  Learn About Windows Cryptography
AspEncrypt is built around the Microsoft Cryptographic Application Programming Interface (CryptoAPI) which is part of the Win32 API. It is therefore important to know the basics of the Microsoft implementation of cryptography in order to understand how AspEncrypt works.

The CryptoAPI architecture is somewhat similar to ODBC in that it consists of an API layer (analogous to the ODBC Manager) and a number of cryptographic modules underneath that layer that actually perform the cryptographic tasks (analogous to ODBC drivers). These modules are called Cryptographic Service Providers (CSPs). There are quite a few CSPs currently available on the market. One CSP, the Microsoft Base Cryptographic Provider, is bundled with the CryptoAPI. Another CSP, the Microsoft Enhanced Cryptographic Provider, is available for free from the Microsoft web site. These two CSPs are sufficient for all functions offered by AspEncrypt.

Read about CryptoAPI at MSDN/Platform SDK/CryptoAPI.

  Microsoft Cryptographic Service Providers: Overview
The Microsoft Base Cryptographic Provider 2.0 is a general-purpose provider that supports digital signatures and data encryption. This provider is currently included with the operating system (either Windows NT®, 2000, or Windows® 95/98). It is also provided with Microsoft Internet Explorer, Version 3.0 or later.

When AspEncrypt is used with the Microsoft Base Cryptographic Provider, the following algorithms are available:

Purpose                  Name   Key or Hash Size
Hash                     MD2    128 bit
Hash                     MD4    128 bit
Hash                     MD5    128 bit
Hash                     SHA    160 bit
Symmetric Encryption     RC2    40 bit
Symmetric Encryption     RC4    40 bit
Public-Key Encryption    RSA    384 - 512 bit
Public-Key Signature     RSA    384 - 16,384 bit (512 bit by default)

The Microsoft Enhanced Cryptographic Provider supports the same capabilities as the Microsoft Base Cryptographic Provider, but provides for stronger security through longer keys and additional algorithms. The Enhanced provider is installed on your machine when you apply the Internet Explorer 128-bit security patch available from http://www.microsoft.com/windows/ie/download/128bit/intro.htm.

When AspEncrypt is used with the Microsoft Enhanced Cryptographic Provider, the following algorithms are available:

Purpose                  Name                   Key or Hash Size
Hash                     MD2                    128 bit
Hash                     MD4                    128 bit
Hash                     MD5                    128 bit
Hash                     SHA                    160 bit
Symmetric Encryption     RC2                    128 bit
Symmetric Encryption     RC4                    128 bit
Symmetric Encryption     DES                    56 bit
Symmetric Encryption     Triple DES (2 Keys)    112 bit
Symmetric Encryption     Triple DES (3 Keys)    168 bit
Public-Key Encryption    RSA                    1,024 bit
Public-Key Signature     RSA                    384 - 16,384 bit (1,024 bit by default)

The Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype) (Windows XP) and Microsoft Enhanced RSA and AES Cryptographic Provider (Windows 2003) provide support for the Advanced Encryption Standard cipher (also known as Rijndael). The following key lengths are available:

Purpose                  Name   Key Size
Symmetric Encryption     AES    128 bit
Symmetric Encryption     AES    192 bit
Symmetric Encryption     AES    256 bit

AES is not supported on Windows NT or 2000. AES is supported on Windows XP and 2003 by AspEncrypt versions 2.3 and higher.

Microsoft Enhanced RSA and AES Cryptographic Provider on Windows 2003 supports the long (greater than 160 bit) SHA hash functions:

Purpose    Name       Hash Size
Hash       SHA-256    256 bit
Hash       SHA-384    384 bit
Hash       SHA-512    512 bit

  Cryptographic Service Provider List in System Registry

The list of all Cryptographic Service Providers installed on the current machine can be obtained from the system registry under the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Providers.

The default cryptographic provider for the current user can be found under the key

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Providers\Type 001.
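As an added example (not part of the AspEncrypt documentation), the following PowerShell script reads the two registry keys named above to inventory the CSPs installed on a machine and to show the current user's default Type 001 (PROV_RSA_FULL) provider. It assumes each provider subkey carries "Type" and "Image Path" values and the user key carries a "Name" value, and it also tries the singular spelling Defaults\Provider as a fallback; the function names are mine.

```powershell
# Added example: inventory the CSPs registered on this machine and the
# current user's default Type 001 (PROV_RSA_FULL) provider.
# Assumptions: each provider subkey carries "Type" (REG_DWORD) and
# "Image Path" (REG_SZ) values, and the user key carries a "Name" value.

function Get-InstalledCsp {
    # The text names ...\Defaults\Providers; the singular spelling
    # ...\Defaults\Provider is tried as a fallback (assumption).
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Providers',
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    )
    $root = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $root) { throw 'No CSP list found under Cryptography\Defaults' }

    foreach ($key in Get-ChildItem -Path $root) {
        $values = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Name      = $key.PSChildName       # e.g. Microsoft Base Cryptographic Provider v1.0
            Type      = $values.Type           # 1 = PROV_RSA_FULL, 24 = PROV_RSA_AES
            ImagePath = $values.'Image Path'   # DLL that implements the CSP
        }
    }
}

function Get-UserDefaultRsaCsp {
    # Per-user default for provider type 1, the "Type 001" key in the text.
    $userKey = 'HKCU:\Software\Microsoft\Cryptography\Providers\Type 001'
    if (Test-Path $userKey) { return (Get-ItemProperty -Path $userKey).Name }
    return $null    # no per-user setting: the machine-wide default applies
}

Get-InstalledCsp | Sort-Object Type, Name | Format-Table -AutoSize
"User default Type 001 provider: $(Get-UserDefaultRsaCsp)"
```

Comparing the Image Path of each provider against the expected DLL is a quick way to spot an unexpected or tampered CSP registration.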

  Key Databases
Each CSP has a key database in which it stores its persistent cryptographic keys. Each key database contains one or more key containers, each of which contains all the key pairs belonging to a specific user (or CryptoAPI client). Each key container has a unique name. There are usually two key pairs in each container: a key-exchange key pair and a signature key pair. The former is used to encrypt session keys and the latter to create digital signatures.

In Windows NT, the Microsoft providers store their key containers in two locations of the system registry. One location is under the key HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys. The other is under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys. The former is usually used by a stand-alone application, and the latter by a process running on behalf of a non-interactive user, such as an IIS/ASP application.

In Windows 2000, Microsoft decided to move the key containers from the system registry to the file system. They can now be found under the directories \Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\<user SID> and \Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys, respectively.

  Cryptographic Context

An application uses the cryptographic services provided by a certain CSP by opening a Cryptographic Context, which is a handle that connects the CSP with one of its key containers. Every cryptographic operation attempted by an application begins with opening an appropriate cryptographic context. The application must specify the CSP and the key container name it wants to use. AspEncrypt always opens a context associated with the default provider and a specified key container name, as shown in the section Manage Cryptographic Providers and Contexts.
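As an added example covering both the key-container and cryptographic-context sections (this is not AspEncrypt's own code), the following PowerShell opens a context for provider type 1 and a named key container through .NET's CspParameters and RSACryptoServiceProvider, which wrap CryptAcquireContext, and then reports where the container lives. The container name "AspEncryptDemo" and the function names are constructed for the example; the key is removed again at the end.

```powershell
# Added example: open a CryptoAPI context (provider + key container) via the
# .NET wrapper and inspect the container it maps to. Not AspEncrypt code.
function Open-CspContext {
    param(
        [string]$ContainerName,
        [switch]$MachineStore,      # set -> MachineKeys store, as used by IIS/ASP
        [int]$KeyNumber = 1         # 1 = AT_KEYEXCHANGE pair, 2 = AT_SIGNATURE pair
    )
    $p = New-Object System.Security.Cryptography.CspParameters
    $p.ProviderType     = 1          # PROV_RSA_FULL: the Base/Enhanced provider family
    $p.KeyContainerName = $ContainerName
    $p.KeyNumber        = $KeyNumber
    $flags = 'NoPrompt'
    if ($MachineStore) { $flags += ', UseMachineKeyStore' }
    $p.Flags = [System.Security.Cryptography.CspProviderFlags]$flags
    # Constructing the RSA object acquires the context; the container (and a
    # key pair of the default size) is created on first use if it does not exist.
    New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $p
}

function Show-Container {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$Rsa)
    $info = $Rsa.CspKeyContainerInfo
    [pscustomobject]@{
        Provider     = $info.ProviderName
        Container    = $info.KeyContainerName
        MachineStore = $info.MachineKeyStore          # $true -> ...\Crypto\RSA\MachineKeys
        KeyFile      = $info.UniqueKeyContainerName   # file name inside that directory
        KeySizeBits  = $Rsa.KeySize
        Exportable   = $info.Exportable
    }
}

# Constructed demo container; -MachineStore mirrors what a non-interactive
# IIS/ASP process would use.
$rsa = Open-CspContext -ContainerName 'AspEncryptDemo' -MachineStore
try {
    Show-Container $rsa | Format-List
}
finally {
    # Drop the demo container so the example leaves no key behind.
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
}
```

Running it once without -MachineStore shows the same container name landing under the per-user RSA\<user SID> directory instead, which is the distinction the text draws between stand-alone and IIS/ASP callers.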

  This site is owned and maintained by Persits Software, Inc. Copyright © 2000 - 2010. All Rights Reserved.