LyncBufferError.png?ssl=1' alt='Microsoft Cryptoapi And Cryptographic Service Providers' title='Microsoft Cryptoapi And Cryptographic Service Providers' />Rng Validation List. This list identifies implementations that have been validated as conforming to the various Random Number Generators RNG as specified in Federal. Www. thalesesecurity. Shield Connect and netHSM User Guide for Windows nShield Connect and netHSM User Guide for Windows 2. Crypt. Gen. Key function WindowsAn. ALGID value that identifies the algorithm for which the key is to be generated. Values for this parameter vary depending on the CSP used. For ALGID values to use with the Microsoft Base Cryptographic Provider, see. Base Provider Algorithms. For ALGID values to use with the Microsoft Strong Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, see. Microsoft Cryptoapi And Cryptographic Service Providers' title='Microsoft Cryptoapi And Cryptographic Service Providers' />Enhanced Provider Algorithms. For a Diffie Hellman CSP, use one of the following values. Value. Meaning. CALGDHEPHEMSpecifies an Ephemeral Diffie Hellman key. CALGDHSFSpecifies a Store and Forward Diffie Hellman key. In addition to generating session keys for symmetric algorithms, this function can also generate publicprivate key pairs. Each Crypto. API client generally possesses two publicprivate key pairs. To generate one of these key pairs, set the Algid parameter to one of the following values. Value. Meaning. ATKEYEXCHANGEKey exchange. ATSIGNATUREDigital signature. Note  When key specifications ATKEYEXCHANGE and ATSIGNATURE are specified, the algorithm identifiers that are used to generate the key depend on the provider used. As a result, for these key specifications, the values returned from. Crypt. Get. Key. Param when the KPALGID parameter is specified depend on the provider used. To determine which algorithm identifier is used by the different providers for the key specs ATKEYEXCHANGE and ATSIGNATURE, see. ALGID. Specifies the type of key generated. The sizes of a session key, RSA signature key, and RSA key exchange keys can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 1. Thus, if a 2,0. 48 bit RSA signature key is to be generated, the value 0x. Flags predefined value with a bitwise OR operation. The upper 1. 6 bits of 0x. The RSA1. 02. 4BITKEY value can be used to specify a 1. RSA key. Due to changing export control restrictions, the default CSP and default key length may change between operating system versions. It is important that both the encryption and decryption use the same CSP and that the key length be explicitly set using the dw. Flags parameter to ensure interoperability on different operating system platforms. In particular, the default RSA Full Cryptographic Service Provider is the Microsoft RSA Strong Cryptographic Provider. The default DSS Signature Diffie Hellman Cryptographic Service Provider is the Microsoft Enhanced DSS Diffie Hellman Cryptographic Provider. Each of these CSPs has a default 1. RC2 and RC4 and a 1,0. Home Depot Free Installation Of Flooring on this page. If the upper 1. 6 bits is zero, the default key size is generated. If a key larger than the maximum or smaller than the minimum is specified, the call fails with the ERRORINVALIDPARAMETER code. The following table lists minimum, default, and maximum signature and exchange key lengths beginning with Windows XP. Key type and provider. Minimum length. Default length. Maximum length. RSA Base Provider. Signature and Exchange. Keys. 38. 45. 12. RSA Strong and Enhanced Providers. Signature and Exchange Keys. DSS Base Providers. Signature Keys. 51. DSS Base Providers. Exchange Keys. Not applicable. Not applicable. Not applicable. DSSDH Base Providers. Signature Keys. 51. DSSDH Base Providers. Exchange Keys. 51. DSSDH Enhanced Providers. Signature Keys. 51. DSSDH Enhanced Providers. Exchange Keys. 51. For session key lengths, see Crypt. Derive. Key. For more information about keys generated using Microsoft providers, see. Microsoft Cryptographic Service Providers. The lower 1. 6 bits of this parameter can be zero or a combination of one or more of the following values. Value. Meaning. CRYPTARCHIVABLEIf this flag is set, the key can be exported until its handle is closed by a call to Crypt. Destroy. Key. This allows newly generated keys to be exported upon creation for archiving or key recovery. After the handle is closed, the key is no longer exportable. CRYPTCREATEIVThis flag is not used. CRYPTCREATESALTIf this flag is set, then the key is assigned a random salt value automatically. You can retrieve this salt value by using the. Crypt. Get. Key. Param function with the dw. Param parameter set to KPSALT. If this flag is not set, then the key is given a salt value of zero. When keys with nonzero salt values are exported through. Crypt. Export. Key, then the salt value must also be obtained and kept with the key BLOB. CRYPTDATAKEYThis flag is not used. CRYPTEXPORTABLEIf this flag is set, then the key can be transferred out of the CSP into a key BLOB by using the. Crypt. Export. Key function. Because session keys generally must be exportable, this flag should usually be set when they are created. If this flag is not set, then the key is not exportable. For a session key, this means that the key is available only within the current session and only the application that created it will be able to use it. For a publicprivate key pair, this means that the private key cannot be transported or backed up. This flag applies only to session key and private key BLOBs. It does not apply to public keys, which are always exportable. CRYPTFORCEKEYPROTECTIONHIGHThis flag specifies strong key protection. When this flag is set, the user is prompted to enter a password for the key when the key is created. The user will be prompted to enter the password whenever this key is used. This flag is only used by the CSPs that are provided by Microsoft. Third party CSPs will define their own behavior for strong key protection. Specifying this flag causes the same result as calling this function with the CRYPTUSERPROTECTED flag when strong key protection is specified in the system registry. If this flag is specified and the provider handle in the h. Prov parameter was created by using the CRYPTVERIFYCONTEXT or CRYPTSILENT flag, this function will set the last error to NTESILENTCONTEXT and return zero. Windows Server 2. Windows XP  This flag is not supported. CRYPTKEKThis flag is not used. CRYPTINITIATORThis flag is not used. CRYPTNOSALTThis flag specifies that a no salt value gets allocated for a forty bit symmetric key. For more information, see. Salt Value Functionality. CRYPTONLINEThis flag is not used. CRYPTPREGENThis