Identifies the certification authority (CA) that issues server and client authentication certificates to the servers and clients that request these certificates. Because it contains a public key used in digital signatures, it is also referred to as a signature certificate. If the CA is a root authority, the CA certificate may be referred to as a root certificate. Also sometimes known as a site certificate.
A certification authority (CA) hierarchy contains multiple CAs. It is organized such that each CA is certified by another CA in a higher level of the hierarchy until the top of the hierarchy, also known as the root authority, is reached.
The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of ephemeral keys.
The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of store-and-forward keys.
The CryptoAPI algorithm identifier for the hash-based Message Authentication Code algorithm.
The CryptoAPI algorithm identifier for the Message Authentication Code algorithm.
The CryptoAPI algorithm identifier for the MD2 hash algorithm.
The CryptoAPI algorithm identifier for the MD5 hash algorithm.
The CryptoAPI algorithm identifier for the RC2 block cipher algorithm.
The CryptoAPI algorithm identifier for the RC4 stream cipher algorithm.
The CryptoAPI algorithm identifier for the RSA public key algorithm when used for key exchange.
The CryptoAPI algorithm identifier for the RSA public key algorithm when used to generate digital signatures.
The CryptoAPI algorithm identifier for the Secure Hash Algorithm (SHA-1).
A family of DES-like symmetric block ciphers developed by C. M. Adams and S. E. Tavares. PROV_MS_EXCHANGE provider types specify a particular CAST algorithm that uses a 64-bit block size.
A digitally signed statement that contains information about an entity and the entity`s public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a certification authority (CA) after the CA has verified that the entity is who it says it is.
Certificates can contain different types of data. For example, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA`s signature.
A BLOB that contains the certificate data.
A certificate BLOB is created by calls to CryptEncodeObject. The process is complete when the output of the call contains all the certificate data.
A CERT_CONTEXT structure that contains a handle to a certificate store, a pointer to the original encoded certificate BLOB, a pointer to a CERT_INFO structure, and an encoding type member. It is the CERT_INFO structure that contains most of the certificate information.
Functions that manage the translation of certificates and related material into standard, binary formats that can be used in different environments.
Defines how the certificate is encoded. The certificate encoding type is stored in the low-order word of the encoding type (DWORD) structure.
An encoded representation of the name information that is included in certificates. Each name BLOB is mapped to a CERT_NAME_BLOB structure.
For example, the issuer and subject information referenced by a CERT_INFO structure is stored in two CERT_NAME_BLOB structures.
A named set of rules that indicate the applicability of certificates for a specific class of applications with common security requirements. Such a policy might, for example, limit certain certificates to electronic data interchange transactions within given price limits.
A specially formatted electronic message (sent to a CA) used to request a certificate. The request must contain the information required by the CA to authenticate the request, plus the public key of the entity requesting the certificate.
All the information necessary to create the request is mapped to a CERT_REQUEST_INFO structure.
(CRL) A document maintained and published by a certification authority (CA) that lists certificates issued by the CA that are no longer valid.
A server that issues certificates for a particular CA. The certificate server software provides customizable services for issuing and managing certificates used in security systems that employ public key cryptography.
A software service that issues certificates for a particular certification authority (CA). It provides customizable services for issuing and managing certificates for the enterprise. Certificates can be used to provide authentication support, including secure e-mail, Web-based authentication, and smart card authentication.
Typically, a permanent storage where certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs) are stored. It is possible, however, to create and open a certificate store solely in memory when working with certificates that do not need to be put in permanent storage.
The certificate store is central to much of the certificate functionality in CryptoAPI.
Functions that manage the storage and retrieval data such as certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs). These functions can be separated into common certificate functions, certificate revocation list functions, and certificate trust list functions.
A Windows construct that profiles certificates (that is, it prespecifies the format and content) based on their intended usage. When requesting a certificate from a Windows enterprise certification authority (CA), certificate requesters are, depending on their access rights, able to select from a variety of certificate types that are based on certificate templates, such as User and Code Signing.
(CTL) A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.
(CA) An entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.
A block cipher mode that introduces feedback by combining ciphertext and plaintext.
A cryptographic algorithm used to encrypt data; that is, to transform plaintext into ciphertext using a predefined key.
(CBC) A method of operating a symmetric block cipher that uses feedback to combine previously generated ciphertext with new plaintext. Each plaintext block is combined with the ciphertext of the previous block by a bitwise-XOR operation before it is encrypted. Combining ciphertext and plaintext ensures that even if the plaintext contains many identical blocks, they will each encrypt to a different ciphertext block. When the Microsoft Base Cryptographic Provider is used, CBC is the default cipher mode.
