January 1996
Revised: February 21, 1996 (new Q&A)
The Microsoft® Cryptographic API (CryptoAPI) provides services that enable application developers to add cryptography to their Win32® applications. Applications can use the functions in CryptoAPI without knowing anything about the underlying implementation, in much the same way that an application can use a graphics library without knowing anything about the particular graphics hardware configuration.
For more information, please see the sections below.
Cryptography provides a set of techniques for transforming data and messages so that they can be stored and transmitted securely. It makes secure communication possible even when the transmission medium (for example, the Internet) is untrustworthy, and it lets you encrypt sensitive files so that an intruder cannot read them. Cryptography can protect data integrity as well as secrecy, and digital signatures make it possible to verify the origin of data and messages. When cryptographic methods are used correctly, the only things that must remain secret are the cryptographic keys; the algorithms, key sizes, and file formats can be made public without compromising security.
The Microsoft Cryptographic Application Program Interface (CryptoAPI) consists of a set of functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data.
All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). One CSP, the Microsoft RSA Base Provider, is bundled with the operating system.
Each CSP is a separate implementation of the cryptographic operations behind the CryptoAPI. Some provide stronger cryptographic algorithms; others incorporate hardware components such as smartcards. Some CSPs may also communicate with the user directly, for example when a digital signature is produced with the user's signature private key.
The CryptoAPI programming model can be compared to the Windows GDI model: the CSPs are analogous to graphics device drivers, and the (optional) cryptographic hardware is analogous to graphics hardware. Just as well-behaved applications do not talk to graphics device drivers or hardware directly, well-behaved applications do not access CSPs or cryptographic hardware directly; every operation goes through the CryptoAPI functions.
For a more comprehensive overview of CryptoAPI, be sure to read the Developer Network News article on securing your apps with the Microsoft CryptoAPI.
For more information on the Microsoft CryptoAPI, please read the Microsoft CryptoAPI Application Programmer's Guide, version 0.9 (preliminary), available for downloading below. This document presents general information about how to incorporate cryptography into applications and offers specific information about the function data types in the Microsoft CryptoAPI. The guide is intended to be used by developers familiar with the Microsoft Windows programming environment. Previous experience with cryptography or other security related subjects is helpful, but not absolutely necessary.
The Microsoft CryptoAPI Application Programmer's Guide consists of an introduction and 13 chapters. For ease of online reading and printing, we've provided copies of this lengthy document in Microsoft Word and Postscript formats. Click the buttons below to download these files.
Download the Microsoft CryptoAPI Application Programmer's Guide in PostScript format (zipped, 214K).
To request a copy of the Cryptographic Service Provider Developer's Kit (CSPDK), Beta version 0.9, please fill out the form provided on http://pct.microsoft.com.
The sample applications below illustrate the use of the Microsoft CryptoAPI. After downloading, review the README.TXT file for each sample for more information.
Download the files for the INITUSER sample (zipped, 1.69K).
INITUSER is a sample console application that creates a key container for the default user, along with a signature public/private key pair and a key exchange public/private key pair.
Download the files for the ENCRYPT sample (zipped, 5.33K).
ENCRYPT consists of a pair of sample console applications that can be used to encrypt and decrypt files.
Download the files for the ENUMALGS sample (zipped, 2.08K).
ENUMALGS is a sample console application that lists the algorithms supported by the user's default CSP.
Download the files for the SIGN sample (zipped, 4.36K).
SIGN consists of a pair of sample console applications that can be used to sign and later verify files.
Download the files for the CFILER sample (zipped, 76K).
CFILER is a Windows-based application that can be used to encrypt and sign files.
The Microsoft CryptoAPI is part of Windows NT™ 4.0 (formerly known as the "Windows NT Shell Upgrade Release"), which is available through Microsoft Developer Network Level II membership. See the Microsoft Developer Network Web site for information on joining Level II.
Please click the company names to link to the endorsing company's Web site for more information. (Note that these links point to servers that are not under Microsoft's control. Please read Microsoft's official statement regarding other servers.)
"Atalla is pleased to announce our support for Microsoft's CryptoAPI and our intent to design and deliver hardware-based security modules and associated software modules to function as a Cryptographic Service Provider (CSP) within the CryptoAPI programming model. The Atalla CSP will focus on high performance cryptographic processing, robust key management, encapsulation of functionality, and physical security for those customers who will utilize Windows NT on their server platforms for electronic commerce."
-- Gary Sabo, Vice-President, Product Management and Marketing
"Cylink applauds Microsoft's development and promotion of CryptoAPI, a robust, vendor-independent interface for providing cryptographic services to applications. This will serve to broaden the overall market for information security products and facilitate the seamless integration of CYLINK's high-performance, public-key based hardware and software INFOSEC products into the leading computer operating environments."
-- John Kennedy, Cryptographic Systems Architect
"I am excited to see that Microsoft is building the ability to use cryptographic solutions into Windows NT. Developers can now write secure applications that will allow access to security tokens such as iPower's PersonaCard, enabling server-based enterprise-wide security solutions."
-- Tom Rowley, Director of Marketing, National Semiconductor's iPower Business Unit
"Nortel (Northern Telecom) is pleased to see Microsoft's CryptoAPI announced, which will make it easier for developers to incorporate cryptography into their applications. Nortel will support CryptoAPI with its Entrust product that provides a public-key infrastructure for enterprise-wide cross-platform encryption and digital signature services."
-- Brian O'Higgins, Director, Nortel Secure Networks
"We're pleased to see Microsoft's announcement of CryptoAPI and CryptoAPI's use of RSA technology. This announcement makes more robust cryptography more easily available to more people--and RSA believes that's always a good thing."
-- Jim Bidzos, President, RSA Data Security, Inc.
Spyrus
"SPYRUS is committed to Microsoft CryptoAPI. We are building Cryptographic Service Providers (CSPs) for our line of Cryptographic PC Card Tokens. By the end of 1Q96, we will deliver CSPs for our FORTEZZA Crypto Card which implements US Government algorithms and our LYNKS Privacy Cards which implement commercial algorithms including RSA, Diffie-Hellman, DES, RC2 and RC4."
-- Russell Housley, Chief Scientist
For more information on SPYRUS Cryptographic PC Card Tokens, send electronic mail to info@spyrus.com.
"Trusted Information Systems, Inc. believes that the Microsoft CryptoAPI will have a fundamentally positive effect on making cryptography available worldwide. We expect a large number of Cryptographic Service Providers (CSPs) to quickly emerge supporting this standard. TIS will work with CSPs and applications developers to ensure key recovery technologies are available throughout their product lines. In addition, our International Cryptography Experiment (ICE) will take advantage of the CryptoAPI, which will ensure the success of the experiment."
-- Steve Walker, President
"The Microsoft CryptoAPI team has done a remarkable job of anticipating market direction and the corresponding needs of application programmers. CryptoAPI will unquestionably serve a pivotal role in shaping the future of cryptographically enabled mainstream software applications.
"Through full support of CryptoAPI, Telequip's Crypta Plus family of secure tokens will provide tremendous cost savings to our corporate customers with large mobile workforces. They will now be able to conduct business safely and efficiently using the Internet as a Virtual Private Network. These organizations can take full advantage of cryptography to ensure identification, authenticity, privacy and integrity in business communications."
-- Michael Jones, President
For a list of frequently asked questions and their answers, see the CryptoAPI Q&A.
If you need more information or have specific questions you'd like us to answer, please send us e-mail.