Cryptographic Provider Types
The field of cryptography is large and growing. There are many different standard data formats and protocols. These are generally organized into groups or families, each of which has its own set of data formats and way of doing things. Even if two families use the same algorithm (for example, the RC2 block cipher), they will often use different padding schemes, different key lengths, and different default modes. CryptoAPI is designed so that a CSP provider type represents a particular family.
When an application connects to a CSP of a particular type, each of the CryptoAPI functions will, by default, operate in a way prescribed by the family that corresponds to that CSP type. An application's choice of provider type specifies the following items:
| Item | Description |
|---|---|
| Key exchange algorithm | Each provider type specifies one and only one key exchange algorithm. Every CSP of a particular type must implement this algorithm. Applications specify the key exchange algorithm to use by selecting a CSP of the appropriate provider type. |
| Digital signature algorithm | Each provider type specifies one and only one digital signature algorithm. Every CSP of a particular type must implement this algorithm. Applications specify the digital signature algorithm to use by selecting a CSP of the appropriate provider type. |
| Key BLOB formats | The provide type determines the format of the key BLOB used to export keys from the CSP and to import keys into a CSP. |
| Digital signature format | The provider type determines the digital signature format. This ensures that a signature produced by a CSP of a given provider type can be verified by any CSP of the same provider type. |
| Session key derivation scheme | The provider type determines the method used to derived a session key from a hash. |
| Key length | Some provider types specify the length of public/private key pairs and the session keys. |
| Default modes | The provider type often specifies default modes for various options, such as the block encryption cipher mode or the block encryption padding method. |
Some advanced application might connect to more than one CSP at a time, but most application generally use only a single CSP.
There are currently a number of predefined provider types. The next sections provide information on the following provider types:
- PROV_RSA_FULL
- PROV_RSA_AES
- PROV_RSA_SIG
- PROV_RSA_SCHANNEL
- PROV_DSS
- PROV_DSS_DH
- PROV_DH_SCHANNEL
- PROV_FORTEZZA
- PROV_MS_EXCHANGE
- PROV_SSL
Even though some CSP types might be partially compatible with others, two or more applications that need to exchange keys and encrypted messages should use CSPs of the same type.
A custom CSP writer can define a new provider type. However, the CSP writer is then responsible for distributing the new provider type to the authors of any applications that are to use it. For information about writing custom CSPs, see Cryptographic Service Providers.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for