the Microsoft Base DSS and Diffie-Hellman Cryptographic Provider CSP by using longer keys with some of the existing algorithms and by implementing additional algorithms.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| CYLINK Message Encryption Algorithm | Encryption | Block | 40/40/40 |
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Two Key Triple DES | Encryption | Block | 112/112/112 |
| Three Key Triple DES | Encryption | Block | 168/168/168 |
| Diffie-Hellman Key Exchange Algorithm | Key exchange | Diffie-Hellman | 1024/512/4096 |
| Diffie-Hellman Ephemeral Algorithm | Key exchange | Diffie-Hellman | 1024/512/4096 |
| Digital Signature Algorithm (DSA) | Signing | DSS | 1024/512/1024 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 128/128/128 |
| RSA Data Security 4 (RC4) | Encryption | Stream | 128/128/128 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
Microsoft Enhanced RSA and AES Cryptographic Provider
Implements the following algorithms to sign, encrypt, and hash content.
| Name | Use | Type | Key size (Default/Min/Max) |
|---|---|---|---|
| Advanced Encryption Standard 128 (AES128) | Encryption | Block | 128/128/128 |
| Advanced Encryption Standard 192 (AES192) | Encryption | Block | 192/192/192 |
| Advanced Encryption Standard 256 (AES256) | Encryption | Block | 256/256/256 |
| Data Encryption Standard (DES) | Encryption | Block | 56/56/56 |
| Two Key Triple DES | Encryption | Block | 112/112/112 |
| Three Key Triple DES | Encryption | Block | 168/168/168 |
| Hashed Message Authentication Checksum (HMAC) | Hashing | Any | 0/0/0 |
| Message Authentication Checksum (MAC) | Hashing | Any | 0/0/0 |
| Message Digest 2 (MD2) | Hashing | Any | 128/128/128 |
| Message Digest 4 (MD4) | Hashing | Any | 128/128/128 |
| Message Digest 5 (MD5) | Hashing | Any | 128/128/128 |
| RSA Data Security 2 (RC2) | Encryption | Block | 128/128/128 |
| RSA Data Security 4 (RC4) | Encryption | Stream | 128/128/128 |
| RSA Key Exchange | Key exchange | RSA | 1024/384/16384 |
| RSA Signature | Signing | RSA | 1024/384/16384 |
| Secure Hash Algorithm (SHA1) | Hashing | Any | 160/160/160 |
| Secure Hash Algorithm (SHA256) | Hashing | Any | 256/256/256 |
| Secure Hash Algorithm (SHA384) | Hashing | Any | 384/384/384 |
| Secure Hash Algorithm (SHA512) | Hashing | Any | 512/512/512 |
| Secure Socket Layer 3 SHA and MD5 (SSL3 SHAMD5) | Hashing | Any | 288/288/288 |
Microsoft RSA Schannel Cryptographic Provider
Supports the RSA Secure Channel (Schannel) security package which implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols.
