The Microsoft Windows platform specific Cryptographic Application Programming Interface (also known variously as CryptoAPI , Microsoft Cryptography API , MS-CAPI or simply CAPI ) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography . It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 and enhanced in subsequent versions.
44-440: CryptoAPI supports both symmetric key algorithm and public-key cryptography , though persistent symmetric keys are not supported. It includes functionality for encrypting and decrypting data and for authentication using digital certificates . It also includes a cryptographically secure pseudorandom number generator function CryptGenRandom . CryptoAPI works with a number of CSPs ( Cryptographic Service Providers ) installed on
88-421: A block cipher , most of which use a Feistel cipher or Lai–Massey scheme with a reciprocal transformation in each round. Stream cipher A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream ( keystream ). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give
132-419: A synchronous stream cipher. By contrast, self-synchronising stream ciphers update their state based on previous plaintext or ciphertext digits. A system that incorporates the plaintext into the key is also known as an autokey cipher or autoclave cipher. In a synchronous stream cipher a stream of pseudorandom digits is generated independently of the plaintext and ciphertext messages, and then combined with
176-428: A bit in the ciphertext causes the same bit to be flipped in the plaintext. Another approach uses several of the previous N ciphertext digits to compute the keystream. Such schemes are known as self-synchronizing stream ciphers , asynchronous stream ciphers or ciphertext autokey ( CTAK ). The idea of self-synchronization was patented in 1946 and has the advantage that the receiver will automatically synchronise with
220-399: A digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher . In practice, a digit is typically a bit and the combining operation is an exclusive-or (XOR). The pseudorandom keystream is typically generated serially from a random seed value using digital shift registers . The seed value serves as
264-427: A fresh new secret key for each session/conversation (forward secrecy). When used with asymmetric ciphers for key transfer, pseudorandom key generators are nearly always used to generate the symmetric cipher session keys. However, lack of randomness in those generators or in their initialization vectors is disastrous and has led to cryptanalytic breaks in the past. Therefore, it is essential that an implementation use
308-554: A from-scratch solution. CNG also adds support for Dual_EC_DRBG , a pseudorandom number generator defined in NIST SP 800-90A that could expose the user to eavesdropping by the National Security Agency since it contains a kleptographic backdoor, unless the developer remembers to generate new base points with a different cryptographically secure pseudorandom number generator or a true random number generator and then publish
352-424: A higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to security breaches (see stream cipher attacks ); for example, when the same starting state (seed) is used twice. Stream ciphers can be viewed as approximating the action of a proven unbreakable cipher, the one-time pad (OTP). A one-time pad uses a keystream of completely random digits. The keystream
396-425: A message does not guarantee that it will remain unchanged while encrypted. Hence, often a message authentication code is added to a ciphertext to ensure that changes to the ciphertext will be noted by the receiver. Message authentication codes can be constructed from an AEAD cipher (e.g. AES-GCM ). However, symmetric ciphers cannot be used for non-repudiation purposes except by involving additional parties. See
440-486: A message to have the same secret key. All early cryptographic systems required either the sender or the recipient to somehow receive a copy of that secret key over a physically secure channel. Nearly all modern cryptographic systems still use symmetric-key algorithms internally to encrypt the bulk of the messages, but they eliminate the need for a physically secure channel by using Diffie–Hellman key exchange or some other public-key protocol to securely come to agreement on
484-430: A non-linear filtering function . Instead of a linear driving device, one may use a nonlinear update function. For example, Klimov and Shamir proposed triangular functions ( T-functions ) with a single cycle on n-bit words. For a stream cipher to be secure, its keystream must have a large period , and it must be impossible to recover the cipher's key or internal state from the keystream. Cryptographers also demand that
SECTION 10
#1733084697392528-614: A number of bits and encrypt them in a single unit, padding the plaintext to achieve a multiple of the block size. The Advanced Encryption Standard (AES) algorithm, approved by NIST in December 2001, uses 128-bit blocks. Examples of popular symmetric-key algorithms include Twofish , Serpent , AES (Rijndael), Camellia , Salsa20 , ChaCha20 , Blowfish , CAST5 , Kuznyechik , RC4 , DES , 3DES , Skipjack , Safer , and IDEA . Symmetric ciphers are commonly used to achieve other cryptographic primitives than just encryption. Encrypting
572-510: A number of newer algorithms that are part of the National Security Agency (NSA) Suite B . It is also flexible, featuring support for plugging custom cryptographic APIs into the CNG runtime. However, CNG Key Storage Providers still do not support symmetric keys. CNG works in both user and kernel mode , and also supports all of the algorithms from the CryptoAPI. The Microsoft provider that implements CNG
616-462: A practical concern. For example, 64-bit block ciphers like DES can be used to generate a keystream in output feedback (OFB) mode. However, when not using full feedback, the resulting stream has a period of around 2 blocks on average; for many applications, the period is far too low. For example, if encryption is being performed at a rate of 8 megabytes per second, a stream of period 2 blocks will repeat after about an hour. Some applications using
660-485: A private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric -key encryption, in comparison to public-key encryption (also known as asymmetric-key encryption). However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption
704-418: A reciprocal cipher, a mathematical involution on each typed-in letter. Instead of designing two kinds of machines, one for encrypting and one for decrypting, all the machines can be identical and can be set up (keyed) the same way. Examples of reciprocal ciphers include: The majority of all modern ciphers can be classified as either a stream cipher , most of which use a reciprocal XOR cipher combiner, or
748-416: A secure wireless connection. If a block cipher (not operating in a stream cipher mode) were to be used in this type of application, the designer would need to choose either transmission efficiency or implementation complexity, since block ciphers cannot directly work on blocks shorter than their block size. For example, if a 128-bit block cipher received separate 32-bit bursts of plaintext, three quarters of
792-405: A source of high entropy for its initialization. A reciprocal cipher is a cipher where, just as one enters the plaintext into the cryptography system to get the ciphertext , one could enter the ciphertext into the same place in the system to get the plaintext. A reciprocal cipher is also sometimes referred as self-reciprocal cipher . Practically all mechanical cipher machines implement
836-399: Is a 1, otherwise it repeats its previous output. This output is then (in some versions) combined with the output of a third LFSR clocked at a regular rate. The shrinking generator takes a different approach. Two LFSRs are used, both clocked regularly. If the output of the first LFSR is 1, the output of the second LFSR becomes the output of the generator. If the first LFSR outputs 0, however,
880-436: Is combined with the plaintext digits one at a time to form the ciphertext. This system was proven to be secure by Claude E. Shannon in 1949. However, the keystream must be generated completely at random with at least the same length as the plaintext and cannot be used more than once. This makes the system cumbersome to implement in many practical applications, and as a result the one-time pad has not been widely used, except for
924-503: Is housed in Bcrypt.dll. CNG also supports elliptic curve cryptography which, because it uses shorter keys for the same expected level of security , is more efficient than RSA. The CNG API integrates with the smart card subsystem by including a Base Smart Card Cryptographic Service Provider (Base CSP) module which encapsulates the smart card API. Smart card manufacturers just have to make their devices compatible with this, rather than provide
SECTION 20
#1733084697392968-404: Is insufficient to provide good security. Various schemes have been proposed to increase the security of LFSRs. Because LFSRs are inherently linear, one technique for removing the linearity is to feed the outputs of several parallel LFSRs into a non-linear Boolean function to form a combination generator . Various properties of such a combining function are critical for ensuring the security of
1012-407: Is not truly random. The proof of security associated with the one-time pad no longer holds. It is quite possible for a stream cipher to be completely insecure. A stream cipher generates successive elements of the keystream based on an internal state. This state is updated in essentially two ways: if the state changes independently of the plaintext or ciphertext messages, the cipher is classified as
1056-426: Is often used to exchange the secret key for symmetric-key encryption. Symmetric-key encryption can use either stream ciphers or block ciphers . Stream ciphers encrypt the digits (typically bytes ), or letters (in substitution ciphers) of a message one at a time. An example is ChaCha20 . Substitution ciphers are well-known ciphers, but can be easily decrypted using a frequency table . Block ciphers take
1100-636: The ISO/IEC 13888-2 standard . Another application is to build hash functions from block ciphers. See one-way compression function for descriptions of several such methods. Many modern block ciphers are based on a construction proposed by Horst Feistel . Feistel's construction makes it possible to build invertible functions from other functions that are themselves not invertible. Symmetric ciphers have historically been susceptible to known-plaintext attacks , chosen-plaintext attacks , differential cryptanalysis and linear cryptanalysis . Careful construction of
1144-441: The cryptographic key for decrypting the ciphertext stream. Stream ciphers represent a different approach to symmetric encryption from block ciphers . Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation , a block cipher primitive is used in such a way that it acts effectively as a stream cipher. Stream ciphers typically execute at
1188-489: The cipher but indicate that the cipher might have other weaknesses. Securely using a secure synchronous stream cipher requires that one never reuse the same keystream twice. That generally means a different nonce or key must be supplied to each invocation of the cipher. Application designers must also recognize that most stream ciphers provide not authenticity but privacy : encrypted messages may still have been modified in transit. Short periods for stream ciphers have been
1232-403: The data transmitted would be padding . Block ciphers must be used in ciphertext stealing or residual block termination mode to avoid padding, while stream ciphers eliminate this issue by naturally operating on the smallest unit that can be transmitted (usually bytes). Another advantage of stream ciphers in military cryptography is that the cipher stream can be generated in a separate box that
1276-432: The functions for each round can greatly reduce the chances of a successful attack. It is also possible to increase the key length or the rounds in the encryption process to better protect against attack. This, however, tends to increase the processing power and decrease the speed at which the process runs due to the amount of operations the system needs to do. Most modern symmetric-key algorithms appear to be resistant to
1320-521: The generated seed in order to remove the NSA backdoor. It is also very slow. It is only used when called for explicitly. CNG also replaces the default PRNG with CTR_DRBG using AES as the block cipher, because the earlier RNG which is defined in the now superseded FIPS 186-2 is based on either DES or SHA-1 , both which have been broken. CTR_DRBG is one of the two algorithms in NIST SP 800-90 endorsed by Schneier ,
