Microsoft CSP
Microsoft implements several cryptographic algorithms and protocols in a software framework referred to as the Microsoft Cryptographic Service Provider. The CSP, as Microsoft refers to its Cryptographic Service Providers, includes a series of APIs for use by both hardware and software vendors. In its latest incarnation, the Microsoft CSP consists of ten modules: Microsoft Base Cryptographic Provider, Microsoft Strong Cryptographic Provider, Microsoft Enhanced Cryptographic Provider, Microsoft AES Cryptographic Provider, Microsoft DSS Cryptographic Provider, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider, Microsoft RSA/Schannel Cryptographic Provider, and Microsoft RSA Signature Cryptographic Provider.
Of the ten, the Microsoft Base Cryptographic Provider is the only one that is safe for export to any nation. The other nine, because of the specific protocols they implement or the number of key bits they support, are governed by export restrictions.
The Base Cryptographic Provider is a basic cryptographic implementation of the RSA algorithm with support for up to 512 bits of asymmetric cryptography. This is the equivalent of about 40 bits of symmetric cryptography. A brute force attack on this scheme will cover a space of just
trials, and thus it is considered a very weak algorithm. The BCP however supports several cryptographic protocols and functions, including digital signatures and digital certificates. The BCP also supports RC2 and RC4 at 40 bits. It does not, however, support DES or higher grade schemes. DES is a 56 bit algorithm and is already broken.
The Strong Cryptographic Provider is an improvement over the BCP and was released with the Windows 2000 Server family. The SCP includes support for 1024 bit RSA, DES and 3DES (both two and three key implementations). The maximum key strength is 128 bits, a significant improvement over the BCP, and it is under export restrictions. The SCP also supports RC2 and RC4 with 128 bit symmetric keys.
The Enhanced Cryptographic Provider is an enhancement over the SCP: while it is a similar implementation to the SCP, it includes some basic countermeasures against some of the standard attacks on SCP schemes, including support for variable salt length. This helps reduce the effect of parallel attacks against DES and 3DES. The ECP was implemented after Windows 2000 Server.
The AES Cryptographic Provider includes an implementation of the Rijndael algorithm, the Advanced Encryption Standard. AES was developed under the guidance of NIST in the late 1990s as a replacement for DES and its immediate successor 3DES. While DES and 3DES have a maximum of 56 and 168 bits respectively, AES has a minimum key strength of 128 bits and a maximum of 256. This is considerably stronger than DES. The ACP however supports the lower end of the AES strength, 128 bit symmetric keys, and 1024 bit RSA. The ACP can be used for a wide variety of cryptographic features including key exchange, encryption, digital signatures, and digital certificates, to name a few.
Table 1 shows a basic comparison of the various schemes.
| Algorithm | Base Provider key length | Strong Provider key length | AES Provider key length |
|---|---|---|---|
| RSA public key signature algorithm | 512 bits | 1,024 bits | 1,024 bits |
| RSA public key exchange algorithm | 512 bits | 1,024 bits | 1,024 bits |
| RC2 block encryption algorithm | 40 bits | 128 bits | 128 bits (salt length can be set) |
| RC4 stream encryption algorithm | 40 bits | 128 bits | 128 bits (salt length can be set) |
| DES | 56 bits | 56 bits | 56 bits |
| Triple DES (2 key) | Not supported | 112 bits | 112 bits |
| Triple DES (3 key) | Not supported | 168 bits | 168 bits |
The DSS Cryptographic Provider, or Digital Signature Standard provider, provides essential support for hashing, digital signature and signature verification using the Secure Hash Algorithm (SHA) and the Digital Signature Standard (DSS) algorithms. The DSS provider is not an encryption provider and its maximum key length is limited to 256 bits.
The Base DSS and Diffie-Hellman Cryptographic Provider is an enhancement over the DSS provider and includes the DH key exchange algorithm. It also supports up to 512 bits of SHA.
The Enhanced DSS and Diffie-Hellman Cryptographic Provider is, as its name implies, an enhancement over the BDDHCP. Beyond everything that the BDDHCP does, it also supports additional algorithms including MD5 (Message Digest 5), CYLINK message encryption, store-and-forward DH key exchange, and ephemeral DH, all with higher grade symmetric (for the symmetric algorithms) and asymmetric (for the public key algorithms) schemes. This is a FIPS 140-2 validated scheme.
The DSS and Diffie-Hellman/Schannel Cryptographic Provider, while supporting many high grade schemes and being usable for SSL 3 and TLS 1 purposes, can also be exported. It supports DH key exchange, DH key generation, signing, hashing and exporting of DH keys.
The RSA/Schannel Cryptographic Provider is another implementation of the Schannel scheme, but an RSA implementation, and can be used for signing and hashing. Like the previous Schannel scheme, this scheme can also be exported and supports both SSL 3 and TLS 1 client authentication, while also supporting key derivation for SSL 2, PCT 1, SSL 3, and TLS.
The RSA Signature Cryptographic Provider is an RSA based scheme for data signing and signature verification.
In all, these cryptographic providers create immense opportunity for vendors to implement relatively strong and robust cryptographic schemes without having to re-invent the wheel. As we observe, Microsoft supports schemes that include Diffie-Hellman (including elliptic curve implementations), RSA, RC2 and RC4, Schannel, SHA-1, MD5, DSS, AES (Rijndael), DES and 3DES. While these represent less than 10% of the known encryption schemes and algorithms, they represent a large proportion of the US government supported schemes, which are generally deemed to be superior (at least at some point in the past, or have been supported or initiated by NIST).
However, the fact that a vendor claims support, or even that Microsoft claims support, is not as important as whether their claim can be verified as being FIPS certified (under the current FIPS version). Even that does not guarantee ultimate security. DES has been broken for years and there are claims that 3DES and others with weak keys or short keys can also be easily broken.
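An added example (mine, not from the original post) that turns the provider inventory above and the point about verifying claims into a check a defender can run: it lists the CSPs actually registered on a Windows host and then asks three of them, by their current registry names, which RSA key sizes they really generate. It assumes current Windows registry and .NET names; the provider the post calls the AES provider is registered as Microsoft Enhanced RSA and AES Cryptographic Provider, and the export-grade limits described above may not hold on a modern build, which is exactly what the check reveals.

```powershell
# Added example, not part of the original post: inventory the CSPs registered on a Windows host
# and check, per provider, which RSA key sizes it will really generate. Provider names and
# type numbers are the registry names on current Windows builds (assumption: older releases
# the post describes may label them differently).
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
$typeRoot     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types'

# Provider type number (1 = PROV_RSA_FULL, 24 = PROV_RSA_AES, ...) -> registered type name.
$typeNames = @{}
Get-ChildItem $typeRoot | ForEach-Object {
    $typeNames[[int]($_.PSChildName -replace '^Type\s+', '')] = (Get-ItemProperty $_.PSPath).TypeName
}

# Every registered CSP, its type and the DLL that implements it.
Get-ChildItem $providerRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{ Provider = $_.PSChildName; Type = [int]$p.Type
                       TypeName = $typeNames[[int]$p.Type]; Image = $p.'Image Path' }
} | Sort-Object Type, Provider | Format-Table -AutoSize

# Does the named provider really produce an RSA key of $Bits? CreateEphemeralKey keeps the test
# key out of the persistent key store; ExportParameters forces the CSP to generate it.
function Test-CspRsaKeySize {
    param([string]$ProviderName, [int]$ProviderType, [int]$Bits)
    $csp = New-Object System.Security.Cryptography.CspParameters -ArgumentList $ProviderType, $ProviderName
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::CreateEphemeralKey
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $Bits, $csp
        $null = $rsa.ExportParameters($false)
        $ok = ($rsa.KeySize -eq $Bits)
        $rsa.Dispose()
        return $ok
    } catch { return $false }
}

$candidates = @(
    @{ Name = 'Microsoft Base Cryptographic Provider v1.0';            Type = 1  }
    @{ Name = 'Microsoft Strong Cryptographic Provider';               Type = 1  }
    @{ Name = 'Microsoft Enhanced RSA and AES Cryptographic Provider'; Type = 24 }
)
foreach ($c in $candidates) {
    foreach ($bits in 512, 1024, 2048, 4096) {
        $ok = Test-CspRsaKeySize -ProviderName $c.Name -ProviderType $c.Type -Bits $bits
        '{0,-55} {1,5}-bit RSA: {2}' -f $c.Name, $bits, $(if ($ok) { 'generated' } else { 'refused' })
    }
}

# FIPS-mode policy (1 = enabled), the switch behind "FIPS-validated" claims on this host.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy').Enabled
```

A provider that reports "generated" for a size larger than the table above lists is the host telling you the post's export-grade limits do not apply to it; treat the table as history and the output as the fact to base decisions on.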
An encryption scheme is said to be broken when there is a method, other than brute force, that can defeat it in less time than a brute force attack.
A brute force attack involves attempting all possible key combinations in order to break a scheme, and in many cases it can also be run in parallel to shorten the required attack time. The attack time is a function of the number of steps required for decryption, machine processing speed (and algorithm speed) and the key space. A 5 bit key has 32 possible keys while a 10 bit key has 1024. Algorithm keys, as we noted earlier, usually start from 40 bits (
possible keys) for symmetric keys and 512 (
) for asymmetric or public keys.
Resources :
Dr. Akpose