A block cipher method that encrypts the base data with a block cipher and then uses the last encrypted block as the hash value. The encryption algorithm used to build the Message Authentication Code (MAC) is the one that was specified when the session key was created.
(CFB) A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.
This mode uses a shift register that is one block size in length and divided into sections. For example, if the block size is 64 bits with eight bits processed at a time, then the shift register would be divided into eight sections.
A block cipher mode (each block is encrypted individually) that can be specified by using the CryptSetKeyParam function. If the application does not explicitly specify one of these modes, then the cipher block chaining (CBC) cipher mode is used.
ECB: A block cipher mode that uses no feedback.
CBC: A block cipher mode that introduces feedback by combining ciphertext and plaintext.
CFB: A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.
OFB: A block cipher mode that uses feedback similar to CFB.
A message that has been encrypted.
The application, rather than the server application, that initiates a connection to a server.
Refers to a certificate used for client authentication, such as authenticating a Web browser on a Web server. When a Web browser client attempts to access a secured Web server, the client sends its certificate to the server to allow it to verify the client`s identity.
Certificate management protocol using cryptographic message syntax.
The method in which data is serialized (converted to a string of ones and zeros) and deserialized. The protocol is controlled by both software and data-transmission hardware.
Typically discussed in terms of layers, a simplified communication protocol might consist of an application layer, encode/decode layer, and hardware layer.
Behavior that allows the server to forward requests on behalf of the client only to a specified list of services.
Windows XP, Windows 2000, and Windows NT: Constrained delegation is not supported.
The security data relevant to a connection. A context contains information such as a session key and duration of the session.
Functions used to connect to a cryptographic service provider (CSP). These functions enable applications to choose a specific CSP by name or get one with a needed class of functionality.
A signature of an existing signature and message or a signature of an existing signature. A countersignature is used to sign the encrypted hash of an existing signature or to time stamp a message.
Previously authenticated logon data used by a security principal to establish its own identity, such as a password, or a Kerberos protocol ticket.
Encoding type that specifies certificate encoding. Certificate encoding types are stored in the low-order word of a DWORD (value is: 0x00000001). This encoding type is functionally the same as the X509_ASN_ENCODING encoding type.
Cryptanalysis is the art and science of breaking ciphertext. In contrast, the art and science of keeping messages secure is cryptography.
Application programming interface that enables application developers to add authentication, encoding, and encryption to Windows-based applications.
A mathematical function used for encryption and decryption. Most cryptographic algorithms are based on a substitution cipher, a transposition cipher, or a combination of both.
A one-way hash function that takes a variable-length input string and converts it to a fixed-length output string (called a cryptographic digest.) This fixed-length output string is probabilistically unique for every different input string and thus can act as a fingerprint of a file. When a file with a cryptographic digest is downloaded, the receiver recomputes the digest. If the output string matches the digest contained in the file, the receiver has proof that the received file was not tampered with and is identical to the file originally sent.
The session (symmetric) key used during the encryption and decryption processes, and the public and private keys used during the authentication process. Of these three keys, the session key and private key must always remain secret.
(CSP) An independent software module that actually performs cryptography algorithms for authentication, encoding, and encryption.
The art and science of information security. It includes information confidentiality, data integrity, entity authentication, and data origin authentication.
(CNG) The second generation of the CryptoAPI. CNG allows you to replace existing algorithm providers with your own providers and add new algorithms as they become available. CNG also allows the same APIs to be used from user and kernel mode applications.
The branch of mathematics that encompasses both cryptography and cryptanalysis.
The system program interface used with a cryptographic service provider (CSP).
A unique group of CSPs that use the same set of data formats and perform their function in the same way. Even when two CSP families use the same algorithm (for example, the RC2 block cipher), their different padding schemes, keys lengths, or default modes make each group distinct. CryptoAPI has been designed so that each CSP type represents a particular family.
The textual name of the CSP. If the CSP has been signed by Microsoft, this name must exactly match the CSP name that was specified in the Export Compliance Certificate (ECC).
Indicates the CSP family associated with a provider. When an application connects to a CSP of a particular type, each of the CryptoAPI functions will, by default, operate in a way prescribed by the family that corresponds to that CSP type.
An encryption algorithm that uses a 40-bit variant of a DES key where 16 bits of the 56-bit DES key are set to zero. This algorithm is implemented as specified in the IETF Draft specification for 40-bit DES. The draft specification, at the time of this writing can be found at ftp://ftp.ietf.org/internet-drafts/draft-hoffman-des40-02.txt. This algorithm is used with the ALG_ID value CALG_CYLINK_MEK.