C

CA

See Certification Authority.

CALG_DH_EPHEM

The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of ephemeral keys.

See also Diffie-Hellman (ephemeral) key-exchange algorithm.

CALG_DH_SF

The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of store-and-forward keys.

See also Diffie-Hellman (store and forward) key-exchange algorithm.

CALG_HMAC

The CryptoAPI algorithm identifier for the Hash-Based Message Authentication Code algorithm.

See also HMAC.

CALG_MAC

The CryptoAPI algorithm identifier for the Message Authentication Code algorithm.

See also Message Authentication Code algorithm.

CALG_MD2

The CryptoAPI algorithm identifier for the MD2 hash algorithm.

See also MD2 algorithm.

CALG_MD5

The CryptoAPI algorithm identifier for the MD5 hash algorithm.

See also MD5 algorithm.

CALG_RC2

The CryptoAPI algorithm identifier for the RC2 block cipher algorithm.

See also RC2 block algorithm.

CALG_RC4

The CryptoAPI algorithm identifier for the RC4 stream cipher algorithm.

See also RC4 stream algorithm.

CALG_RSA_KEYX

The CryptoAPI algorithm identifier for the RSA public-key algorithm when used for key exchange.

See also RSA public-key algorithm.

CALG_RSA_SIGN

The CryptoAPI algorithm identifier for the RSA public-key algorithm when used to generate digital signatures. See also RSA public-key algorithm.

CALG_SHA

The CryptoAPI algorithm identifier for the Secure Hash Algorithm (SHA-1).

See also Secure Hash Algorithm.

CAST

A family of DES-like symmetric block ciphers developed by C. M. Adams and S. E. Tavares.

PROV_MS_EXCHANGE provider types specify a particular CAST algorithm that uses a 64-bit block size.

CBC

See Cipher Block Chaining.

certificate

A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is.

Certificates can contain different types of data. For example, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature.

Certification Authority

(CA) A trusted organization or entity that issues certificates for authentication purposes. Before issuing the certificate the CA first authenticates the entity requesting the certificate, then issues a certificate that includes information about the requester, including the requester's public key.

certificate blob

A blob containing the certificate data.

A certificate blob is created by calls to CryptEncodeObject. The process is complete when the output of the call contains all the certificate data.

certificate context

A CERT_CONTEXT structure that contains a handle to a certificate store, a pointer to the original encoded certificate blob, a pointer to a CERT_INFO structure, and an encoding type member. It is the CERT_INFO structure that contains most of the certificate information.

certificate encode/decode functions

Functions that manage the translation of certificates and related material into standard, binary formats that can be used in different environments.

certificate encoding type

Defines how the certificate is encoded. The certificate encoding type is stored in the low-order word of the encoding type (DWORD) structure.

certificate name blob

An encoded representation of the name information that is included in certificates. Each name blob is mapped to a CERT_NAME_BOLB structure.

For example, the issuer and subject information referenced by a CERT_INFO structure is stored in two CERT_NAME_BLOB structures.

certificate request

A specially formatted electronic message (sent to a CA) used to request a certificate. The request must contain the information required by the CA to authenticate the request, plus the public key of the entity requesting the certificate.

All the information necessary to create the request is mapped to a CERT_REQUEST_INFO structure.

Certificate Revocation List

(CRL) A list maintained and published by a CA that contains those certificates that have been revoked by the CA.

Certificate Server

A server that issues certificates for a particular CA. The certificate server software provides customizable services for issuing and managing certificates used in security systems employing public-key cryptography.

Microsoft Certificate Server performs a central role in the management of software security systems to enable secure communications across the Internet, corporate intranets, and other networks that are not secure.

certificate store

Typically, a permanent storage where certificates, certificate request lists (CRLs), and certificate trust lists (CTLs) are stored. It is possible, however, to create and open a certificate store solely in memory when working with certificates that do not need to be put in permanent storage.

The certificate store is central to much of the certificate functionality in the CryptoAPI.

certificate store functions

Functions that manage the storage and retrieval data such as certificates, certificate request lists (CRLs), and certificate trust lists (CTLs).

These functions can be separated into common certificate functions, certificate revocation list functions, and certificate trust list functions.

certificate trust list

(CTL) A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.

CFB

See Cipher Feedback.

chaining mode

A block cipher mode that introduces feedback by combining ciphertext and plaintext.

