The Cryptography API, or How To Keep A Secret (1)

zhaozj2021-02-17  56

The Cryptography API, or How To Keep A Secret

Translator's note: some of the contents have changed since this article was first published; the changes are marked as translator's notes.

Robert Coleridge, Microsoft Developer Network Technology Group

August 19, 1996

Summary

This article describes the Microsoft Cryptography Application Programming Interface (CryptoAPI) that ships with the new Windows NT 4.0 and that is about to be released for Windows 95. It covers what is needed to install and use the new API. To compile the sample, you need Microsoft Visual C++ 4.2 or later and Windows NT 4.0 or later.

Note: some of the encryption algorithms in the API are subject to US government export controls. (Translator's note: the US government has since lifted the export restrictions on strong encryption products.)

Download the sample: http://download.microsoft.com/download/win95/api-samp/1.0/win98mexp/en-us/5003.exe

Introduction

The Cryptography API has important applications in the enterprise computing model. Enterprise computing is becoming more global, spanning international trade, order management, and similar areas. In these areas, sensitive information such as electronic contracts and purchase orders is often transmitted over insecure channels. With the Cryptography API (CryptoAPI), you can protect that information.

This article uses the CryptoAPI sample to demonstrate how to encrypt and decrypt data, sign and verify files, and add and remove users.

Cryptography API Overview

Cryptographic Service Providers (CSPs)

[Editor's note: some of the content in this article is taken directly from the CryptoAPI section of the Platform SDK. Those paragraphs are indented (all other paragraphs are left-aligned) and do not use numbering, bullets, or "Note:", so they should be easy to identify.]

The functions in the Cryptography API let an application encrypt or digitally sign data in a flexible way while protecting the user's sensitive private-key data. All cryptographic operations are performed by separate modules called cryptographic service providers (CSPs). One CSP, named "Microsoft RSA Base Provider", is bundled with the operating system.

Each CSP provides a different implementation of the CryptoAPI layer. Some provide stronger cryptographic algorithms, while others include hardware components such as smart cards (plastic cards with an embedded chip that holds the user's security information). In addition, some CSPs may interact directly with the user, for example when data is signed with the user's private signature key.

Applications should not rely on properties of a particular CSP. For example, the Microsoft RSA Base Provider currently uses 40-bit session keys and 512-bit public keys (see "Symmetric Versus Public-Key Encryption" in the MSDN Library, Platform SDK, DDK documentation). When a program stores these keys, it must not assume how much memory is needed to hold them; otherwise the program is likely to fail when the user installs a different CSP on the system. Work hard to make your program as well-behaved and flexible as possible.

Each CSP has a key database in which it stores the persistent cryptographic keys it manages. Each key database contains one or more key containers, and each key container holds all the key pairs belonging to a specific user (or to a client program using the CryptoAPI). Each key container is given a unique name, which the program passes to the function CryptAcquireContext to obtain a handle to that container. Figure 1 illustrates the contents of a key container:

Figure 1. Contents of a key container

The CSP preserves all key containers between sessions, including all the public/private key pairs they hold. Session keys, however, are not preserved between sessions.

Although these keys can be found on the computer's disk, they are stored in an encrypted form.

Typically, a default key container is created for each user. This container is named after the user's login name and can afterwards be used by any program. Applications can also create their own key containers and key pairs, with names of the application's own choosing.
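The key-container lifecycle described above, as an added example that is not part of the original article or its sample: it drives CryptoAPI through the .NET RSACryptoServiceProvider wrapper from PowerShell, which is the quickest way to exercise containers on a current Windows machine. It assumes the later "Microsoft Enhanced RSA and AES Cryptographic Provider" (PROV_RSA_AES) rather than the 1996 base provider, and the container name "CryptoApiDemo" is made up for the demo.

```powershell
# Added example, not from the article: create, reopen and delete a named key container.
$provType  = 24                                                   # PROV_RSA_AES
$provName  = "Microsoft Enhanced RSA and AES Cryptographic Provider"
$container = "CryptoApiDemo"                                      # assumed demo name

# 1. Acquire a context on the named container; the CSP creates it if it does not exist
$p = New-Object System.Security.Cryptography.CspParameters($provType, $provName, $container)
$p.KeyNumber = 1                                                  # AT_KEYEXCHANGE
$rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $p)
$info = $rsa.CspKeyContainerInfo
"Container : {0}" -f $info.KeyContainerName
"Provider  : {0}" -f $info.ProviderName
"On-disk id: {0}" -f $info.UniqueKeyContainerName   # encrypted file under %APPDATA%\Microsoft\Crypto\RSA\<SID>\
"Exportable: {0}" -f $info.Exportable
$pub1 = $rsa.ToXmlString($false)                                  # public half only
$rsa.PersistKeyInCsp = $true                                      # keep the pair across sessions
$rsa.Clear()                                                      # release the handle (CryptReleaseContext)

# 2. Reopen it. UseExistingKey makes a missing container an error instead of silently
#    generating a fresh pair, which is the failure mode you want to notice.
$p.Flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
$again = New-Object System.Security.Cryptography.RSACryptoServiceProvider($p)
"Same key pair after reopen: {0}" -f ($again.ToXmlString($false) -eq $pub1)

# 3. Delete the container and its key pairs (CryptAcquireContext with CRYPT_DELETEKEYSET)
$again.PersistKeyInCsp = $false
$again.Clear()
try {
    $null = New-Object System.Security.Cryptography.RSACryptoServiceProvider($p)
    "Container still present (unexpected)"
} catch {
    "Container gone: " + $_.Exception.InnerException.Message
}
```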

Keys

Session Keys

Session keys are used to encrypt and decrypt data. Applications create them with the CryptGenKey or CryptDeriveKey function. The CSP keeps the key material itself internally.

Unlike key pairs, session keys are transient. With the CryptExportKey function, an application can export a session key from the CSP in encrypted form as a key BLOB (binary large object) and then transfer it to another user.

Public/Private Key Pairs

Each user usually has two public/private key pairs. One pair is used to encrypt session keys, the other to create digital signatures. They are called the key exchange pair and the signature pair.

Note that although most CSPs create key containers that hold two key pairs, this is not required. Some CSPs store no key pairs at all, while others store additional ones.
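The roles of the two key pairs and of a session key, as an added example that is not part of the original article or its sample: the sender's CSP generates a session key, exports it encrypted under the receiver's exchange public key (the CryptExportKey SIMPLEBLOB idea) and signs the ciphertext with the signature pair; the receiver verifies, unwraps and decrypts. It uses the .NET CryptoAPI wrappers from PowerShell, assumes the "Microsoft Enhanced RSA and AES Cryptographic Provider" and a made-up container "CryptoApiDemo", and both parties share one container only to keep the demo self-contained.

```powershell
# Added example, not from the article: exchange pair wraps a session key, signature pair signs.
$provName = "Microsoft Enhanced RSA and AES Cryptographic Provider"   # PROV_RSA_AES = 24
function Open-ContainerKey([int]$KeyNumber) {             # 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE
    $p = New-Object System.Security.Cryptography.CspParameters(24, $provName, "CryptoApiDemo")
    $p.KeyNumber = $KeyNumber
    New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $p)
}
$xchg = Open-ContainerKey 1
$sig  = Open-ContainerKey 2

# Sender: the CSP generates a session key (CryptGenKey); it is never written to the key database
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.KeySize = 128; $aes.GenerateKey(); $aes.GenerateIV()
$plain  = [Text.Encoding]::UTF8.GetBytes("Order 4711: 100 units, net 30 days")   # constructed input
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# CryptExportKey(SIMPLEBLOB): the session key encrypted under the receiver's exchange public key
$fmt     = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($xchg)
$wrapped = $fmt.CreateKeyExchange($aes.Key)
# CryptSignHash: signature over the ciphertext with the signature pair
$signature = $sig.SignData($cipher, "SHA256")

# Receiver (holds the private exchange key): verify, unwrap, decrypt
$ok    = $sig.VerifyData($cipher, "SHA256", $signature)
$dfmt  = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter($xchg)
$aes2  = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes2.Key = $dfmt.DecryptKeyExchange($wrapped); $aes2.IV = $aes.IV   # the IV travels in the clear
$back  = [Text.Encoding]::UTF8.GetString($aes2.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length))
"signature valid: $ok; wrapped key bytes: $($wrapped.Length); plaintext: $back"

# One flipped ciphertext byte must fail verification
$cipher[0] = $cipher[0] -bxor 1
"after tampering: " + $sig.VerifyData($cipher, "SHA256", $signature)

# Cleanup: release the signature handle, then delete the container and both pairs
$sig.Clear()
$xchg.PersistKeyInCsp = $false; $xchg.Clear()
```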

Please credit the original source when reposting: https://www.9cbs.com/read-30250.html