1364-522: The keystream be free of even subtle biases that would let attackers distinguish a stream from random noise, and free of detectable relationships between keystreams that correspond to related keys or related cryptographic nonces . That should be true for all keys (there should be no weak keys ), even if the attacker can know or choose some plaintext or ciphertext . As with other attacks in cryptography, stream cipher attacks can be certificational so they are not necessarily practical ways to break
Microsoft CryptoAPI - Misplaced Pages Continue
1408-569: The keystream generator after receiving N ciphertext digits, making it easier to recover if digits are dropped or added to the message stream. Single-digit errors are limited in their effect, affecting only up to N plaintext digits. An example of a self-synchronising stream cipher is a block cipher in cipher feedback (CFB) mode . Binary stream ciphers are often constructed using linear-feedback shift registers (LFSRs) because they can be easily implemented in hardware and can be readily analysed mathematically. The use of LFSRs on their own, however,
1452-485: The machine. CSPs are the modules that do the actual work of encoding and decoding data by performing the cryptographic functions. Vendors of HSMs may supply a CSP which works with their hardware. Windows Vista features an update to the Crypto API known as Cryptography API: Next Generation ( CNG ). It has better API factoring to allow the same functions to work using a wide range of cryptographic algorithms, and includes
1496-431: The message during transmission, synchronisation is lost. To restore synchronisation, various offsets can be tried systematically to obtain the correct decryption. Another approach is to tag the ciphertext with markers at regular points in the output. If, however, a digit is corrupted in transmission, rather than added or lost, only a single digit in the plaintext is affected and the error does not propagate to other parts of
1540-430: The message. This property is useful when the transmission error rate is high; however, it makes it less likely the error would be detected without further mechanisms. Moreover, because of this property, synchronous stream ciphers are very susceptible to active attacks : if an attacker can change a digit in the ciphertext, they might be able to make predictable changes to the corresponding plaintext bit; for example, flipping
1584-419: The most critical applications. Key generation, distribution and management are critical for those applications. A stream cipher makes use of a much smaller and more convenient key such as 128 bits. Based on this key, it generates a pseudorandom keystream which can be combined with the plaintext digits in a similar fashion to the one-time pad. However, this comes at a cost. The keystream is now pseudorandom and so
1628-444: The other being Hash_DRBG. Symmetric key algorithm Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext . The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain
1672-399: The output of the second is discarded, and no bit is output by the generator. This mechanism suffers from timing attacks on the second generator, since the speed of the output is variable in a manner that depends on the second generator's state. This can be alleviated by buffering the output. Another approach to improving the security of an LFSR is to pass the entire state of a single LFSR into
1716-408: The plaintext (to encrypt) or the ciphertext (to decrypt). In the most common form, binary digits are used ( bits ), and the keystream is combined with the plaintext using the exclusive or operation (XOR). This is termed a binary additive stream cipher . In a synchronous stream cipher, the sender and receiver must be exactly in step for decryption to be successful. If digits are added or removed from
1760-407: The registers decides which of the other two is to be used; for instance, if LFSR2 outputs a 0, LFSR0 is clocked, and if it outputs a 1, LFSR1 is clocked instead. The output is the exclusive OR of the last bit produced by LFSR0 and LFSR1. The initial state of the three LFSRs is the key. The stop-and-go generator (Beth and Piper, 1984) consists of two LFSRs. One LFSR is clocked if the output of a second
1804-543: The resultant scheme, for example, in order to avoid correlation attacks . Normally LFSRs are stepped regularly. One approach to introducing non-linearity is to have the LFSR clocked irregularly, controlled by the output of a second LFSR. Such generators include the stop-and-go generator , the alternating step generator and the shrinking generator . An alternating step generator comprises three LFSRs, which we will call LFSR0, LFSR1 and LFSR2 for convenience. The output of one of
Microsoft CryptoAPI - Misplaced Pages Continue
1848-708: The stream cipher RC4 are attackable because of weaknesses in RC4's key setup routine; new applications should either avoid RC4 or make sure all keys are unique and ideally unrelated (such as generated by a well-seeded CSPRNG or a cryptographic hash function ) and that the first bytes of the keystream are discarded. The elements of stream ciphers are often much simpler to understand than block ciphers and are thus less likely to hide any accidental or malicious weaknesses. Stream ciphers are often used for their speed and simplicity of implementation in hardware, and in applications where plaintext comes in quantities of unknowable length like
1892-437: The threat of post-quantum cryptography . Quantum computers would exponentially increase the speed at which these ciphers can be decoded; notably, Grover's algorithm would take the square-root of the time traditionally required for a brute-force attack , although these vulnerabilities can be compensated for by doubling key length. For example, a 128 bit AES cipher would not be secure against such an attack as it would reduce
1936-415: The time required to test all possible iterations from over 10 quintillion years to about six months. By contrast, it would still take a quantum computer the same amount of time to decode a 256 bit AES cipher as it would a conventional computer to decode a 128 bit AES cipher. For this reason, AES-256 is believed to be "quantum resistant". Symmetric-key algorithms require both the sender and the recipient of
#391608