See also Cipher Block Chaining.

cipher

A cryptographic algorithm used to encrypt data, to transform plaintext into ciphertext using a predefined key.

Cipher Block Chaining

(CBC) A method of operating a symmetric block cipher that uses feedback to combine previously generated ciphertext with new plaintext.

Each plaintext block is combined with the ciphertext of the previous block by a bitwise XOR before it is encrypted. Combining ciphertext and plaintext ensures that even if the plaintext contains many identical blocks, they will each encrypt to a different ciphertext block.

When the Microsoft Base Cryptographic Provider is used, CBC is the default cipher mode.

Cipher Block Chaining (CBC) MAC

A block cipher method that encrypts the base data with a block cipher and then uses the last encrypted block as the hash value. The encryption algorithm used to build the MAC is the one that was specified when the session key was created.

Cipher Feedback

(CFB) A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.

This mode uses a shift register that is one block size in length and divided into sections. For example, if the block size is 64 bits with eight bits processed at a time, then the shift register would be divided into eight sections.

cipher mode

A block cipher mode (each block is encrypted individually) that can be specified via the CryptSetKeyParam function. If the application does not explicitly specify one of these modes, then the cipher block chaining (CBC) cipher mode is used.

ECB: A block cipher mode that uses no feedback.

CBC: A block cipher mode that introduces feedback by combining ciphertext and plaintext.

CFB: A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.

OFB: A block cipher mode that uses feedback similar to CFB.

ciphertext

A message that has been encrypted.

client

The application, rather than the server application, that initiates a connection to a server.

Compare with server.

cleartext

See plaintext.

communication protocol

The method in which data is serialized (converted to a string of ones and zeros) and deserialized. The protocol is controlled by both software and data-transmission hardware.

Typically discussed in terms of layers, a simplified communication protocol might consist of an application layer, encode/decode layer, and hardware layer.

context function

Functions used to connect to a cryptographic service provider (CSP). These functions enable applications to choose a specific CSP by name, or get one with a needed class of functionality.

countersignature

A signature added to an existing signature in a message. A countersignature is used to sign an existing signature's encrypted hash or time stamp a message.

A countersignature is added by calling CryptMsgCountersign or CryptCountersignEncoded.

CRL

See Certificate Revocation List.

CRYPT_ASN_ENCODING

Specifies certificate encoding. Certificate encoding types are stored in the low-order word of a DWORD (value is: 0x00000001).

Functionally the same as X509_ASN_ENCODING.

cryptoanalysis

Cryptoanalysis is the art and science of breaking ciphertext. In contrast, the art and science of keeping messages secure is cryptography.

Cryptographic API

The Microsoft® Cryptographic API (CryptoAPI) enables application developers to add authentication, encoding, and encryption to their Win32®-based applications. Application developers can use functions in the CryptoAPI without knowing anything about the underlying implementation, in much the same way as they can use a graphics library without knowing anything about the particular graphics hardware configuration.

cryptographic algorithm

A mathematical function used for encryption and decryption. Most cryptographic algorithms are based on a substitution cipher, a transposition cipher, or a combination of both.

cryptographic key

The session (symmetric) key used during the encryption and decryption processes, and the public and private keys used during the authentication process. Of these three keys, the session key and private key must always remain secret.

cryptographic service provider

(CSP) An independent software module that contains cryptography algorithms or services that are integrated into the CryptoAPI. At a minimum, a CSP consists of a dynamic-link library (DLL) and a signature file.

Many CSPs are Microsoft® Win32® application programming interface (API) service programs, managed by the Win32 service control manager.

cryptography

The art and science of keeping messages secure. In contrast, cryptoanalysis is the art and science of breaking a secure message.

cryptology

The branch of mathematics that encompasses both cryptography and cryptoanalysis.

CSP

See cryptographic service provider.

CSP family

A unique group of CSPs that use the same set of data formats and perform their function in the same way. Even when two CSP families use the same algorithm (for example, the RC2 block cipher), their different padding schemes, keys lengths, or default modes make each group distinct.

The CryptoAPI has been designed so that each CSP type represents a particular family.

CSP name

The textual name of the CSP. If the CSP has been signed by Microsoft, this name must exactly match the CSP name that was specified in the Export Compliance Certificate (ECC).

CSP type

Indicates the CSP family associated with a provider. When an application connects to a CSP of a particular type, each of the CryptoAPI functions will, by default, operate in a way prescribed by the family that corresponds to that CSP type.

CTL

See certificate trust list.