flag specifies an initial Diffie Hellman or DSS key generation. This flag is useful only with Diffie Hellman and DSS CSPs. When used, a default key length will be used unless a key length is specified in the upper 1. Flags parameter. If parameters that involve key lengths are set on a PREGEN Diffie Hellman or DSS key using Crypt. Set. Key. Param, the key lengths must be compatible with the key length set here. CRYPTRECIPIENTThis flag is not used. CRYPTSFThis flag is not used. CRYPTSGCKEYThis flag is not used. CRYPTUSERPROTECTEDIf this flag is set, the user is notified through a dialog box or another method when certain actions are attempting to use this key. The precise behavior is specified by the CSP being used. If the provider context was opened with the CRYPTSILENT flag set, using this flag causes a failure and the last error is set to NTESILENTCONTEXT. CRYPTVOLATILEThis flag is not used. Smart Card Architecture Windows 1. Applies To Windows 1. Windows Server 2. This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter. In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses a key only the user knows such as with public key cryptography, or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt. Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. For smart cards, Windows supports a provider architecture that meets the secure authentication requirements and is extensible so that you can include custom credential providers. This topic includes information about Credential provider architecture. The following table lists the components that are included in the interactive sign in architecture of the Windows Server and Windows operating systems. Component. Description. Winlogon. Provides an interactive sign in infrastructure. Logon UIProvides interactive UI rendering. Credential providers password and smart cardDescribes credential information and serializing credentials. Local Security Authority LSAProcesses sign in credentials. Authentication packages. Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. Interactive sign in in Windows begins when the user presses CTRLALTDEL. The CTRLALTDEL key combination is called a secure attention sequence SAS. To keep other programs and processes from using it, Winlogon registers this sequence during the boot process. After receiving the SAS, the UI then generates the sign in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system. Figure 1  Credential provider architecture. Typically, a user who signs in to a computer by using a local account or a domain account must enter a user name and password. These credentials are used to verify the users identity. For smart card sign in, a users credentials are contained on the smart cards security chip. A smart card reader lets the computer interact with the security chip on the smart card. When users sign in with a smart card, they enter a personal identification number PIN instead of a user name and password. Credential providers are in process COM objects that run on the local system and are used to collect credentials. The Logon UI provides interactive UI rendering, Winlogon provides interactive sign in infrastructure, and credential providers work with both of these components to help gather and process credentials. Winlogon instructs the Logon UI to display credential provider tiles after it receives an SAS event. The Logon UI queries each credential provider for the number of credentials it wants to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, the Logon UI displays them to the user. The user interacts with a tile to supply the proper credentials. The Logon UI submits these credentials for authentication. Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to sign in by using biometrics for example, fingerprint, retinal, or voice recognition, password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy custom authentication mechanisms for all domain users, and they may explicitly require users to use this custom sign in mechanism. Note  Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security. Credential providers can be designed to support single sign in SSO. In this process, they authenticate users to a secure network access point by using RADIUS and other technologies for signing in to the computer. Credential providers are also designed to support application specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control UAC. Multiple credential providers can coexist on a computer. Credential providers must be registered on a computer running Windows, and they are responsible for Describing the credential information that is required for authentication. Handling communication and logic with external authentication authorities. Packaging credentials for interactive and network sign in. Note  The Credential Provider API does not render the UI. It describes what needs to be rendered. Only the password credential provider is available in safe mode. The smart card credential provider is available in safe mode during networking. Smart card subsystem architecture. Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the Personal ComputerSmart Card PCSC standard. Each smart card must have a Credential Service Provider CSP that uses the Crypto. API interfaces to enable cryptographic operations, and the Win. SCard APIs to enable communications with smart card hardware. Base CSP and smart card minidriver architecture. Figure 2 illustrates the relationship between the Crypto. API, CSPs, the Smart Card Base Cryptographic Service Provider Base CSP, and smart card minidrivers. Figure 2  Base CSP and smart card minidriver architecture. Caching with Base CSP and smart card KSPSmart card architecture uses caching mechanisms to assist in streamlining operations and to improve a users access to a PIN. Data caching The data cache provides for a single process to minimize smart card IO operations. PIN caching The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated. Data caching. Each CSP implements the current smart card data cache separately. The Base CSP implements a robust caching mechanism that allows a single process to minimize smart card IO operations. The existing global cache works as follows The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card. The CSP checks its cache for the item. If the item is not found in the cache, or if the item is cached but is not up to date, the item is read from the smart card. After any item has been read from the smart card, it is added to the cache. Any existing out of date copy of that item is replaced. Three types of objects or data are cached by the CSP pins for more information, see PIN caching, certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations.