Microsoft® Cryptography

CSPs

In Microsoft Windows, a Cryptographic Service Provider (CSP) is a software library that implements the Microsoft CryptoAPI (CAPI). Each CSP has a key database in which it stores its persistent cryptographic keys. Each key database contains one or more key containers, each of which contains all the key pairs belonging to a specific user (or Cryptography API client). Each key container is given a unique name, which applications provide to the CryptAcquireContext function when acquiring a handle to the key container. The figure below illustrates the contents of a key database:

[Figure: contents of a key database]

The CSP stores each key container from session to session, including all the public/private key pairs it contains. However, session keys are not preserved from session to session.

On my own Windows 8 system I checked which CSP types are present and which specific CSPs exist for each type. The list is as follows:

  • PROV_RSA_FULL(1): RSA Full (Signature and Key Exchange)
    • Microsoft Base Cryptographic Provider v1.0
    • Microsoft Base Smart Card Crypto Provider
    • Microsoft Enhanced Cryptographic Provider
    • Microsoft Strong Cryptographic Provider [Default CSP]
  • PROV_DSS(3): DSS Signature
    • Microsoft Base DSS Cryptographic Provider [Default CSP]
  • PROV_RSA_SCHANNEL(12): RSA SChannel
    • Microsoft RSA SChannel Cryptographic Provider [Default CSP]
  • PROV_DSS_DH(13): DSS Signature with Diffie-Hellman Key Exchange
    • Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider [Default CSP]
    • Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
  • PROV_DH_SCHANNEL(18): Diffie-Hellman SChannel
    • Microsoft DH SChannel Cryptographic Provider [Default CSP]
  • PROV_RSA_AES(24): RSA Full and AES
    • Microsoft Enhanced RSA and AES Cryptographic Provider [Default CSP]

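That is quite a long list. Now consider a question: PROV_RSA_FULL has four CSPs, so what do these four have in common that places them all under the type PROV_RSA_FULL? Or, from another angle: if we were CSP implementers building several CSPs, which of them should be grouped under one type and which should not? Put simply, what distinguishes one CSP type from another?

  • Exactly one key exchange algorithm
  • Exactly one digital signature algorithm
  • A specified key BLOB format (the format for key import/export)
  • A specified digital signature format
  • A specified session key derivation scheme
  • A specified key length
  • A specified default mode for block ciphers (such as CBC or ECB)

Another question: what differs between CSPs of the same type? The answer is that they differ in the details of how they implement the same functionality: some are implemented with a smart card, some use longer keys, and some use additional algorithms. For details on implementing a CSP, see the Cryptographic Provider Development Kit; for choosing a specific CSP, see Microsoft Cryptographic Service Providers.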

Session Keys

Session keys are used when encrypting and decrypting data. They are created by applications using either the CryptGenKey or the CryptDeriveKey function. These keys are kept inside the CSP for safekeeping. Unlike the key pairs, session keys are volatile. Applications can save these keys for later use or transmission to other users by exporting them from the CSP into application space in the form of an encrypted key binary large object or key blob using the CryptExportKey function.

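In many cases a session key is tied to a single session: once the session ends, the key is no longer valid. In TLS, for example, the two parties use the certificate to encrypt some information they exchange, both sides then generate a session key from that information, and they use the session key to encrypt and decrypt the messages they send each other. When the connection is closed, the session is over and the session key is discarded. That is why session keys are volatile. There are, however, cases where you want to keep a session key: for example, an application encrypts a database file with a session key and at some later time needs that same session key to decrypt the file.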
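
An added example, not from the original post or from Microsoft: a Python parser that reads the header of a blob produced by CryptExportKey and reports whether a saved session key is wrapped (SIMPLEBLOB) or stored in the clear (PLAINTEXTKEYBLOB). The field layout and constants follow the documented BLOBHEADER structure in wincrypt.h; the name parse_key_blob and the sample blobs are constructed for illustration.

```python
import struct

# Constants from the documented CryptoAPI header (wincrypt.h); subset only.
BLOB_TYPES = {0x1: "SIMPLEBLOB", 0x6: "PUBLICKEYBLOB",
              0x7: "PRIVATEKEYBLOB", 0x8: "PLAINTEXTKEYBLOB"}
ALG_IDS = {0xA400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN", 0x6801: "CALG_RC4",
           0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256"}


def parse_key_blob(blob: bytes) -> dict:
    """Classify a blob produced by CryptExportKey from its BLOBHEADER."""
    if len(blob) < 12:
        raise ValueError("too short for a BLOBHEADER plus type-specific field")
    # BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg.
    # All fields are little-endian; in the blob types handled here a DWORD
    # follows the header, so it is unpacked in the same call.
    b_type, version, reserved, key_alg, field = struct.unpack_from("<BBHII", blob)
    if b_type not in BLOB_TYPES or reserved != 0:
        raise ValueError("not a recognised key blob header")
    info = {"type": BLOB_TYPES[b_type], "version": version,
            "key_alg": ALG_IDS.get(key_alg, hex(key_alg))}
    payload = blob[12:]
    if b_type == 0x1:
        # SIMPLEBLOB: the DWORD is the ALG_ID of the key exchange algorithm;
        # the payload is the session key encrypted under the recipient's
        # key exchange public key.
        info["wrapped_with"] = ALG_IDS.get(field, hex(field))
        info["wrapped_key_bytes"] = len(payload)
        info["key_material_exposed"] = False
    elif b_type == 0x8:
        # PLAINTEXTKEYBLOB: the DWORD is the key length; raw key bytes follow.
        if field != len(payload):
            raise ValueError("declared key length does not match payload")
        info["key_bits"] = field * 8
        info["key_material_exposed"] = True
    else:
        # Key pair blobs: the DWORD is the magic of the public key structure
        # (for RSA, "RSA1" in a public blob and "RSA2" in a private blob).
        info["magic"] = struct.pack("<I", field).decode("ascii", "replace")
        info["key_material_exposed"] = b_type == 0x7
    return info


# Constructed samples: zero bytes stand in for ciphertext and key material.
SAMPLE_WRAPPED = struct.pack("<BBHII", 0x1, 2, 0, 0x6610, 0xA400) + bytes(128)
SAMPLE_PLAIN = struct.pack("<BBHII", 0x8, 2, 0, 0x660E, 16) + bytes(16)

if __name__ == "__main__":
    for sample in (SAMPLE_WRAPPED, SAMPLE_PLAIN):
        print(parse_key_blob(sample))
```

Run over blobs an application has written to disk, the key_material_exposed flag separates session keys that were exported under a key exchange key from those saved without protection.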


Public/Private Key Pairs

Each user generally has two public/private key pairs. One key pair is used to encrypt session keys and the other to create digital signatures. These are known as the key exchange key pair and the signature key pair, respectively. Note that although key containers created by most CSPs will contain two key pairs, this is not required. Some CSPs do not store any key pairs, while others store additional ones.

Apple® Cryptography

Keychain Services
Certificate, Key, and Trust Services

The keychain provides storage for passwords, certificates and similar data. There are two recommended APIs for accessing the keychain: Keychain Services and Certificate, Key, and Trust Services.

Cryptographic Message Syntax Services

This service lets developers encrypt S/MIME messages or add digital signatures to S/MIME messages.