Data Encryption with CryptoAPI (Windows CE 5.0)
CryptoAPI provides services that enable application developers to add data encryption/decryption schemes, to authenticate using digital certificates, and to encode/decode to and from ASN.1 to their Microsoft Win32®-based applications. Application developers can use the functions in CryptoAPI without detailed knowledge of the underlying implementation. CryptoAPI works with a number of cryptographic service providers (CSPs) that perform the actual cryptographic functions, such as encryption, decryption, and key storage and security.
The three elements of the Microsoft cryptographic system are the operating system, the application, and the CSP. Applications communicate with the operating system through the CryptoAPI layer and the operating system communicates with the CSPs through the cryptographic service provider interface (CSPI). The following illustration shows the concept.
CSPs are independent modules, usually a DLL, that contain algorithms and perform all cryptographic operations. Ideally, CSPs are written to be independent of a particular application, so that any application will run with a variety of CSPs. In reality, however, some applications have specific requirements that require a customized CSP. EOMs can write their own CSP package and add it to the registry.
The following table shows the predefined CSPs included in Windows CE.
CSP | Description |
---|---|
Microsoft RSA Base Provider | Supports digital signature and data encryption. It is considered to be a general-purpose cryptographic tool. |
Microsoft Enhanced Cryptographic Provider | Supports 128-bit key encryption. It provides stronger security through longer keys and additional algorithms. |
Microsoft DSS and Diffie-Hellman Cryptographic Provider | Supports Diffie-Hellman (D-H) key exchange, SHA hashing, DSS data signing, and DSS signature verification. |
Smart Card CSP | Supports smart cards for Windows. A sample smart card CSP in source code can be found in the %_WINCEROOT%\Public\Common\Sdk\Samples\ directory.
This CSP illustrates how to properly integrate a smart card with the various functions and services provided by CryptoAPI. |
Applications can use CryptoAPI functions to:
- Generate and exchange keys.
- Encrypt and decrypt data.
- Encode and decode certificates.
- Manage and secure certificates.
- Create and verify digital signatures and compute hash.
The capabilities provided by CryptoAPI 1.0 in Windows CE are very similar to the Windows 2000 and Windows NT; however, only a subset of CryptoAPI 2.0 is supported. The following capabilities available in CryptoAPI 2.0 are supported in Windows CE: encoding and decoding digital certificates based on the X.509 standard and certificate management. The following capabilities are not supported: tools to manage certificate revocation lists (CRLs) and certificate trust lists (CTLs), low-level messaging functions, and simplified messaging functions.
Coredll.lib exports CryptoAPI 1.0 functions and Crypto32.lib exports the CryptoAPI 2.0 functions; all these functions are defined in the Wincrypt.h header file.
See Also
Enhancing the Security of a Device | Cryptography | Cryptography Security | Certificates
Last updated on Thursday, February 02, 2006
Send Feedback on this topic to the authors