Data Encryption with CryptoAPI (Windows Embedded CE 6.0)

1/6/2010

CryptoAPI provides services that let developers of Win32-based applications add data encryption and decryption, authentication with digital certificates, and ASN.1 encoding and decoding to their applications. Application developers can use the functions in CryptoAPI without detailed knowledge of the underlying implementation. CryptoAPI works with a number of cryptographic service providers (CSPs) that perform the actual cryptographic operations, such as encryption, decryption, and key storage and security.

The three elements of the Microsoft cryptographic system are the operating system, the application, and the CSP. Applications communicate with the operating system through the CryptoAPI layer and the operating system communicates with the CSPs through the cryptographic service provider interface (CSPI). The following illustration shows the concept.

[Illustration: the application calls the CryptoAPI layer, the operating system calls the CSPs through the CSPI]

CSPs are independent modules, usually a DLL, that contain the algorithms and perform all cryptographic operations. Ideally, a CSP is written to be independent of any particular application, so that any application runs with a variety of CSPs. In practice, however, some applications have specific requirements that call for a customized CSP. OEMs can write their own CSP package and add it to the registry.

The following table shows the predefined CSPs included in Windows Embedded CE.

CSP | Description
Microsoft RSA Base Provider | Supports digital signature and data encryption. It is considered to be a general-purpose cryptographic tool.
Microsoft Enhanced Cryptographic Provider | Supports 128-bit key encryption. It provides stronger security through longer keys and additional algorithms.
Microsoft DSS and Diffie-Hellman Cryptographic Provider | Supports Diffie-Hellman (D-H) key exchange, SHA hashing, DSS data signing, and DSS signature verification.
Smart Card CSP | Supports smart cards for Windows. A sample smart card CSP in source code can be found in the %_WINCEROOT%\Public\Common\Sdk\Samples\ directory. This CSP illustrates how to properly integrate a smart card with the various functions and services provided by CryptoAPI.

Applications can use CryptoAPI functions to:

  • Generate and exchange keys.
  • Encrypt and decrypt data.
  • Encode and decode certificates.
  • Manage and secure certificates.
  • Create and verify digital signatures and compute hashes.

The capabilities provided by CryptoAPI 1.0 in Windows Embedded CE are very similar to those of Windows 2000 and Windows NT; however, only a subset of CryptoAPI 2.0 is supported. The CryptoAPI 2.0 capabilities that Windows Embedded CE supports are encoding and decoding of digital certificates based on the X.509 standard, and certificate management. Not supported are the tools to manage certificate revocation lists (CRLs) and certificate trust lists (CTLs), the low-level messaging functions, and the simplified messaging functions.

Coredll.lib exports CryptoAPI 1.0 functions and Crypto32.lib exports the CryptoAPI 2.0 functions; all these functions are defined in the Wincrypt.h header file.

See Also

Concepts

Cryptography Security

Other Resources

Enhancing the Security of a Device
Cryptography
Certificates