The Microsoft® CryptoAPI provides privacy through the use of simplified message functions, low-level message functions, and base cryptographic functions. These functions provide a way for applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private-key data.
Authentication through the use of certificates is supported in the CryptoAPI by certificate encode/decode functions, and certificate store functions. A certificate is a data set that uniquely describes a particular entity, and usually incorporates that entity's public key. A certificate is issued by a Certification Authority (CA), after it has determined the authenticity of the entity. More detailed information about public keys and certificates is provided in Generating Cryptographic Keys, and Authentication Using Certificates.
The CryptoAPI programming model can be compared to the Windows GDI model in that Cryptographic Service Providers (CSP) are analogous to graphics device drivers, and the cryptographic hardware (optional) is analogous to graphics hardware. Just as well-behaved applications are not allowed to communicate directly with graphics device drivers and hardware, well-behaved applications cannot directly access the CSPs and cryptographic hardware.