PKI

Microsoft PKI Cryptographic Service Providers That Every Organization Should Know About

Read time: 3 minutes, 54 seconds

Cryptographic Service Providers (CSPs) store, access and create cryptographic keys– the building blocks of PKI. In the case of certificates, what type of cryptographic service depends on the provider, different types of keys and key lengths are available with different providers. Different examples include RSA, Elliptical Key or a host of others such as DES, 3DES, etc.

For hardware solutions such as Smart Cards and Hardware Security Modules (HSMs), third party software is sometimes needed for optimal performance. Newer Next Gen KSPs and more standard Microsoft CSPs are listed below for a comparison.

Since there are so many different providers, it’s best to divide into groups based on all around capabilities in every use case. The below tables show different cryptographic methods from modern to legacy. In reviewing this list, the primary things being evaluated are what types of keys can be used, their size, protections, and compatibility.

Modern Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft Software Key Storage Provider (CNG)Standard windows software-based RSA and ECC provider.Key Exchange
Digital Signature
Data Encryption
RSA
ECC SHA1
SHA2
OCSP Response Signing (KSP Required, Provider not specific)
Microsoft Smart Card Key Storage Provider (CNG)Supports smart card key creation and useKey Exchange
Digital Signature
Data Encryption
RSA
ECC SHA1
SHA2
None

Legacy Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft RSA SChannel Cryptographic Prodvider (CAPI)Supports hashing, data signing, and signature verification. The algorithm identifier CALG_SSL3_SHAMD5 is used for SSL 3.0 and TLS 1.0 client authentication. This CSP supports key derivation for the SSL2, PCT1, SSL3 and TLS1 protocols.Key ExchangeRSA SHA1CEP Encryption
Computer
Directory Email Replication
Domain Controller
Domain Controller Authentication
IPSec
IPSec (Offline)
Kerberos Authentication
RAS and IAS Server
Router (Offline request)
Web Server
Workstation Authentication
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (CAPI)Supports Diffie-Hellman key exchange (a 40-bit DES derivative), SHA hashing, DSS data signing, and DSS signature verification. Derived from Base DSS and Diffie-Hellman Cryptographic Provider. Adds support for RC2/4, DES and 3DES encryptionDigital SignatureRSA SHA1Authenticated Session
Basic EFS
CA Exchange
Code Signing
EFS Recovery Agent
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Exchange User
Key Recovery Agent
Trust List Signing
User
User Signature Only
Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (CAPI)Supports hashing, data signing with DSS, generating Diffie-Hellman (D-H) keys, exchanging D-H keys, and exporting a D-H key. This CSP supports key derivation for the SSL3 and TLS1 protocols. This CSP supports key derivation for the SSL3 and TLS1 protocols.Key ExchangeRSA SHA1Web Server
Microsoft Base Cryptographic Provider (CAPI)A broad set of basic cryptographic functionality that can be exported to other countries or regions. No 3DES support. RC2/4 limited to 40bits.Digital Signatures
Data Encryption
RSA SHA1Administrator
Authenticated Session
Basic EFS
Code Signing
EFS Recovery Agent
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Exchange User
Trust List Signing
User
User Signature Only
Microsoft DSS Cryptographic Provider (CAPI)Provides hashing, data signing, and signature verification capability using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.Digital SignaturesRSA SHA1Authenticated Session
Code Signing
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Trust List Signing
User Signature Only

Deprecated Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft Base Smart Card Crypto Provider (CAPI)Derived from Microsoft Strong Cryptographic Provider. Communicates with Smart Card Modules (minidriver).Digital Signatures
Data Encryption
RSA SHA1None
Microsoft Strong Cryptographic Provider (CAPI)An extension of the Microsoft Base Cryptographic Provider available with Windows XP and later. Default RSA CSP. Cryptographic Provider. Supports all the same key lengths, but lacks configurable Salt length for RC encryption algorithms.Digital Signatures
Data Encryption
RSA SHA1None
Microsoft Enhanced Cryptographic Provider (CAPI)Derived from Base Cryptographic Provider. The Enhanced Provider supports stronger security through longer keys and additional algorithms. Can only generate 128bit RC2/4 keys, can import smallerDigital Signatures
Data Encryption
RSA SHA1None
Microsoft RSA and AES Cryptographic Provider (CAPI) Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.Digital Signatures
Data Encryption
RSA SHA1None
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (CAPI)A superset of the DSS Cryptographic Provider that also supports Diffie-Hellman key exchange, hashing, data signing, and signature verification using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.Diffie Hellman (Key Exchange)
Digital Signatures
RSA SHA1None

Conclusion

In conclusion, Microsoft has a wide range of available cryptographic services, suitable for any application. With these tools, Encryption Consulting has worked with Top 500 companies to secure and update PKI solutions to ensure reliability and availability for cryptographic services.

About the Author

Caedon is a Consultant at Encryption Consulting, working with PKIs, and HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk