Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Unlike Cryptography API (CryptoAPI), Cryptography API: Next Generation (CNG) separates cryptographic providers from key storage providers (KSPs). Use KSPs to create, delete, export, import, open, and store keys. Depending on the implementation, use them for asymmetric encryption, secret agreement, and signing. Microsoft installs the following KSPs on Windows. However, vendors can create and install other providers.
Microsoft Software Key Storage Provider
The Microsoft Software Key Storage Provider supports software key creation and storage and the following algorithms.
| Algorithm | Purpose | Key length (bits) |
|---|---|---|
| Diffie-Hellman (DH) | Secret agreement and key exchange | 512 to 4096 in 64-bit increments |
| Digital Signature Algorithm (DSA) | Signatures | 512 to 1024 in 64-bit increments |
| Elliptic Curve Diffie-Hellman (ECDH) | Secret agreement and key exchange | P256, P384, P521 |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Signatures | P256, P384, P521 |
| RSA | Asymmetric encryption and signing | 512 to 16384 in 64-bit increments |
Microsoft Smart Card Key Storage Provider
The Microsoft Smart Card Key Storage Provider supports smart card key creation and storage and the following algorithms.
| Algorithm | Purpose | Key length (bits) |
|---|---|---|
| Diffie-Hellman (DH) | Secret agreement and key exchange | 512 to 4096 in 64-bit increments |
| Elliptic Curve Diffie-Hellman (ECDH) | Secret agreement and key exchange | P256, P384, P521 |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Signatures | P256, P384, P521 |
| RSA | Asymmetric encryption and signing | 512 to 16384 in 64-bit increments |
Microsoft Platform Crypto Provider
The Microsoft Platform Crypto Provider is a key storage provider (KSP) that utilizes the Trusted Platform Module (TPM) for enhanced security. This provider is particularly useful for scenarios requiring hardware-backed security for cryptographic operations.
The Microsoft Platform Crypto Provider is designed to work with the TPM, a hardware-based security module that provides robust protection for cryptographic keys. By leveraging the TPM, this provider ensures that private keys are securely stored and cannot be extracted, even by malicious software.
Key Features
The following are some of the key features of the Microsoft Platform Crypto Provider:
- Hardware-backed security: Utilizes the TPM to store cryptographic keys securely.
- Enhanced protection: Prevents unauthorized access to private keys.
- Integration with Windows: Fully integrated with the Windows Cryptography API: Next Generation (CNG).
Usage
To use the Microsoft Platform Crypto Provider, you can specify it when opening a storage provider using the NCryptOpenStorageProvider function. For example:
#include <ncrypt.h>
NCRYPT_PROV_HANDLE hProvider = NULL;
SECURITY_STATUS status = NCryptOpenStorageProvider(
&hProvider,
MS_PLATFORM_CRYPTO_PROVIDER,
0
);
if (status == ERROR_SUCCESS) {
// Successfully opened the Microsoft Platform Crypto Provider
}
In this example, the MS_PLATFORM_CRYPTO_PROVIDER constant is used to specify the Microsoft Platform Crypto Provider.
Additional Resources
For more information, see NCryptOpenStorageProvider.