How Microsoft CryptoAPI Helps Your Code

The Microsoft CryptoAPI provides developers with a fast, clean method of incorporating cryptographic functionality into applications without having to write their own cryptographic algorithms and operations.

Tom Johnston, lead product planner for Microsoft’s Internet Security Product Unit, and Keith Vogel, lead software design engineer, provide some questions—and answers—about using CryptoAPI.

Q & A with the designers

Tom: What is Microsoft CryptoAPI?

Keith: CryptoAPI is an application programming interface (API) that provides core cryptographic functionality to developers. When building applications, developers can use CryptoAPI to incorporate public-key–based operations, such as key generation, key management, key exchange, encryption, decryption, hashing, digital signatures, and verification of signatures.

The new beta version, CryptoAPI 2.0, also includes certificate-based functionality, so developers can use certificates with public-key operations and perform the necessary encapsulations and encoding to make the certificates work. For example, someone using CryptoAPI could sign a document, attach his or her certificate to the document, encrypt it, and then send it to someone else. The recipient would then use CryptoAPI’s signature verification algorithm to decrypt the document and verify that it came from the sender.

Tom: Why would developers want to use CryptoAPI?

Keith: Developers using CryptoAPI don’t have to write their own cryptographic algorithms and operations, which are difficult to write and require special expertise. It is much easier for developers to use the cryptographic functionality provided by Microsoft through CryptoAPI.

Exportability is another reason. CryptoAPI includes a service provider model in which the actual cryptography is provided by Cryptographic Service Providers (CSPs). Developers can write applications that are CSP-independent, so CSPs of different strengths and types can be plugged in without changing the application code. This makes applications potentially easier to export, because the same version of an application can use strong cryptography domestically and export-level cryptography worldwide.

Tom: What standards does CryptoAPI support?

Keith: CryptoAPI supports X.509 v3 certificate formats and ASN.1 encoding, as well as PKCS #7 and PKCS #10 for encapsulation. This allows applications that use CryptoAPI to interoperate with other certificate-based systems that adhere to these standards.

Tom: How can developers get CryptoAPI?

Keith: CryptoAPI 1.0 is provided through Microsoft Windows NT 4.0 and Microsoft Internet Explorer 3.0 and later. CryptoAPI 1.0 will also ship with the Windows 95 update. The beta version of CryptoAPI 2.0 is available on the Microsoft Web site (http://www.microsoft.com/intdev/security/misf6_6.htm). Developers can quickly download and install the API, and it will provide the appropriate DLLs.

Tom: Is this a cross-platform solution?

Keith: Yes. Microsoft recently licensed CryptoAPI to RSA Data Security, Inc., enabling RSA to port CryptoAPI to other platforms. Microsoft will also provide cryptographic functionality for all versions of Internet Explorer.

Tom: Are there any export issues associated with CryptoAPI?

Keith: Both CryptoAPI and the default RSA Base CSP are exportable worldwide. If an application writes only to CryptoAPI and provides no other encryption itself, the export review process should be fairly straightforward for that application. However, the same encryption requirements that currently apply to cryptographic algorithms are also in effect for CryptoAPI.

Tom: How much does CryptoAPI cost?

Keith: CryptoAPI is free and currently bundled with the Windows operating system. Developers using Windows NT 4.0 or Internet Explorer 3.0 won’t pay anything for it.

Tom: What tools can developers use to write to CryptoAPI?

Keith: Developers can write to CryptoAPI using C or C++. CryptoAPI 2.0 can be called from Visual Basic, Visual Basic Scripting Edition (VBScript), and Java using ActiveX security controls. Typelibs are also available, so Visual Basic developers can use core encryption technology through CryptoAPI 1.0. Developers can access this source code as well as the CryptoAPI Application Programmer's Guide (http://www.microsoft.com/intdev/security/misf6_2.htm) on the Microsoft Web site.