Persits Software, Inc. Web Site
Main Menu:  Home |  News |  Manual |  Tasks |  Object Reference |  Crypto 101 |  FAQ |  Download & Buy |  Clients |  Live Demo |  Contact
 Navigator:  Home |  Tasks |  Learn about Windows Cryptography
Start Using AspEncrypt
  Learn About Windows Cryptography
AspEncrypt is built around the Microsoft Cryptographic Application Programming Interface (CryptoAPI) which is part of the Win32 API. It is therefore important to know the basics of the Microsoft implementation of cryptography in order to understand how AspEncrypt works.

The CryptoAPI architecture is somewhat similar to ODBC in that it consists of an API layer (analogous to ODBC Manager) and a number of cryptographic modules underneath that layer that actually perform cryptographic tasks (analogous to ODBC drivers.) These modules are called Cryptographic Service Providers (CSPs). There is quite a few CSPs currently available on the market. One CSP, the Microsoft Base Cryptographic Provider, is bundled with the CryptoAPI. Another CSP, Microsoft Enhanced Cryptographic Provider is available for free from the Microsoft web site. These two CSPs are sufficient for all functions offered by AspEncrypt.

Read about CryptoAPI at MSDN/Platform SDK/CryptoAPI.

  Microsoft Cryptographic Service Providers: Overview
The Microsoft Base Cryptographic Provider 2.0 is a general-purpose provider that supports digital signatures and data encryption. This provider is currently included with the operating system (either Windows NT®, 2000, or Windows® 95/98). It is also provided with Microsoft Internet Explorer, Version 3.0 or later.

When AspEncrypt is used with the Microsoft Base Cryptographic Provider, the following algorithms are available:

PurposeNameKey or Hash Size
HashMD2128 bit
HashMD4128 bit
HashMD5128 bit
HashSHA160 bit
Symmetric EncryptionRC240 bit
Symmetric EncryptionRC440 bit
Public-Key EncryptionRSA384 - 512 bit
Public-Key SignatureRSA384 - 16,384 bit
512 bit by default

The Microsoft Enhanced Cryptographic Provider supports the same capabilities as the Microsoft Base Cryptographic Provider, but provides for stronger security through longer keys and additional algorithms. The Enhanced provider is installed on your machine when you apply the Internet Explorer 128-bit security patch available form

When AspEncrypt is used with the Microsoft Enhanced Cryptographic Provider, the following algorithms are available:

PurposeNameKey or Hash Size
HashMD2128 bit
HashMD4128 bit
HashMD5128 bit
HashSHA160 bit
Symmetric EncryptionRC2128 bit
Symmetric EncryptionRC4128 bit
Symmetric EncryptionDES56 bit
Symmetric EncryptionTriple DES (2 Keys)112 bit
Symmetric EncryptionTriple DES (3 Keys)168 bit
Public-Key EncryptionRSA1,024 bit
Public-Key SignatureRSA384 - 16,384 bit
1,024 bit by default

The Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype) (Windows XP) and Microsoft Enhanced RSA and AES Cryptographic Provider (Windows 2003) provide support for the Advanced Encryption Standard cipher (also known as Rijndael). The following key lengths are available:

PurposeNameKey Size
Symmetric EncryptionAES128 bit
Symmetric EncryptionAES192 bit
Symmetric EncryptionAES256 bit

AES is not supported on Windows NT or 2000. AES is supported on Windows XP and 2003 by the AspEncrypt versions 2.3 and higher.

Microsoft Enhanced RSA and AES Cryptographic Provider on Windows 2003 supports the long (greater than 160 bit) SHA hash functions:

PurposeNameKey Size
HashSHA-256256 bit
HashSHA-384384 bit
HashSHA-512512 bit

  Cryptographic Service Provider List in System Registry

The list all Cryptographic Service Providers installed on the current machine can be obtained from the system registry under the key


The default cryptographic provider for the current user can be found under the key

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Providers\Type 001.

  Key Databases
Each CSP has a key database in which it stores its persistent cryptographic keys. Each key database contains one or more key containers, each of which contains all the key pairs belonging to a specific user (or CryptoAPI client). Each key container has a unique name. There are usually two key pairs in each container: a key-exchange key pair and signature key pair. One key pair is used to encrypt session keys and the other to create digital signatures.

In Windows NT, the Microsoft providers store their key containers in two locations of the system registry. One location is under the key HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys. The other is under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryprography\MachineKeys. The former is usually used by a stand-alone application, and the latter by a process running on behalf of a non-interactive user, such as an IIS/ASP application.

In Windows 2000, Microsoft decided to move the key containers from the system registry to file system. They can now be found under the directories \Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\<user SID> and \Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys, respectively.

  Cryptographic Context

An application uses cryptographic services provided by a certain CSP by opening a Cryptographic Context which is a handle that connects the CSP with one of its key containers. Every cryptographic operation attempted by an application begins with opening an appropriate cryptographic context. The application must specify the CSP and key container name it wants to use. AspEncrypt always opens a context associated with the default provider and a specified key container name, as shown in the section Manage Cryptographic Providers and Contexts.

Start Using AspEncrypt

Search this Site
  This site is owned and maintained by Persits Software, Inc. Copyright © 2000 - 2010. All Rights Reserved.