Writing Secure Code for Windows Vista (Best Practices (Microsoft))
Overview
All versions of Windows add new cryptographic capabilities, but in most cases it’s a few new APIs or new algorithms. Windows Vista is different because Microsoft added a modern cryp-tographic infrastructure, called Cryptography API: Next Generation (CNG), that supports new APIs and offers kernel and user mode support, better support for crypto-agility, new cipher suites [most notably Suite B (NSA 2005)], and improved auditing.
Microsoft also improved Secure Sockets Layer and Transport Layer Security (SSL/TLS) with new cryptographic algorithms and support for Suite B. In this chapter we will explain all these subjects and more.
| Important | We want to point out that this chapter will not explain how cryptographic algorithms work, and this chapter will most certainly not turn you into a cryptographer! |
Windows Vista supports the following user mode cryptographic interfaces:
-
CNG
-
Cryptographic API 1.0 (CAPI 1.0)
-
Cryptographic API 2.0 (CAPI 2.0)
-
.NET Framework Cryptography
New cryptographic innovation will occur in CNG and .NET, and CAPI 1.0 will eventually be phased out. CAPI 2.0 will be supported because it is not a superset of CAPI 1.0. One could argue that CAPI 2.0 is named badly. It is! CAPI 2.0 is a different functionality than CAPI 1.0, CAPI 2.0 exists to manage and generate X.509 certificates and related standards; it does not support low-level cryptographic primitives like CAPI 1.0 and CNG do.