Professional Documents
Culture Documents
CNG - Crypt Ne Gen
CNG - Crypt Ne Gen
Purpose
Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be
extensible at many levels and cryptography agnostic in behavior.
Developer audience
CNG is intended for use by developers of applications that will enable users to create and exchange documents and
other data in a secure environment, especially over nonsecure media such as the Internet. Developers should be
familiar with the C and C++ programming languages and the Windows-based programming environment.
Although not required, an understanding of cryptography or security-related subjects is advised.
If you are developing a CNG cryptographic algorithm provider or key storage provider, you must download the
Cryptographic Provider Development Kit from Microsoft.
Run-time requirements
CNG is supported beginning with Windows Server 2008 and Windows Vista. For information about run-time
requirements for a particular programming element, see the Requirements section of the reference page for that
element.
In this section
TO P IC DESC RIP T IO N
Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be
extensible at many levels and cryptography agnostic in behavior.
Features
For information about the features of CNG, see CNG Features.
Cryptographic Primitives
For more information about the cryptographic primitives in CNG, see Cryptographic Primitives.
Cryptographic Agility
One of the key value propositions of CNG is cryptographic agility, sometimes called cryptographic agnosticism.
Converting implementation of protocols like Secure Sockets Layer protocol (SSL) or transport layer security (TLS),
CMS (S/MIME), IPsec, Kerberos, and so on, to CNG, however, was required to make this ability valuable. At the CNG
level, it was necessary to provide substitution and discoverability for all the algorithm types (symmetric,
asymmetric, hash functions), random number generation, and other utility functions. The protocol-level changes
are more significant because in many cases the protocol APIs needed to add algorithm selection and other
flexibility options that did not previously exist.
CNG is first available in Windows Vista and is positioned to replace existing uses of CryptoAPI throughout the
Microsoft software stack. Third-party developers will find lots of new features in CNG, including:
A new crypto configuration system, supporting better cryptographic agility.
Finer-grained abstraction for key storage (and separation of storage from algorithm operations).
Process isolation for operations with long-term keys.
Replaceable random number generators.
Relief from export signing restrictions.
Thread-safety throughout the stack.
Kernel-mode cryptographic API.
In addition, CNG includes support for all required Suite B algorithms, including elliptic curve cryptography (ECC).
Existing CryptoAPI applications will continue to work as CNG becomes available.
Suite B Support
An important feature of CNG is its support for the Suite B algorithms. In February of 2005, the National Security
Agency (NSA) of the United States announced a coordinated set of symmetric encryption, asymmetric secret
agreement (also known as key exchange), digital signature and hash functions for future U.S. government use
called Suite B. The NSA has announced that certified Suite B implementations can and will be used for the
protection of information designated as Top Secret, Secret, and private information that, in the past was described
as Sensitive-But-Unclassified. Because of this, Suite B support is very important to application software vendors
and system integrators as well as to Microsoft.
All Suite B algorithms are publicly known. They have been developed outside the scope of the government secrecy
historically associated with cryptographic algorithm development. In this same time frame, some European
countries and regions have also proposed the same Suite B requirements for protecting their information.
Suite B cryptography recommends use of elliptic curve Diffie-Hellman (ECDH) in many existing protocols such as
the Internet Key Exchange (IKE, mainly used in IPsec), transport layer security (TLS), and Secure MIME (S/MIME).
CNG includes support for Suite B that extends to all required algorithms: AES (all key sizes), the SHA-2 family
(SHA-256, SHA-384 and SHA-512) of hashing algorithms, ECDH, and elliptic curve DSA (ECDSA) over the NIST-
standard prime curves P-256, P-384, and P-521. Binary curves, Koblitz curves, custom prime curves, and elliptic
curve Menezes-Qu-Vanstone (ECMQV) are not supported by the Microsoft algorithm providers included with
Windows Vista.
Legacy Support
CNG provides support for the current set of algorithms in CryptoAPI 1.0. Every algorithm that is currently
supported in CryptoAPI 1.0 will continue to be supported in CNG.
Auditing
To comply with some of the Common Criteria requirements in addition to providing comprehensive security, many
actions that happen in the CNG layer are audited in the Microsoft software key storage provider (KSP). The
Microsoft KSP adheres to the following guidelines to create audit records in the security log:
Key and key-pair generation failures, including self-test failures, must be audited.
Key import and export must be audited.
Key destruction failures must be audited.
Persistent keys need to be audited when they are written to and read from files.
Pair-wise consistency check failures must be audited.
Secret key validation failures, if any, must be audited, for example, parity checks on 3DES keys.
Failures in encryption, decryption, hashing, signature, verification, key exchange, and random number
generation must be audited.
Cryptographic self-tests must be audited.
In general, if a key does not have a name, it is an ephemeral key. An ephemeral key does not persist, and the
Microsoft KSP does not generate audit records for ephemeral keys. The Microsoft KSP generates audit records in
user mode in the LSA process only. No audit record is generated by kernel mode CNG. Administrators need to
configure the audit policy to obtain all KSP audit logs from the security log. An administrator must run the
following command line to configure additional audits generated by KSPs:
auditpol /set /subcategor y:"other system events" /success:enable /failure:enable
Thread Safety
Any functions that modify the same area of memory at the same time (critical sections) when being called from
separate threads are not thread safe.
Mode of Operation
CNG supports three modes of operations that can be used with symmetric block ciphers through the encryption
APIs. These modes and their supportability are listed in the following table. The mode of operation can be changed
by setting the BCRYPT_CHAINING_MODE property for the algorithm provider by using the
BCr yptSetProper ty function.
B C RY P T _C H A IN IN G_M O DE
M O DE O F O P ERAT IO N VA L UE A L GO RIT H M S STA N DA RD
The CNG API provides a set of functions that perform basic cryptographic operations such as creating hashes or
encrypting and decrypting data. For more information about these functions, see CNG Cryptographic Primitive
Functions.
CNG implements numerous cryptographic algorithms. Each algorithm or class of algorithms exposes its own
primitive API. Multiple implementations of a given algorithm can be installed at the same time; however, only one
implementation will be the default at any given time.
Each algorithm class in CNG is represented by a primitive router. Applications using the CNG primitive functions
will link to the router binary file Bcrypt.dll in user mode, or Ksecdd.sys in kernel mode before calling the functions.
Various router routines manage all of the algorithm primitives. These routers track each algorithm implementation
installed on the system and route each function call to the appropriate primitive provider module.
CNG provides primitives for the following classes of algorithms.
Symmetric encryption Algorithms used for symmetric encryption, such as AES, 3DES,
and RC4.
Signature Signature algorithms such as DSA and ECDSA. This class can
also be used with RSA.
The following illustration shows the design and function of the CNG cryptographic primitives.
The header file Bcrypt.h defines the MS_PRIMITIVE_PROVIDER constant as "Microsoft Primitive Provider". To use
the Microsoft Primitive Provider, pass this value to BCr yptOpenAlgorithmProvider .
minutes to read • Edit Online
To comply with common criteria (CC) requirements, the long-lived keys must be isolated so that they are never
present in the application process. CNG currently supports the storage of asymmetric private keys by using the
Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default.
Key isolation is enabled by default in Windows Server 2008 and Windows Vista. The key isolation feature is not
available on platforms prior to these. Also, third party KSPs are not loaded in the key isolation service (LSA
process). Only the Microsoft KSP is loaded in the key isolation service.
The LSA process is used as the key isolation process to maximize performance. All access to private keys goes
through the key storage router, which exposes a comprehensive set of functions for managing and using private
keys.
CNG stores the public portion of the stored key separately from the private portion. The public portion of a key
pair is also maintained in the key isolation service and is accessed by using local remote procedure call (LRPC). The
key storage router uses LRPC when calling into the key isolation process. All access to private keys goes through
the private key router and is audited by CNG.
As described above, a wide range of hardware storage devices can be supported. In each case, the interface to all of
these storage devices is identical. It includes functions to perform various private key operations as well as
functions that pertain to key storage and management.
CNG provides a set of APIs that are used to create, store, and retrieve cryptographic keys. For a list of these APIs,
see CNG Key Storage Functions.
Key Types
CNG supports the following key types:
Diffie-Hellman public and private keys.
Digital Signature Algorithm (DSA, FIPS 186-2) public and private keys.
RSA (PKCS #1) public and private keys.
Several legacy (CryptoAPI) public and private keys.
Elliptic Curve Cryptography public and private keys.
Supported Algorithms
CNG supports the following key algorithms.
A L GO RIT H M K EY / H A SH L EN GT H ( B IT S)
MD2 128
MD4 128
MD5 128
SHA-1 160
SHA-256 256
SHA-384 384
A L GO RIT H M K EY / H A SH L EN GT H ( B IT S)
SHA-512 512
K EY T Y P E DIREC TO RIES
K EY T Y P E DIREC TO RY
The following are some of the differences between the CryptoAPI and CNG key containers.
CNG uses different file names for key files than key files that are created by the Rsaenh.dll and Dssenh.dll legacy
CSPs. The legacy key files also have the .key extension, but CNG key files do not have the .key extension.
CNG fully supports Unicode key container names; CNG uses a hash of the Unicode container name, whereas
CryptoAPI uses a hash of the ANSI container name.
CNG is more flexible with regard to RSA key pairs. For example, CNG supports public exponents larger than 32-
bits in length, and it supports keys in which p and q are different lengths.
In CryptoAPI, the key container file is stored in a directory whose name is the textual equivalent of the user's
SID. This is no longer the case in CNG, which removes the difficulty of moving users from one domain to
another without losing all of their private keys.
The CNG KSP and key names are limited to MAX_PATH Unicode characters. The CryptoAPI CSP and key names
are limited to MAX_PATH ANSI characters.
CNG offers the capability of user-defined key properties. Users can create and associate custom properties with
keys, and have them stored with persisted keys.
When persisting a key, CNG can create two files. The first file contains the private key in the new CNG format and is
always created. This file is not usable by the legacy CryptoAPI CSPs. The second file contains the same private key
in the legacy CryptoAPI key container. The second file conforms to the format and location used by Rsaenh.dll.
Creation of the second file only occurs if the NCRYPT_WRITE_KEY_TO_LEGACY_STORE_FL AG flag is specified
when the NCr yptFinalizeKey function is called to finalize an RSA key. This feature is not supported for DSA and
DH keys.
When an application attempts to open an existing persisted key, CNG first attempts to open the native CNG file. If
this file does not exist, then CNG attempts to locate a matching key in the legacy CryptoAPI key container.
When you move or copy CryptoAPI keys from a source machine to a target machine with Windows User State
Migration Tool (USMT), CNG will fail to access the keys on the target machine. To access such migrated keys, you
must use the CryptoAPI.
minutes to read • Edit Online
You can import and export symmetric keys and asymmetric keys with CNG. And you can use key export and
import functionality to move keys between machines.
Symmetric keys
To import or export symmetric (or session) keys in which the same key is used to encrypt and decrypt some data,
you can use the BCr yptImpor tKey and BCr yptExpor tKey functions. Typically, you first export a key by using the
BCr yptExpor tKey function before importing by using the BCr yptImpor tKey function. The functions are
designed to enable encryption of exported and imported keys by using the hExportKey and hImportKey
parameters; however, the Microsoft implementation of these functions does not support encryption of exported
and imported keys.
Asymmetric keys
To import asymmetric (or public/private) key pairs in which one key is used to encrypt and the other is used to
decrypt some data, you can use either of the BCr yptImpor tKeyPair or NCr yptImpor tKey functions. A CNG
provider must encode the key pair by using a supported key BLOB type. BCr yptExpor tKey can be used to create
the encoded key BLOB. CNG Structures describes the key BLOB types and structures that Microsoft Key Storage
Provider supports.
For BCr yptExpor tKey to create a persisted key pair, the input key BLOB must contain a private key. Public keys are
not persisted.
The key name and export policy are not part of the BLOB structure defined in CNG Structures. However, if a BLOB is
of an opaque BLOB type (such as the memory image of an internal key state), the BLOB might contain the key
name and export-policy properties.
The following procedure describes how to import a persisted private key with its properties.
To impor t a persisted key
1. Create a persisted key by using the NCr yptCreatePersistedKey function.
2. Set any desired properties on the key object by using the NCr yptSetProper ty function.
3. Set the import key BLOB as a property on the key, with the BLOB type as the property name.
4. Finalize the persisted key import by using the NCr yptFinalizeKey function.
minutes to read • Edit Online
Microsoft introduced the data protection application programming interface (DPAPI) in Windows 2000. The API
consists of two functions, Cr yptProtectData and Cr yptUnprotectData . DPAPI is part of CryptoAPI and was
intended for developers who knew very little about using cryptography. The two functions could be used to
encrypt and decrypt static data on a single computer.
Cloud computing, however, often requires that content encrypted on one computer be decrypted on another.
Therefore, beginning with Windows 8, Microsoft extended the idea of using a relatively straightforward API to
encompass cloud scenarios. This new API, called DPAPI-NG, enables you to securely share secrets (keys,
passwords, key material) and messages by protecting them to a set of principals that can be used to unprotect
them on different computers after proper authentication and authorization. The following principals are currently
supported:
A group in an Active Directory forest.
Web credentials.
For more information, see the following topics:
Protection Providers
Protection Descriptors
Protected Data Format
DPAPI-NG is built on top of Cryptography Next Generation (CNG) and includes the following functions:
NCr yptCreateProtectionDescriptor
NCr yptCloseProtectionDescriptor
NCr yptProtectSecret
NCr yptQuer yProtectionDescriptorName
NCr yptRegisterProtectionDescriptorName
NCr yptStreamClose
NCr yptStreamOpenToProtect
NCr yptStreamOpenToUnprotect
NCr yptStreamUpdate
NCr yptUnprotectSecret
minutes to read • Edit Online
Beginning with Windows 8, Microsoft began distributing the providers that enable you to securely share encrypted
secrets and messages across computers. There are currently two key protection providers. The Microsoft Key
Protection provider allows you to protect content to a group in an Active Directory forest. The Microsoft Client Key
Protection provider allows you to protect content to a set of web credentials.
The correct protector to use is automatically chosen for you when the NCr yptCreateProtectionDescriptor
function parses the protection descriptor rule string your provide as input. The Microsoft Key Protection provider is
chosen for rule strings that begin with SID, SDDL, and LOCAL. The Microsoft Client Key Protection provider parses
rule strings that begin with WEBCREDENTIALS. For more information about rule strings, see Protection
Descriptors.
NOTE
Custom providers are not currently allowed.CNG DPAPI
Related topics
C
N
G
D
P
A
P
I
N
C
r
y
p
t
C
r
e
a
t
e
P
r
o
t
e
c
t
i
o
n
D
e
s
c
r
i
p
t
o
r
P
r
o
t
e
c
t
i
o
n
D
e
s
c
r
i
p
t
o
r
s
minutes to read • Edit Online
A protection descriptor rule string contains a sequential list of one or more protectors. There must be at least one
protector. If there is more than one, the protectors must be separated in the string by AND or OR . These values
must be capitalized. The following syntax shows the string format of a protection descriptor.
Descriptor = [ Protector-or
*( OR-separator Protector-or ) ]
Protector-or = Protector-and
*( AND-separator Protector-and )
OR-separator = "OR"
AND-separator = "AND"
providerName = descr
Protection descriptors can currently be defined for the following types of authorization:
A group in an Active Directory forest.
A set of web credentials.
A certificate in the user's certificate store.
Examples of protection descriptor rule strings for an Active Directory group include the following:
"SID=S-1-5-21-4392301 AND SID=S-1-5-21-3101812"
"SDDL=O:S-1-5-5-0-290724G:SYD:(A;;CCDC;;;S-1-5-5-0-290724)(A;;DC;;;WD)"
"LOCAL=user"
"LOCAL=machine"
Examples of protection descriptor rule strings for a set of web credentials include the following:
"WEBCREDENTIALS=MyPasswordName"
"WEBCREDENTIALS=MyPasswordName,myweb.com"
Examples of protection descriptor rule strings for a certificate include the following:
"CERTIFICATE=HashID:sha1_hash_of_certificate"
"CERTIFICATE=CertBlob:base64String"
The protection descriptor you specify automatically determines which key protection provider is used. For more
information, see Protection Providers.
Note that the left side of the equals sign (=) must be SID , SDDL , LOCAL , WEBCREDENTIALS , or CERTIFICATE .
These values are not case sensitive.
You must specify a rule string (or a display name associated with a rule string) when you call the
NCr yptCreateProtectionDescriptor function. Alternatively, because protection descriptor rule strings are
somewhat cumbersome to use and remember, you can associate a display name with the rule string and register
both by using the NCr yptRegisterProtectionDescriptorName function. Then you can use the display name in
NCr yptCreateProtectionDescriptor .
Related topics
C
N
G
D
P
A
P
I
P
r
o
t
e
c
t
i
o
n
P
r
o
v
i
d
e
r
s
minutes to read • Edit Online
Protected data is stored as an ASN.1 encoded BLOB. The data is formatted as CMS (certificate message syntax)
enveloped content. The digital envelope contains encrypted content, recipient information that contains an
encrypted content encryption key (CEK), and a header that contains information about the content, including the
unencrypted protection descriptor rule string. This is shown by the following diagram.
Related topics
C
N
G
D
P
A
P
I
P
r
o
t
e
c
t
i
o
n
D
e
s
c
r
i
p
t
o
r
s
P
r
o
t
e
c
t
i
o
n
P
r
o
v
i
d
e
r
s
minutes to read • Edit Online
The CNG API provides functions to enumerate and obtain information about registered providers.
Enumerating Providers
Getting Provider Registration Information
Enumerating Providers
You use the BCr yptEnumRegisteredProviders function to enumerate the registered providers. The
BCr yptEnumRegisteredProviders function can be called in one of two ways:
1. The first is to have the BCr yptEnumRegisteredProviders function allocate the memory. This is
accomplished by passing the address of a NULL pointer for the ppBuffer parameter. This code will allocate
the memory required for the CRYPT_PROVIDERS structure and the associated strings. When the
BCr yptEnumRegisteredProviders function is used in this manner, you must free the memory when it is
no longer needed by passing ppBuffer to the BCr yptFreeBuffer function.
The following example shows how to use the BCr yptEnumRegisteredProviders function to allocate the
buffer for you.
#include <windows.h>
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif
void EnumProviders1()
{
NTSTATUS status;
ULONG cbBuffer = 0;
PCRYPT_PROVIDERS pBuffer = NULL;
/*
Get the providers, letting the BCryptEnumRegisteredProviders
function allocate the memory.
*/
status = BCryptEnumRegisteredProviders(&cbBuffer, &pBuffer);
if (NT_SUCCESS(status))
{
if (pBuffer != NULL)
{
// Enumerate the providers.
for (ULONG i = 0; i < pBuffer->cProviders; i++)
{
printf("%S\n", pBuffer->rgpszProviders[i]);
}
}
}
else
{
printf("BCryptEnumRegisteredProviders failed with error "
"code 0x%08x\n", status);
}
if (NULL != pBuffer)
{
/*
Free the memory allocated by the
BCryptEnumRegisteredProviders function.
*/
BCryptFreeBuffer(pBuffer);
}
}
2. The second method is to allocate the required memory yourself. This is accomplished by calling the
BCr yptEnumRegisteredProviders function with NULL for the ppBuffer parameter. The
BCr yptEnumRegisteredProviders function will place in the value pointed to by the pcbBuffer parameter,
the required size, in bytes, of the CRYPT_PROVIDERS structure and all strings. You then allocate the
required memory and pass the address of this buffer pointer for the ppBuffer parameter in a second call to
the BCr yptEnumRegisteredProviders function.
The following example shows how to use the BCr yptEnumRegisteredProviders function to allocate and
use your own buffer.
#include <windows.h>
#include <stdio.h>
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif
void EnumProviders2()
{
NTSTATUS status;
ULONG cbBuffer = 0;
if (STATUS_BUFFER_TOO_SMALL == status)
{
// Allocate the buffer.
PCRYPT_PROVIDERS pBuffer =
(PCRYPT_PROVIDERS)LocalAlloc(LPTR, cbBuffer);
if (NULL != pBuffer)
{
// Get the providers in the buffer that was allocated.
status = BCryptEnumRegisteredProviders(
&cbBuffer,
&pBuffer);
if (NT_SUCCESS(status))
{
for (ULONG i = 0; i < pBuffer->cProviders; i++)
{
// Enumerate the providers.
printf("%S\n", pBuffer->rgpszProviders[i]);
}
}
BCryptQueryProviderRegistration(
MS_PRIMITIVE_PROVIDER,
CRYPT_UM,
BCRYPT_CIPHER_INTERFACE,
//...
);
Like the BCr yptEnumRegisteredProviders function, the BCr yptQuer yProviderRegistration function can
either allocate memory for you or you can allocate the memory yourself. The process is the same for the two
functions.
minutes to read • Edit Online
The CNG API implements an extensible provider model that lets you load a provider by specifying the required
cryptographic algorithm rather than a particular provider. The advantage is that an algorithm provider can be
replaced or upgraded and you will not have to change your code in any way to use the new provider. Also, if some
algorithm is determined to be unsafe in the future, a more secure version of that algorithm can be installed without
affecting your code. Most of the CNG APIs require a provider or an object created by a provider.
The typical steps involved in using the CNG API for cryptographic primitive operations are as follows:
1. Opening the Algorithm Provider
2. Getting or Setting Algorithm Properties
3. Creating or Importing a Key
4. Performing Cryptographic Operations
5. Closing the Algorithm Provider
For more information, see Programming Examples.
Programming Examples
The following examples describe how to perform specific cryptographic operations using CNG.
Creating a Hash with CNG
Signing Data with CNG
Encrypting Data with CNG
minutes to read • Edit Online
A hash is a one way operation that is performed on a block of data to create a unique hash value that represents
the contents of the data. No matter when the hash is performed, the same hashing algorithm performed on the
same data will always produce the same hash value. If any of the data changes, the hash value will change
appropriately.
Hashes are not useful for encrypting data because they are not intended to be used to reproduce the original data
from the hash value. Hashes are most useful to verify the integrity of the data when used with an asymmetric
signing algorithm. For example, if you hashed a text message, signed the hash, and included the signed hash value
with the original message, the recipient could verify the signed hash, create the hash value for the received
message, and then compare this hash value with the signed hash value included with the original message. If the
two hash values are identical, the recipient can be reasonably sure that the original message has not been
modified.
The size of the hash value is fixed for a particular hashing algorithm. What this means is that no matter how large
or small the data block is, the hash value will always be the same size. As an example, the SHA256 hashing
algorithm has a hash value size of 256 bits.
Creating a Hashing Object
Creating a Reusable Hashing Object
Duplicating a Hash Object
Abstract:
--*/
#include <windows.h>
#include <stdio.h>
#include <bcrypt.h>
UNREFERENCED_PARAMETER(argc);
UNREFERENCED_PARAMETER(wargv);
//create a hash
if(!NT_SUCCESS(status = BCryptCreateHash(
hAlg,
&hHash,
pbHashObject,
cbHashObject,
NULL,
0,
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptCreateHash\n", status);
goto Cleanup;
}
wprintf(L"Success!\n");
Cleanup:
if(hAlg)
{
BCryptCloseAlgorithmProvider(hAlg,0);
}
if (hHash)
{
BCryptDestroyHash(hHash);
}
if(pbHashObject)
{
HeapFree(GetProcessHeap(), 0, pbHashObject);
}
if(pbHash)
{
HeapFree(GetProcessHeap(), 0, pbHash);
}
Data signing does not protect the data. It only to verifies the integrity of the data. The sender hashes that data and
signs (encrypts) the hash by using a private key. The intended recipient performs verification by creating a hash of
the data received, decrypting the signature to obtain the original hash, and comparing the two hashes.
When data is signed, the sender creates a hash value and signs (encrypts) the hash by using a private key. This
signature is then attached to the data and sent in a message to a recipient. The hashing algorithm that was used to
create the signature must be known in advance by the recipient or identified in the message. How this is done is up
to the message protocol.
To verify the signature, the recipient extracts the data and the signature from the message. The recipient then
creates another hash value from the data, decrypts the signed hash by using the sender's public key, and compares
the two hash values. If the values are identical, the signature has been verified and the data is assumed to be
unaltered.
To create a signature by using CNG
1. Create a hash value for the data by using the CNG hashing functions. For more information about creating a
hash, see Creating a Hash With CNG.
2. Create an asymmetric key to sign the hash. You can either create a persistent key with the CNG Key Storage
Functions or an ephemeral key with the CNG Cryptographic Primitive Functions.
3. Use either the NCr yptSignHash or the BCr yptSignHash function to sign (encrypt) the hash value. This
function signs the hash value by using the asymmetric key.
4. Combine the data and signature into a message which can be sent sent to the intended recipient.
To verify a signature by using CNG
1. Extract the data and signature from the message.
2. Create a hash value for the data by using the CNG hashing functions. The hashing algorithm used must be the
same algorithm that was used to sign he hash.
3. Obtain the public portion of the asymmetric key pair that was used to sign the hash. How you obtain this key
depends on how the key was created and persisted. If the key was created or loaded with the CNG Key Storage
Functions, you will use the NCr yptOpenKey function to load the persisted key. If the key is an ephemeral key,
then it would have to have been saved to a key BLOB. You need to pass this key BLOB to either the
BCr yptImpor tKeyPair or the NCr yptImpor tKey function.
4. Pass the new hash value, the signature, and the key handle to either the NCr yptVerifySignature or the
BCr yptVerifySignature function. These functions perform verification by using the public key to decrypt the
signature and comparing the decrypted hash to the hash computed in step 2. The BCr yptVerifySignature
function will return STATUS_SUCCESS if the signature matches the hash or STATUS_INVALID_SIGNATURE if
the signature does not match the hash. The NCr yptVerifySignature function will return STATUS_SUCCESS if
the signature matches the hash or NTE_BAD_SIGNATURE if the signature does not match the hash.
Abstract:
--*/
#include <windows.h>
#include <stdio.h>
#include <bcrypt.h>
#include <ncrypt.h>
UNREFERENCED_PARAMETER(argc);
UNREFERENCED_PARAMETER(wargv);
//create a hash
if(!NT_SUCCESS(status = BCryptCreateHash(
hHashAlg,
&hHash,
pbHashObject,
cbHashObject,
NULL,
0,
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptCreateHash\n", status);
goto Cleanup;
}
if(FAILED(secStatus = NCryptSignHash(
hKey,
NULL,
pbHash,
cbHash,
pbSignature,
cbSignature,
&cbSignature,
0)))
{
wprintf(L"**** Error 0x%x returned by NCryptSignHash\n", secStatus);
goto Cleanup;
}
if(FAILED(secStatus = NCryptExportKey(
hKey,
NULL,
BCRYPT_ECCPUBLIC_BLOB,
NULL,
NULL,
0,
&cbBlob,
0)))
{
wprintf(L"**** Error 0x%x returned by NCryptExportKey\n", secStatus);
goto Cleanup;
}
if(FAILED(secStatus = NCryptExportKey(
hKey,
NULL,
BCRYPT_ECCPUBLIC_BLOB,
NULL,
pbBlob,
cbBlob,
&cbBlob,
0)))
{
wprintf(L"**** Error 0x%x returned by NCryptExportKey\n", secStatus);
goto Cleanup;
}
if(!NT_SUCCESS(status = BCryptImportKeyPair(
hSignAlg,
NULL,
BCRYPT_ECCPUBLIC_BLOB,
&hTmpKey,
pbBlob,
cbBlob,
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptImportKeyPair\n", status);
goto Cleanup;
}
if(!NT_SUCCESS(status = BCryptVerifySignature(
if(!NT_SUCCESS(status = BCryptVerifySignature(
hTmpKey,
NULL,
pbHash,
cbHash,
pbSignature,
cbSignature,
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptVerifySignature\n", status);
goto Cleanup;
}
wprintf(L"Success!\n");
Cleanup:
if(hHashAlg)
{
BCryptCloseAlgorithmProvider(hHashAlg,0);
}
if(hSignAlg)
{
BCryptCloseAlgorithmProvider(hSignAlg,0);
}
if (hHash)
{
BCryptDestroyHash(hHash);
}
if(pbHashObject)
{
HeapFree(GetProcessHeap(), 0, pbHashObject);
}
if(pbHash)
{
HeapFree(GetProcessHeap(), 0, pbHash);
}
if(pbSignature)
{
HeapFree(GetProcessHeap(), 0, pbSignature);
}
if(pbBlob)
{
HeapFree(GetProcessHeap(), 0, pbBlob);
}
if (hTmpKey)
{
BCryptDestroyKey(hTmpKey);
}
if (hKey)
{
NCryptDeleteKey(hKey, 0);
}
if (hProv)
{
NCryptFreeObject(hProv);
}
}
minutes to read • Edit Online
The primary use of any cryptography API is to encrypt and decrypt data. CNG allows you to encrypt data by using
a minimum number of function calls and allows you to perform all of the memory management. While many of
the protocol implementation details are left up to the user, CNG provides the primitives that perform the actual
data encryption and decryption tasks.
Encrypting Data
Encrypting Data Example
Decrypting Data
Encrypting Data
To encrypt data, perform the following steps:
1. Open an algorithm provider that supports encryption, such as BCRYPT_DES_ALGORITHM .
2. Create a key to encrypt the data with. A key can be created by using any of the following functions:
BCr yptGenerateKeyPair or BCr yptImpor tKeyPair for asymmetric providers.
BCr yptGenerateSymmetricKey or BCr yptImpor tKey for symmetric providers.
NOTE
Data encryption and decryption with an asymmetric key is computationally intensive compared to symmetric key
encryption. If you need to encrypt data with an asymmetric key, you should encrypt the data with a symmetric key,
encrypt the symmetric key with an asymmetric key, and include the encrypted symmetric key with the message. The
recipient can then decrypt the symmetric key and use the symmetric key to decrypt the data.
3. Obtain the size of the encrypted data. This is based on the encryption algorithm, the padding scheme (if
any), and the size of the data to be encrypted. You can obtain the encrypted data size by using the
BCr yptEncr ypt function, passing NULL for the pbOutput parameter. All other parameters must be the
same as when the data is actually encrypted except for the pbInput parameter, which is not used in this case.
4. You can either encrypt the data in place with the same buffer or encrypt the data into a separate buffer.
If you want to encrypt the data in place, pass the plaintext buffer pointer for both the pbInput and pbOutput
parameters in the BCr yptEncr ypt function. It is possible that the encrypted data size will be larger than the
unencrypted data size, so the plaintext buffer must be large enough to hold the encrypted data, not just the
plaintext. You can use the size obtained in step 3 to allocate the plaintext buffer.
If you want to encrypt the data into a separate buffer, allocate a memory buffer for the encrypted data by
using the size obtained in step 3.
5. Call the BCr yptEncr ypt function to encrypt the data. This function will write the encrypted data to the
location provided in the pbOutput parameter.
6. Persist the encrypted data as needed.
7. Repeat steps 5 and 6 until all of the data has been encrypted.
Encrypting Data Example
The following example shows how to encrypt data with CNG by using the advanced encryption standard
symmetric encryption algorithm.
Abstract:
Sample program for AES-CBC encryption using CNG
--*/
#include <windows.h>
#include <stdio.h>
#include <bcrypt.h>
void PrintBytes(
IN BYTE *pbPrintData,
IN DWORD cbDataLen)
{
DWORD dwCount = 0;
UNREFERENCED_PARAMETER(argc);
UNREFERENCED_PARAMETER(wargv);
// Allocate a buffer for the IV. The buffer is consumed during the
// encrypt/decrypt process.
pbIV= (PBYTE) HeapAlloc (GetProcessHeap (), 0, cbBlockLen);
if(NULL == pbIV)
{
wprintf(L"**** memory allocation failed\n");
goto Cleanup;
}
if(!NT_SUCCESS(status = BCryptSetProperty(
hAesAlg,
BCRYPT_CHAINING_MODE,
(PBYTE)BCRYPT_CHAIN_MODE_CBC,
sizeof(BCRYPT_CHAIN_MODE_CBC),
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptSetProperty\n", status);
goto Cleanup;
}
if(!NT_SUCCESS(status = BCryptExportKey(
hKey,
NULL,
BCRYPT_OPAQUE_KEY_BLOB,
BCRYPT_OPAQUE_KEY_BLOB,
pbBlob,
cbBlob,
&cbBlob,
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptExportKey\n", status);
goto Cleanup;
}
cbPlainText = sizeof(rgbPlaintext);
pbPlainText = (PBYTE)HeapAlloc (GetProcessHeap (), 0, cbPlainText);
if(NULL == pbPlainText)
{
wprintf(L"**** memory allocation failed\n");
goto Cleanup;
}
//
// Get the output buffer size.
//
if(!NT_SUCCESS(status = BCryptEncrypt(
hKey,
pbPlainText,
cbPlainText,
NULL,
pbIV,
cbBlockLen,
NULL,
0,
&cbCipherText,
BCRYPT_BLOCK_PADDING)))
{
wprintf(L"**** Error 0x%x returned by BCryptEncrypt\n", status);
goto Cleanup;
}
if(pbPlainText)
{
HeapFree(GetProcessHeap(), 0, pbPlainText);
}
pbPlainText = NULL;
if(!NT_SUCCESS(status = BCryptImportKey(
hAesAlg,
NULL,
BCRYPT_OPAQUE_KEY_BLOB,
&hKey,
pbKeyObject,
cbKeyObject,
pbBlob,
cbBlob,
0)))
{
wprintf(L"**** Error 0x%x returned by BCryptGenerateSymmetricKey\n", status);
goto Cleanup;
}
//
// Get the output buffer size.
//
if(!NT_SUCCESS(status = BCryptDecrypt(
hKey,
pbCipherText,
cbCipherText,
NULL,
pbIV,
cbBlockLen,
NULL,
0,
&cbPlainText,
BCRYPT_BLOCK_PADDING)))
{
wprintf(L"**** Error 0x%x returned by BCryptDecrypt\n", status);
goto Cleanup;
}
if(!NT_SUCCESS(status = BCryptDecrypt(
hKey,
pbCipherText,
cbCipherText,
NULL,
pbIV,
cbBlockLen,
pbPlainText,
cbPlainText,
&cbPlainText,
&cbPlainText,
BCRYPT_BLOCK_PADDING)))
{
wprintf(L"**** Error 0x%x returned by BCryptDecrypt\n", status);
goto Cleanup;
}
wprintf(L"Success!\n");
Cleanup:
if(hAesAlg)
{
BCryptCloseAlgorithmProvider(hAesAlg,0);
}
if (hKey)
{
BCryptDestroyKey(hKey);
}
if(pbCipherText)
{
HeapFree(GetProcessHeap(), 0, pbCipherText);
}
if(pbPlainText)
{
HeapFree(GetProcessHeap(), 0, pbPlainText);
}
if(pbKeyObject)
{
HeapFree(GetProcessHeap(), 0, pbKeyObject);
}
if(pbIV)
{
HeapFree(GetProcessHeap(), 0, pbIV);
}
Decrypting Data
To decrypt data, perform the following steps:
1. Open an algorithm provider that supports encryption, such as BCRYPT_DES_ALGORITHM .
2. Obtain the key that the data was encrypted with, and use that key to obtain a handle for the key.
3. Obtain the size of the decrypted data. This is based on the encryption algorithm, the padding scheme (if
any), and the size of the data to be decrypted. You can obtain the encrypted data size by using the
BCr yptDecr ypt function, passing NULL for the pbOutput parameter. The parameters that specify the
padding scheme and initialization vector (IV) must be the same as when the data was encrypted except for
the pbInput parameter, which is not used in this case.
4. Allocate a memory buffer for the decrypted data.
5. You can either decrypt the data in place by using the same buffer, or decrypt the data into a separate buffer.
If you want to decrypt the data in place, pass the ciphertext buffer pointer for both the pbInput and
pbOutput parameters in the BCr yptDecr ypt function.
If you want to decrypt the data into a separate buffer, allocate a memory buffer for the decrypted data by
using the size obtained in step 3.
6. Call the BCr yptDecr ypt function to decrypt the data. The parameters that specify the padding scheme and
IV must be the same as when the data was encrypted. This function will write the decrypted data to the
location provided in the pbOutput parameter.
7. Persist the decrypted data as needed.
8. Repeat steps 5 and 6 until all of the data has been decrypted.
minutes to read • Edit Online
The Cryptographic Next Generation (CNG) reference pages contain detailed descriptions of the CNG programming
elements. These pages include reference descriptions of the API for working with CNG.
Reference pages are divided into the following groups:
CNG Constants
CNG Cryptographic Configuration Functions
CNG Cryptographic Primitive Functions
CNG DPAPI Functions
CNG Helper Functions
CNG Key Storage Functions
CNG SSL Provider Functions
CNG Token Binding Functions
CNG Structures
CNG Enumerations
minutes to read • Edit Online
Beginning in Windows 10, CNG provides support for the following named elliptic curves (ANSI X9.62, X9.63, FIPS
186-2).
**BCRYPT\_ECC\_CURVE\_25519**
Nc
a u
mr
e v
e
2
5
5
1
9
S C
t u
a r
n v
d e
a 2
r 5
d 5
1
9
K 2
e 5
y 5
s
i
z
e
(
b
i
t
s
)
T
L
S
c
a
p
a
b
l
e
ON
b o
j n
e e
c
t
i
d
e
n
t
i
f
i
e
r
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP160R1**
Nb
a r
ma
e i
n
p
o
o
l
P
1
6
0
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
1
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP160T1**
Nb
a r
ma
e i
n
p
o
o
l
P
1
6
0
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
2
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP192R1**
Nb
a r
ma
e i
n
p
o
o
l
P
1
9
2
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
3
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP192T1**
Nb
a r
ma
e i
n
p
o
o
l
P
1
9
2
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
4
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP224R1**
Nb
a r
ma
e i
n
p
o
o
l
P
2
2
4
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 2
e 2
y 4
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
5
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP224T1**
Nb
a r
ma
e i
n
p
o
o
l
P
2
2
4
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 2
e 2
y 4
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
6
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP256R1**
Nb
a r
ma
e i
n
p
o
o
l
P
2
5
6
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
7
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP256T1**
Nb
a r
ma
e i
n
p
o
o
l
P
2
5
6
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
8
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP320R1**
Nb
a r
ma
e i
n
p
o
o
l
P
3
2
0
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 3
e 2
y 0
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
9
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP32
0T1**
Nb
a r
ma
e i
n
p
o
o
l
P
3
2
0
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 3
e 2
y 0
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
1
0
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP384R1**
Nb
a r
ma
e i
n
p
o
o
l
P
3
8
4
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 3
e 8
y 4
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
1
1
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP384T1**
Nb
a r
ma
e i
n
p
o
o
l
P
3
8
4
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 3
e 8
y 4
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
1
2
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP512R1**
Nb
a r
ma
e i
n
p
o
o
l
P
5
1
2
r
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 5
e 1
y 2
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
1
3
**BCRYPT\_ECC\_CURVE\_BRAINPOOLP512T1**
Nb
a r
ma
e i
n
p
o
o
l
P
5
1
2
t
1
S E
t C
a C
n B
d r
a a
r i
d n
p
o
o
l
S
t
a
n
d
a
r
d
C
u
r
v
e
s
a
n
d
C
u
r
v
e
G
e
n
e
r
a
t
i
o
n
K 5
e 1
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 3
t 6
i .
d 3
e .
n 3
t .
i 2
f .
i 8
e .
r 1
.
1
.
1
4
**BCRYPT\_ECC\_CURVE\_EC192WAPI**
Ne
a c
m1
e 9
2
w
a
p
i
S C
t h
a i
n n
d e
a s
r e
d N
a
t
i
o
n
a
l
S
t
a
n
d
a
r
d
f
o
r
W
i
r
e
l
e
s
s
L
A
N
s
(
G
B
1
5
6
2
9
.
1
1
-
2
0
0
3
)
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 1
t 5
i 6
d .
e 1
n 1
t 2
i 3
f 5
i .
e 1
r .
1
.
2
.
1
**BCRYPT\_ECC\_CURVE\_NISTP192**
Nn
a i
ms
e t
P
1
9
2
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
s
f
o
r
F
e
d
e
r
a
l
G
o
v
e
r
n
m
e
n
t
U
s
e
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
1
**BCRYPT\_ECC\_CURVE\_NISTP224**
Nn
a i
ms
e t
P
2
2
4
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
s
f
o
r
F
e
d
e
r
a
l
G
o
v
e
r
n
m
e
n
t
U
s
e
K 2
e 2
y 4
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 3
f
i
e
r
**BCRYPT\_ECC\_CURVE\_NISTP256**
Nn
a i
ms
e t
P
2
5
6
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
s
f
o
r
F
e
d
e
r
a
l
G
o
v
e
r
n
m
e
n
t
U
s
e
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
7
**BCRYPT\_ECC\_CURVE\_NISTP384**
Nn
a i
ms
e t
P
3
8
4
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
s
f
o
r
F
e
d
e
r
a
l
G
o
v
e
r
n
m
e
n
t
U
s
e
K 3
e 8
y 4
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 4
f
i
e
r
**BCRYPT\_ECC\_CURVE\_NISTP521**
Nn
a i
ms
e t
P
5
2
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
s
f
o
r
F
e
d
e
r
a
l
G
o
v
e
r
n
m
e
n
t
U
s
e
K 5
e 2
y 1
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 5
f
i
e
r
**BCRYPT\_ECC\_CURVE\_NUMSP256T1**
Nn
a u
mm
e s
P
2
5
6
t
1
S S
t p
a e
n c
d i
a f
r i
d c
a
t
i
o
n
o
f
C
u
r
v
v
e
S
e
l
e
c
t
i
o
n
a
n
d
S
u
p
p
o
r
t
e
d
C
u
r
v
e
P
a
r
a
m
e
t
e
r
s
i
n
M
S
R
E
C
C
L
i
b
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
ON
b o
j n
e e
c
t
i
d
e
n
t
i
f
i
e
r
**BCRYPT\_ECC\_CURVE\_NUMSP384T1**
Nn
a u
mm
e s
P
3
8
4
t
1
S S
t p
a e
n c
d i
a f
r i
d c
a
t
i
o
n
o
f
C
u
r
v
v
e
S
e
l
e
c
t
i
o
n
a
n
d
S
u
p
p
o
r
t
e
d
C
u
r
v
e
P
a
r
a
m
e
t
e
r
s
i
n
M
S
R
E
C
C
L
i
b
K 3
e 8
y 4
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
ON
b o
j n
e e
c
t
i
d
e
n
t
i
f
i
e
r
**BCRYPT\_ECC\_CURVE\_NUMSP512T1**
Nn
a u
mm
e s
P
5
1
2
t
1
S S
t p
a e
n c
d i
a f
r i
d c
a
t
i
o
n
o
f
C
u
r
v
v
e
S
e
l
e
c
t
i
o
n
a
n
d
S
u
p
p
o
r
t
e
d
C
u
r
v
e
P
a
r
a
m
e
t
e
r
s
i
n
M
S
R
E
C
C
L
i
b
K 5
e 1
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
ON
b o
j n
e e
c
t
i
d
e
n
t
i
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP160K1**
Ns
a e
mc
e P
1
6
0
k
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 9
i
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP160R1**
Ns
a e
mc
e P
1
6
0
r
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 8
i
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP160R1**
Ns
a e
mc
e P
1
6
0
r
2
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 0
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP192K1**
Ns
a e
mc
e P
1
9
2
k
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 1
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP192R1**
Ns
a e
mc
e P
1
9
2
r
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
1
**BCRYPT\_ECC\_CURVE\_SECP224K1**
Ns
a e
mc
e P
2
2
4
k
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 2
e 2
y 4
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 2
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP224R1**
Ns
a e
mc
e P
2
2
4
r
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 2
e 2
y 4
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 3
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP256K1**
Ns
a e
mc
e P
2
5
6
k
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 1
i 0
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP256R1**
Ns
a e
mc
e P
2
5
6
r
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
7
**BCRYPT\_ECC\_CURVE\_SECP384R1**
Ns
a e
mc
e P
3
8
4
r
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 3
e 8
y 4
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 4
f
i
e
r
**BCRYPT\_ECC\_CURVE\_SECP521R1**
Ns
a e
mc
e P
5
2
1
r
1
S R
t e
a c
n o
d m
a m
r e
d n
d
e
d
E
l
l
i
p
t
i
c
C
u
r
v
e
D
o
m
a
i
n
P
a
r
a
m
e
t
e
r
s
K 5
e 2
y 1
s
i
z
e
(
b
i
t
s
)
T Y
L e
S s
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 5
f
i
e
r
**BCRYPT\_ECC\_CURVE\_WTLS12**
Nw
a t
ml
e s
1
2
S W
t T
a L
n S
d
a
r
d
K 2
e 2
y 4
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 3
f
i
e
r
**BCRYPT\_ECC\_CURVE\_WTLS7**
Nw
a t
ml
e s
7
S W
t T
a L
n S
d
a
r
d
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 3
e .
c 1
t 3
i 2
d .
e 0
n .
t 3
i 0
f
i
e
r
**BCRYPT\_ECC\_CURVE\_WTLS9**
Nw
a t
ml
e s
9
S W
t T
a L
n S
d
a
r
d
K 1
e 6
y 0
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O2
b .
j 2
e 3
c .
t 4
i 3
d .
e 1
n .
t 4
i .
f 9
i
e
r
**BCRYPT\_ECC\_CURVE\_X962P192V1**
Nx
a 9
m6
e 2
P
1
9
2
v
1
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
1
**BCRYPT\_ECC\_CURVE\_X962P192V2**
Nx
a 9
m6
e 2
P
1
9
2
v
2
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
2
**BCRYPT\_ECC\_CURVE\_X962P192V3**
Nx
a 9
m6
e 2
P
1
9
2
v
3
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 1
e 9
y 2
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
3
**BCRYPT\_ECC\_CURVE\_X962P239V1**
Nx
a 9
m6
e 2
P
2
3
9
v
1
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 2
e 3
y 9
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
4
**BCRYPT\_ECC\_CURVE\_X962P239V2**
Nx
a 9
m6
e 2
P
2
3
9
v
2
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 2
e 3
y 9
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
5
**BCRYPT\_ECC\_CURVE\_X962P239V3**
Nx
a 9
m6
e 2
P
2
3
9
v
3
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 2
e 3
y 9
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
6
**BCRYPT\_ECC\_CURVE\_X962P256V1**
Nx
a 9
m6
e 2
P
2
5
6
v
1
S A
t N
a S
n I
d X
a 9
r .
d 6
2
K 2
e 5
y 6
s
i
z
e
(
b
i
t
s
)
T N
L o
S
c
a
p
a
b
l
e
O1
b .
j 2
e .
c 8
t 4
i 0
d .
e 1
n 0
t 0
i 4
f 5
i .
e 3
r .
1
.
7
Remarks
To use a named curve, call BCr yptOpenAlgorithmProvider using either the BCRYPT_ECDSA_ALGORITHM or
the BCRYPT_ECDH_ALGORITHM as the algorithm ID. Then, call BCr yptSetProper ty and set the
BCRYPT_ECC_CURVE_NAME property to one of the above curves or any named curves registered on the
computer as shown by the certutil -displaytEccCurve command.
Requirements
Header
Bcry
pt.h
See also
B
C
r
y
p
t
O
p
e
n
A
l
g
o
r
i
t
h
m
P
r
o
v
i
d
e
r
N
C
r
y
p
t
C
r
e
a
t
e
P
e
r
s
i
s
t
e
d
K
e
y
minutes to read • Edit Online
Beginning in Windows 10, CNG provides pre-defined algorithm handles for many algorithms. You can use these
handles in any situation that requires an algorithm handle.
BCRYPT_MD2_ALG_HANDLE A handle for the MD2 hash algorithm. Standard: RFC 1319.
BCRYPT_MD4_ALG_HANDLE A handle for the MD4 hash algorithm. Standard: RFC 1320.
BCRYPT_MD5_ALG_HANDLE A handle for the MD5 hash algorithm. Standard: RFC 1321.
BCRYPT_SHA1_ALG_HANDLE A handle for the 160-bit secure hash algorithm. Standard: FIPS
180-2, FIPS 198.
BCRYPT_SHA256_ALG_HANDLE A handle for the 256-bit secure hash algorithm. Standard: FIPS
180-2, FIPS 198.
BCRYPT_SHA384_ALG_HANDLE A handle for the 384-bit secure hash algorithm. Standard: FIPS
180-2, FIPS 198.
BCRYPT_SHA512_ALG_HANDLE A handle for the 512-bit secure hash algorithm. Standard: FIPS
180-2, FIPS 198.
Asymmetric Algorithms
C O N STA N T DESC RIP T IO N
BCRYPT_RSA_ALG_HANDLE A handle for the RSA public key algorithm Standard: PKCS #1
v1.5 and v2.0.
Remarks
Beginning in Windows 10, CNG provides pre-defined algorithm handles for many algorithms. You can use these
handles in any situation that requires an algorithm handle. However, any call to BCr yptSetProper ty fails as the
algorithm handle is shared and cannot be modified. In addition, these handles cannot be used at IRQL=DISPATCH in
kernel mode.
Related topics
B
C
r
y
p
t
O
p
e
n
A
l
g
o
r
i
t
h
m
P
r
o
v
i
d
e
r
N
C
r
y
p
t
C
r
e
a
t
e
P
e
r
s
i
s
t
e
d
K
e
y
minutes to read • Edit Online
The following identifiers are used to identify standard encryption algorithms in various CNG functions and
structures, such as the CRYPT_INTERFACE_REG structure. Third party providers may have additional algorithms
that they support.
Remarks
To use BCRYPT_ECDSA_ALGORITM or BCRYPT_ECDH_ALGORITHM , call BCr yptOpenAlgorithmProvider
with either BCRYPT_ECDSA_ALGORITHM or BCRYPT_ECDH_ALGORITHM as the pszAlgId. Then use
BCr yptSetProper ty to set the BCRYPT_ECC_CURVE_NAME property to a named algorithm listed in CNG
Named Curves.
To provider user-defined elliptic curve parameters directly, use BCr yptSetProper ty to set the
BCRYPT_ECC_PARAMETERS property. Download the Windows 10 Cryptographic Provider Developer Kit (CPDK)
for more information.
Requirements
Header
Bcry
pt.h
See also
B
C
r
y
p
t
O
p
e
n
A
l
g
o
r
i
t
h
m
P
r
o
v
i
d
e
r
N
C
r
y
p
t
C
r
e
a
t
e
P
e
r
s
i
s
t
e
d
K
e
y
minutes to read • Edit Online
The following constants are used by the CNG Data Protection API.
N
C L
R "
Y A
P N
T D
_ "
D C
E a
S n
C b
R e
_ u
D s
E e
L d
I t
M o
I t
T e
E s
R t
_ a
A p
N r
D o
t
e
c
t
i
o
n
d
e
s
c
r
i
p
t
o
r
s
t
r
i
n
g
f
o
r
a
n
A
N
D
d
e
l
i
m
i
t
e
r.
N
C L
R "
Y =
P "
T C
_ a
D n
E b
S e
C u
R s
_ e
E d
Q t
U o
A t
L e
s
t
a
p
r
o
t
e
c
t
i
o
n
d
e
s
c
r
i
p
t
o
r
s
t
r
i
n
g
f
o
r
a
n
e
q
u
a
l
s
s
i
g
n
.
N
C L
R "
Y O
P R
T "
_ C
D a
E n
S b
C e
R u
_ s
D e
E d
L
I t
M o
I t
T e
E s
R t
_ a
O p
R r
o
t
e
c
t
i
o
n
d
e
s
c
r
i
p
t
o
r
s
t
r
i
n
g
f
o
r
a
n
O
R
d
e
l
i
m
i
t
e
r.
N
C "
R L
Y O
P C
T A
_ L
K "
E
Y T
_ h
P e
R L
O O
T C
E A
C L
T p
I r
O o
N t
_ e
A c
L t
G i
O o
R n
I d
T e
H s
M c
_ r
L i
O p
C t
A o
L r
p
r
o
t
e
c
t
s
c
o
n
t
e
n
t
t
o
t
h
e
l
o
g
o
n
s
e
s
s
i
o
n
,
t
h
e
c
u
r
r
e
n
t
u
s
e
r,
o
r
t
h
e
l
o
c
a
l
m
a
c
h
i
n
e
a
s
i
d
e
n
t
i
f
i
e
d
b
y
t
h
e
f
o
l
l
o
w
i
n
g
c
o
n
s
t
a
n
t
s
:
NCRYPT_KEY
NCRYPT_KEY
NCRYPT_KEY
N
C "
R S
Y D
P D
T L
_ "
K P
E r
Y o
_ t
P e
R c
O t
T s
E
C c
T o
I n
O t
N e
_ n
A t
L t
G o
O a
R n
I S
T D
H D
M L
_ (
S S
D e
D c
L u
r
i
t
y
D
e
s
c
r
i
p
t
o
r
D
e
f
i
n
i
t
i
o
n
L
a
n
g
u
a
g
e
)
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
s
e
c
u
r
i
t
y
d
e
s
c
r
i
p
t
o
r
i
n
f
o
r
m
a
t
i
o
n
.
N
C "
R S
Y I
P D
T "
_
K T
E h
Y e
_ S
P I
R D
O p
T r
E o
C t
T e
I c
O t
N i
_ o
A n
L d
G e
O s
R c
I r
T i
H p
M t
_ o
S r
I c
D o
n
t
a
i
n
s
a
g
r
o
u
p
o
r
p
r
i
n
c
i
p
a
l
i
d
e
n
t
i
t
y
.
N
C "
R W
Y E
P B
T C
_ R
K E
E D
Y E
_ N
P T
R I
O A
T L
E S
C "
T P
I r
O o
N t
_ e
A c
L t
G s
O t
R o
I a
T u
H s
M e
_ r
W '
E s
B w
C e
R b
E
D a
E c
N c
T o
I u
A n
L t
S c
r
e
d
e
n
t
i
a
l
s
.
N
C "
R l
Y o
P g
T o
_ n
K "
E P
Y r
_ o
P t
R e
O c
T t
E s
C c
T o
I n
O t
N e
_ n
L t
O t
C o
A t
L h
_ e
L c
O u
G r
O
N r
e
n
t
l
o
g
o
n
s
e
s
s
i
o
n
.
U
s
e
r
s
w
i
l
l
n
o
t
b
e
a
b
l
e
t
o
d
e
c
r
y
p
t
t
h
e
p
r
o
t
e
c
t
e
d
c
o
n
t
e
n
t
a
f
t
e
r
l
o
g
o
f
f
o
r
r
e
b
o
o
t
.
N
C "
R m
Y a
P c
T h
_ i
K n
E e
Y "
_ P
P r
R o
O t
T e
E c
C t
T s
I c
O
N o
_ n
L t
O e
C n
A t
L t
_ o
M t
A h
C e
H l
I o
N c
E a
l
c
o
m
p
u
t
e
r.
A
l
l
u
s
e
r
s
o
n
t
h
e
l
o
c
a
l
c
o
m
p
u
t
e
r
c
a
n
d
e
c
r
y
p
t
t
h
e
p
r
o
t
e
c
t
e
d
c
o
n
t
e
n
t
.
N
C "
R u
Y s
P e
T r
_ "
K P
E r
Y o
_ t
P e
R c
O t
T s
E c
C o
T n
I t
O e
N n
_ t
L
O t
C o
A t
L h
_ e
U c
S u
E r
R r
e
n
t
u
s
e
r
s
e
s
s
i
o
n
.
O
n
l
y
t
h
i
s
u
s
e
r
o
n
t
h
e
l
o
c
a
l
c
o
m
p
u
t
e
r
w
i
l
l
b
e
a
b
l
e
t
o
d
e
c
r
y
p
t
t
h
e
p
r
o
t
e
c
t
e
d
c
o
n
t
e
n
t
.
M
S "
_ M
K i
E c
Y r
_ o
P s
R o
O f
T t
E K
C e
T y
I P
O r
N o
_ t
P e
R c
O t
V i
I o
D n
E P
R r
o
v
i
d
e
r
"
R
e
p
r
e
s
e
n
t
s
t
h
e
M
i
c
r
o
s
o
f
t
k
e
y
p
r
o
t
e
c
t
i
o
n
p
r
o
v
i
d
e
r
w
h
i
c
h
s
u
p
p
o
r
t
s
f
o
r
m
a
t
s
r
e
p
r
e
s
e
n
t
e
d
b
y
t
h
e
f
o
l
l
o
w
i
n
g
c
o
n
s
t
a
n
t
s
:
NCRYPT_KEY
NCRYPT_KEY
NCRYPT_KEY
W
I "
N W
D i
O n
W d
S o
_ w
C s
L C
I l
E i
N e
T n
_ t
K K
E e
Y y
_ P
P r
R o
O t
T e
E c
C t
T i
I o
O n
N P
_ r
P o
R v
O i
V d
I e
D r
E "
R
R
e
p
r
e
s
e
n
t
s
t
h
e
M
i
c
r
o
s
o
f
t
k
e
y
p
r
o
t
e
c
t
i
o
n
p
r
o
v
i
d
e
r
t
h
a
t
i
s
a
v
a
i
l
a
b
l
e
o
n
l
y
o
n
t
h
e
c
l
i
e
n
t
a
n
d
w
h
i
c
h
s
u
p
p
o
r
t
s
f
o
r
m
a
t
s
r
e
p
r
e
s
e
n
t
e
d
b
y
t
h
e
f
o
l
l
o
w
i
n
g
c
o
n
s
t
a
n
t
s
:
NCRYPT_KEY
Requirements
Header
NCr
yptp
rote
ct.h
minutes to read • Edit Online
The following identifiers are used to identify a CNG cryptographic interface. In CNG, an interface identifies the type
of cryptographic behavior that a provider supports. For example, a provider may be a random number generator
or it may be a hashing provider.
Requirements
Header
Bcry
pt.h;
Ncry
pt.h
minutes to read • Edit Online
The following values are used with the BCr yptGetProper ty and BCr yptSetProper ty functions to identify a
property.
B
C L
R "
Y A
P l
T g
_ o
A r
L i
G t
O h
R m
I N
T a
H m
M e
_ "
N A
A n
M u
E l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
n
a
m
e
o
f
t
h
e
a
l
g
o
r
i
t
h
m
.
B
C L
R "
Y A
P u
T t
_ h
A T
U a
T g
H L
_ e
T n
A g
G t
_ h
L "
E
N T
G h
T e
H a
u
t
h
e
n
t
i
c
a
t
i
o
n
t
a
g
l
e
n
g
t
h
s
t
h
a
t
a
r
e
s
u
p
p
o
r
t
e
d
b
y
t
h
e
a
l
g
o
r
i
t
h
m
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
B
C
R
Y
P
T
_
A
U
T
H
_
T
A
G
_
L
E
N
G
T
H
S
_
S
T
R
U
C
T
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
a
l
g
o
r
i
t
h
m
s
.
B
C L
R "
Y B
P l
T o
_ c
B k
L L
O e
C n
K g
_ t
L h
E "
N
G T
T h
H e
s
i
z
e
,
i
n
b
y
t
e
s
,
o
f
a
c
i
p
h
e
r
b
l
o
c
k
f
o
r
t
h
e
a
l
g
o
r
i
t
h
m
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
b
l
o
c
k
c
i
p
h
e
r
a
l
g
o
r
i
t
h
m
s
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
B
C L
R "
Y B
P l
T o
_ c
B k
L S
O i
C z
K e
_ L
S i
I s
Z t
E "
_ A
L l
I i
S s
T t
o
f
t
h
e
b
l
o
c
k
l
e
n
g
t
h
s
s
u
p
p
o
r
t
e
d
b
y
a
n
e
n
c
r
y
p
t
i
o
n
a
l
g
o
r
i
t
h
m
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
n
a
r
r
a
y
o
f
D
W
O
R
D
s
.
T
h
e
n
u
m
b
e
r
o
f
e
l
e
m
e
n
t
s
i
n
t
h
e
a
r
r
a
y
c
a
n
b
e
d
e
t
e
r
m
i
n
e
d
b
y
d
i
v
i
d
i
n
g
t
h
e
n
u
m
b
e
r
o
f
b
y
t
e
s
r
e
t
r
i
e
v
e
d
b
y
t
h
e
s
i
z
e
o
f
a
s
i
n
g
l
e
D
W
O
R
D
.
B
C L
R "
Y C
P h
T a
_ i
C n
H i
A n
I g
N M
I o
N d
G e
_ "
M A
O p
D o
E i
n
t
e
r
t
o
a
n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
r
e
p
r
e
s
e
n
t
s
t
h
e
c
h
a
i
n
i
n
g
m
o
d
e
o
f
t
h
e
e
n
c
r
y
p
t
i
o
n
a
l
g
o
r
i
t
h
m
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
b
e
s
e
t
o
n
a
n
a
l
g
o
r
i
t
h
m
h
a
n
d
l
e
o
r
a
k
e
y
h
a
n
d
l
e
t
o
o
n
e
o
f
t
h
e
f
o
l
l
o
w
i
n
g
v
a
l
u
e
s
.
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
BL
C"
RC
Yh
Pa
Ti
_n
Ci
Hn
Ag
IM
No
_d
Me
OC
DB
EC
_"
C
B
C
BL
C"
RI C
Yh
D
EP a
N
Ti
T
_I nV
FC Ai
IHLn
EA U
g
RE
IM
No
_d
Me
OC
DC
EM
_"
C
C
M
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
BL
C"
RC
Yh
Pa
Ti
_n
Ci
Hn
Ag
IM
No
_d
Me
OC
DF
EB
_"
C
F
B
I
D
E
N
T
I V
FA
I L
EU
RE
BL
C"
RC
Yh
Pa
Ti
_n
Ci
Hn
Ag
IM
No
_d
Me
OE
DC
EB
_"
E
C
B
BL
C"
RC
YI h
Pa
D
ET i
N
_n
T
CI iV
FHAn
IA Lg
EI U
M
RE
No
_d
Me
OG
DC
EM
_"
G
C
M
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
BL
C"
RC
Yh
Pa
Ti
_n
Ci
Hn
Ag
IM
No
_d
Me
ON
D/
EA
_"
N
A
B
C L
R "
Y D
P H
T P
_ a
D r
H a
_ m
P e
A t
R e
r
A s
M "
E
T S
E p
R e
S c
i
f
i
e
s
p
a
r
a
m
e
t
e
r
s
t
o
u
s
e
w
i
t
h
a
D
i
f
f
i
e
-
H
e
l
l
m
a
n
k
e
y
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
p
o
i
n
t
e
r
t
o
a
B
C
R
Y
P
T
_
D
H
_
P
A
R
A
M
E
T
E
R
_
H
E
A
D
E
R
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
a
n
d
m
u
s
t
b
e
s
e
t
f
o
r
t
h
e
k
e
y
b
e
f
o
r
e
t
h
e
k
e
y
i
s
c
o
m
p
l
e
t
e
d
.
B
C L
R "
Y D
P S
T A
_ P
D a
S r
A a
_ m
P e
A t
R e
A r
M s
E "
T S
E p
R e
S c
i
f
i
e
s
p
a
r
a
m
e
t
e
r
s
t
o
u
s
e
w
i
t
h
a
D
S
A
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
B
C
R
Y
P
T
_
D
S
A
_
P
A
R
A
M
E
T
E
R
_
H
E
A
D
E
R
o
r
a
B
C
R
Y
P
T
_
D
S
A
_
P
A
R
A
M
E
T
E
R
_
H
E
A
D
E
R
_
V
2
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
a
n
d
m
u
s
t
b
e
s
e
t
f
o
r
t
h
e
k
e
y
b
e
f
o
r
e
t
h
e
k
e
y
i
s
c
o
m
p
l
e
t
e
d
.
W
i
n
d
o
w
s
8
:
B
e
g
i
n
n
i
n
g
w
i
t
h
W
i
n
d
o
w
s
8
,
t
h
i
s
p
r
o
p
e
r
t
y
c
a
n
b
e
a
B
C
R
Y
P
T
_
D
S
A
_
P
A
R
A
M
E
T
E
R
_
H
E
A
D
E
R
_
V
2
s
t
r
u
c
t
u
r
e
.
U
s
e
t
h
i
s
s
t
r
u
c
t
u
r
e
i
f
t
h
e
k
e
y
s
i
z
e
e
x
c
e
e
d
s
1
0
2
4
b
i
t
s
a
n
d
i
s
l
e
s
s
t
h
a
n
o
r
e
q
u
a
l
t
o
3
0
7
2
b
i
t
s
.
I
f
t
h
e
k
e
y
s
i
z
e
i
s
g
r
e
a
t
e
r
t
h
a
n
o
r
e
q
u
a
l
t
o
5
1
2
b
u
t
l
e
s
s
t
h
a
n
o
r
e
q
u
a
l
t
o
1
0
2
4
b
i
t
s
,
u
s
e
t
h
e
B
C
R
Y
P
T
_
D
S
A
_
P
A
R
A
M
E
T
E
R
_
H
E
A
D
E
R
s
t
r
u
c
t
u
r
e
.
B
C L
R "
Y E
P f
T f
_ e
E c
F t
F i
E v
C e
T K
I e
V y
E L
_ e
K n
E g
Y t
_ h
L "
E
N T
G h
T e
H s
i
z
e
,
i
n
b
i
t
s
,
o
f
t
h
e
e
f
f
e
c
t
i
v
e
l
e
n
g
t
h
o
f
a
n
R
C
2
k
e
y
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
B
C L
R "
Y H
P a
T s
_ h
H B
A l
S o
H c
_ k
B L
L e
O n
C g
K t
_ h
L "
E T
N h
G e
T s
H i
z
e
,
i
n
b
y
t
e
s
,
o
f
t
h
e
b
l
o
c
k
f
o
r
a
h
a
s
h
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
h
a
s
h
a
l
g
o
r
i
t
h
m
s
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
B
C L
R "
Y H
P a
T s
_ h
H D
A i
S g
H e
_ s
L t
E L
N e
G n
T g
H t
h
"
T
h
e
s
i
z
e
,
i
n
b
y
t
e
s
,
o
f
t
h
e
h
a
s
h
v
a
l
u
e
o
f
a
h
a
s
h
p
r
o
v
i
d
e
r.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
B
C L
R "
Y H
P a
T s
_ h
H O
A I
S D
H L
_ i
O s
I t
D "
_ T
L h
I e
S l
T i
s
t
o
f
D
E
R
-
e
n
c
o
d
e
d
h
a
s
h
i
n
g
o
b
j
e
c
t
i
d
e
n
t
i
f
i
e
r
s
(
O
I
D
s
)
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
B
C
R
Y
P
T
_
O
I
D
_
L
I
S
T
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
r
e
a
d
.
B
C L
R "
Y I
P V
T "
_ C
I o
N n
I t
T a
I i
A n
L s
I t
Z h
A e
T i
I n
O i
N t
_ i
V a
E l
C i
T z
O a
R t
i
o
n
v
e
c
t
o
r
(
I
V
)
f
o
r
a
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
B
C L
R "
Y K
P e
T y
_ L
K e
E n
Y g
_ t
L h
E "
N T
G h
T e
H s
i
z
e
,
i
n
b
i
t
s
,
o
f
t
h
e
k
e
y
v
a
l
u
e
o
f
a
s
y
m
m
e
t
r
i
c
k
e
y
p
r
o
v
i
d
e
r.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
B
C L
R "
Y K
P e
T y
_ L
K e
E n
Y g
_ t
L h
E s
N "
G T
T h
H e
S k
e
y
l
e
n
g
t
h
s
t
h
a
t
a
r
e
s
u
p
p
o
r
t
e
d
b
y
t
h
e
a
l
g
o
r
i
t
h
m
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
B
C
R
Y
P
T
_
K
E
Y
_
L
E
N
G
T
H
S
_
S
T
R
U
C
T
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
a
l
g
o
r
i
t
h
m
s
.
B
C L
R "
Y K
P e
T y
_ O
K b
E j
Y e
_ c
O t
B L
J e
E n
C g
T t
_ h
L "
E T
N h
G i
T s
H p
r
o
p
e
r
t
y
i
s
n
o
t
u
s
e
d
.
T
h
e
B
C
R
Y
P
T
_
O
B
J
E
C
T
_
L
E
N
G
T
H
p
r
o
p
e
r
t
y
i
s
u
s
e
d
t
o
o
b
t
a
i
n
t
h
i
s
i
n
f
o
r
m
a
t
i
o
n
.
B
C L
R "
Y K
P e
T y
_ S
K t
E r
Y e
_ n
S g
T t
R h
E "
N T
G h
T e
H n
u
m
b
e
r
o
f
b
i
t
s
i
n
t
h
e
k
e
y
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
B
C L
R "
Y M
P e
T s
_ s
M a
E g
S e
S B
A l
G o
E c
_ k
B L
L e
O n
C g
K t
_ h
L "
E
N T
G h
T i
H s
c
a
n
b
e
s
e
t
o
n
a
n
y
k
e
y
h
a
n
d
l
e
t
h
a
t
h
a
s
t
h
e
C
F
B
c
h
a
i
n
i
n
g
m
o
d
e
s
e
t
.
B
y
d
e
f
a
u
l
t
,
t
h
i
s
p
r
o
p
e
r
t
y
i
s
s
e
t
t
o
1
f
o
r
8
-
b
i
t
C
F
B
.
S
e
t
t
i
n
g
i
t
t
o
t
h
e
b
l
o
c
k
s
i
z
e
i
n
b
y
t
e
s
c
a
u
s
e
s
f
u
l
l
-
b
l
o
c
k
C
F
B
t
o
b
e
u
s
e
d
.
F
o
r
X
T
S
k
e
y
s
i
t
i
s
u
s
e
d
t
o
s
e
t
t
h
e
s
i
z
e
,
i
n
b
y
t
e
s
,
o
f
t
h
e
X
T
S
D
a
t
a
U
n
i
t
(
c
o
m
m
o
n
l
y
5
1
2
o
r
4
0
9
6
)
.
B
C L
R "
Y M
P u
T l
_ t
M i
U O
L b
T j
I e
_ c
O t
B L
J e
E n
C g
T t
_ h
L "
E
N T
G h
T i
H s
p
r
o
p
e
r
t
y
r
e
t
u
r
n
s
a
B
C
R
Y
P
T
_
M
U
L
T
I
_
O
B
J
E
C
T
_
L
E
N
G
T
H
_
S
T
R
U
C
T
,
w
h
i
c
h
c
o
n
t
a
i
n
s
i
n
f
o
r
m
a
t
i
o
n
n
e
c
e
s
s
a
r
y
t
o
c
a
l
c
u
l
a
t
e
t
h
e
s
i
z
e
o
f
a
n
o
b
j
e
c
t
b
u
f
f
e
r.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
o
n
l
y
s
u
p
p
o
r
t
e
d
o
n
o
p
e
r
a
t
i
n
g
s
y
s
t
e
m
v
e
r
s
i
o
n
s
t
h
a
t
s
u
p
p
o
r
t
t
h
e
B
C
r
y
p
t
C
r
e
a
t
e
M
u
l
t
i
H
a
s
h
f
u
n
c
t
i
o
n
.
B
C L
R "
Y O
P b
T j
_ e
O c
B t
J L
E e
C n
T g
_ t
L h
E "
N T
G h
T e
H s
i
z
e
,
i
n
b
y
t
e
s
,
o
f
t
h
e
s
u
b
o
b
j
e
c
t
o
f
a
p
r
o
v
i
d
e
r.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
C
u
r
r
e
n
t
l
y
,
t
h
e
h
a
s
h
a
n
d
s
y
m
m
e
t
r
i
c
c
i
p
h
e
r
a
l
g
o
r
i
t
h
m
p
r
o
v
i
d
e
r
s
u
s
e
c
a
l
l
e
r
-
a
l
l
o
c
a
t
e
d
b
u
f
f
e
r
s
t
o
s
t
o
r
e
t
h
e
i
r
s
u
b
o
b
j
e
c
t
s
.
F
o
r
e
x
a
m
p
l
e
,
t
h
e
h
a
s
h
p
r
o
v
i
d
e
r
r
e
q
u
i
r
e
s
y
o
u
t
o
a
l
l
o
c
a
t
e
m
e
m
o
r
y
f
o
r
t
h
e
h
a
s
h
o
b
j
e
c
t
o
b
t
a
i
n
e
d
w
i
t
h
t
h
e
B
C
r
y
p
t
C
r
e
a
t
e
H
a
s
h
f
u
n
c
t
i
o
n
.
T
h
i
s
p
r
o
p
e
r
t
y
p
r
o
v
i
d
e
s
t
h
e
b
u
f
f
e
r
s
i
z
e
f
o
r
a
p
r
o
v
i
d
e
r
'
s
o
b
j
e
c
t
s
o
y
o
u
c
a
n
a
l
l
o
c
a
t
e
m
e
m
o
r
y
f
o
r
t
h
e
o
b
j
e
c
t
c
r
e
a
t
e
d
b
y
t
h
e
p
r
o
v
i
d
e
r.
B
C L
R "
Y P
P a
T d
_ d
P i
A n
D g
D S
I c
N h
G e
_ m
S e
C s
H "
E
M R
E e
S p
r
e
s
e
n
t
s
t
h
e
p
a
d
d
i
n
g
s
c
h
e
m
e
o
f
t
h
e
R
S
A
a
l
g
o
r
i
t
h
m
p
r
o
v
i
d
e
r.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
T
h
i
s
c
a
n
b
e
o
n
e
o
f
t
h
e
f
o
l
l
o
w
i
n
g
v
a
l
u
e
s
.
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
B0
Cx
R0
Y0
P0
T0
_0
S0
U0
P1
P
O
R
T
E
D
_
P
A
D
_
R
O
U
T
E
R
I
D
E
N
T
I V
FA
I L
EU
RE
B0
Cx
R0
Y0
P0
T0
_0
S0
U0
P2
P
O
R
T
E
D
_
P
A
D
_
P
K
C
S
1
_
E
N
C
I
D
E
N
T
I V
FA
I L
EU
RE
B0
Cx
R0
Y0
P0
T0
_0
S0
U0
P4
P
O
R
T
E
D
_
P
A
D
_
P
K
C
S
1
_
S
I
G
I
D
E
N
T
I V
FA
I L
EU
RE
B0
Cx
R0
Y0
P0
T0
_0
S0
U0
P8
P
O
R
T
E
D
_
P
A
D
_
O
A
E
P
I
D
E
N
T
I V
FA
I L
EU
RE
B0
Cx
R0
Y0
P0
T0
_0
S0
U1
P0
P
O
R
T
E
D
_
P
A
D
_
P
S
S
B
C L
R "
Y P
P r
T o
_ v
P i
R d
O e
V r
I H
D a
E n
R d
_ l
H e
A "
N
D T
L h
E e
h
a
n
d
l
e
o
f
t
h
e
C
N
G
p
r
o
v
i
d
e
r
t
h
a
t
c
r
e
a
t
e
d
t
h
e
o
b
j
e
c
t
p
a
s
s
e
d
i
n
t
h
e
h
O
b
j
e
c
t
p
a
r
a
m
e
t
e
r.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
B
C
R
Y
P
T
_
A
L
G
_
H
A
N
D
L
E
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
r
e
t
r
i
e
v
e
d
;
i
t
c
a
n
n
o
t
b
e
s
e
t
.
B
C L
R "
Y S
P i
T g
_ n
S a
I t
G u
N r
A e
T L
U e
R n
E g
_ t
L h
E "
N T
G h
T e
H s
i
z
e
,
i
n
b
y
t
e
s
,
o
f
t
h
e
l
e
n
g
t
h
o
f
a
s
i
g
n
a
t
u
r
e
f
o
r
a
k
e
y
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
D
W
O
R
D
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
r
e
t
r
i
e
v
e
d
;
i
t
c
a
n
n
o
t
b
e
s
e
t
.
Requirements
Header
Bcry
pt.h
minutes to read • Edit Online
N
C L
R "
Y A
P l
T g
_ o
A r
L i
G t
O h
R m
I G
T r
H o
M u
_ p
G "
R A
O n
U u
P l
_ l
P -
R t
O e
P r
E m
R i
T n
Y a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
n
a
m
e
o
f
t
h
e
o
b
j
e
c
t
'
s
a
l
g
o
r
i
t
h
m
g
r
o
u
p
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
T
h
e
f
o
l
l
o
w
i
n
g
i
d
e
n
t
i
f
i
e
r
s
a
r
e
r
e
t
u
r
n
e
d
b
y
t
h
e
M
i
c
r
o
s
o
f
t
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r.
I
D
E
N
T
I V
FA
I L
EU
RE
N"
CR
RS
YA
P"
T
_
R
S
A
_
A
L
G
O
R
I
T
H
M
_
G
R
O
U
P
I
D
E
N
T
I V
FA
I L
EU
RE
N"
CD
RH
Y"
P
T
_
D
H
_
A
L
G
O
R
I
T
H
M
_
G
R
O
U
P
I
D
E
N
T
I V
FA
I L
EU
RE
N"
CD
RS
YA
P"
T
_
D
S
A
_
A
L
G
O
R
I
T
H
M
_
G
R
O
U
P
I
D
E
N
T
I V
FA
I L
EU
RE
N"
CE
RC
YD
PS
TA
_"
E
C
D
S
A
_
A
L
G
O
R
I
T
H
M
_
G
R
O
U
P
I
D
E
N
T
I V
FA
I L
EU
RE
N"
CE
RC
YD
PH
T"
_
E
C
D
H
_
A
L
G
O
R
I
T
H
M
_
G
R
O
U
P
N
C L
R "
Y A
P l
g
T o
_ r
A i
L t
G h
O m
R N
I a
T m
H e
M "
_
P A
R n
O u
P l
E l
R -
T t
Y e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
n
a
m
e
o
f
t
h
e
o
b
j
e
c
t
'
s
a
l
g
o
r
i
t
h
m
.
T
h
i
s
c
a
n
b
e
o
n
e
o
f
t
h
e
p
r
e
d
e
f
i
n
e
d
C
N
G
A
l
g
o
r
i
t
h
m
I
d
e
n
t
i
f
i
e
r
s
o
r
a
n
o
t
h
e
r
r
e
g
i
s
t
e
r
e
d
a
l
g
o
r
i
t
h
m
i
d
e
n
t
i
f
i
e
r.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
N
C L
R "
Y S
P m
T a
_ r
A t
S C
S a
O r
C d
I A
A s
T s
E o
D c
_ i
E a
C t
D e
H d
_ E
K C
E D
Y H
K
e
y
"
A
n
L
P
W
S
T
R
v
a
l
u
e
t
h
a
t
i
n
d
i
c
a
t
e
s
t
h
e
c
o
n
t
a
i
n
e
r
n
a
m
e
o
f
t
h
e
E
l
l
i
p
t
i
c
C
u
r
v
e
D
i
f
f
i
e
-
H
e
l
l
m
a
n
(
E
C
D
H
)
k
e
y
t
o
u
s
e
d
u
r
i
n
g
l
o
g
o
n
f
o
r
a
g
i
v
e
n
h
a
n
d
l
e
t
o
a
n
E
l
l
i
p
t
i
c
C
u
r
v
e
D
i
g
i
t
a
l
S
i
g
n
a
t
u
r
e
A
l
g
o
r
i
t
h
m
(
E
C
D
S
A
)
k
e
y
.
I
f
t
h
e
r
e
a
r
e
n
o
E
C
D
H
k
e
y
s
o
n
t
h
e
c
a
r
d
,
t
h
e
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
(
K
S
P
)
r
e
t
u
r
n
s
N
T
E
_
N
O
T
_
F
O
U
N
D
.
T
h
i
s
p
r
o
p
e
r
t
y
a
p
p
l
i
e
s
t
o
E
C
D
S
A
k
e
y
s
f
o
r
l
o
g
o
n
w
i
t
h
s
m
a
r
t
c
a
r
d
s
.
T
h
e
p
r
o
p
e
r
t
y
i
s
s
u
p
p
o
r
t
e
d
b
y
t
h
e
M
i
c
r
o
s
o
f
t
S
m
a
r
t
C
a
r
d
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
a
n
d
n
o
t
b
y
t
h
e
M
i
c
r
o
s
o
f
t
S
o
f
t
w
a
r
e
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r.
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
a
n
d
W
i
n
d
o
w
s
V
i
s
t
a
:
T
h
i
s
v
a
l
u
e
i
s
n
o
t
s
u
p
p
o
r
t
e
d
.
N
C L
R "
Y B
P l
T o
_ c
B k
L L
O e
C n
K g
_ t
L h
E "
N A
G D
T W
H O
_ R
P D
R t
O h
P a
E t
R c
T o
Y n
t
a
i
n
s
t
h
e
l
e
n
g
t
h
,
i
n
b
y
t
e
s
,
o
f
t
h
e
e
n
c
r
y
p
t
i
o
n
b
l
o
c
k
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
t
h
a
t
s
u
p
p
o
r
t
e
n
c
r
y
p
t
i
o
n
.
N
C L
R "
Y S
P m
T a
_ r
C t
E C
R a
T r
I d
F K
I e
C y
A C
T e
E r
_ t
P i
R f
O i
P c
E a
R t
T e
Y "
A
B
L
O
B
t
h
a
t
c
o
n
t
a
i
n
s
a
n
X
.
5
0
9
c
e
r
t
i
f
i
c
a
t
e
t
h
a
t
i
s
a
s
s
o
c
i
a
t
e
d
w
i
t
h
t
h
e
k
e
y
.
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
R
2
,
W
i
n
d
o
w
s
7
,
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
a
n
d
W
i
n
d
o
w
s
V
i
s
t
a
:
A
B
L
O
B
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
s
m
a
r
t
c
a
r
d
k
e
y
c
e
r
t
i
f
i
c
a
t
e
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
n
o
t
s
u
p
p
o
r
t
e
d
b
y
t
h
e
M
i
c
r
o
s
o
f
t
S
o
f
t
w
a
r
e
K
e
y
S
t
o
r
a
g
e
P
r
o
v
i
d
e
r.
N
C L
R "
Y D
P H
T P
_ a
D r
H a
_ m
P e
A t
R e
A r
M s
E "
T
E S
R p
S e
_ c
P i
R f
O i
P e
E s
R p
T a
Y r
a
m
e
t
e
r
s
t
o
u
s
e
w
i
t
h
a
D
i
f
f
i
e
-
H
e
l
l
m
a
n
k
e
y
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
p
o
i
n
t
e
r
t
o
a
B
C
R
Y
P
T
_
D
H
_
P
A
R
A
M
E
T
E
R
_
H
E
A
D
E
R
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
a
n
d
m
u
s
t
b
e
s
e
t
f
o
r
t
h
e
k
e
y
b
e
f
o
r
e
t
h
e
k
e
y
i
s
c
o
m
p
l
e
t
e
d
.
N
C L
R "
Y E
P x
T p
_ o
E r
X t
P P
O o
R l
T i
_ c
P y
O "
L A
I
C D
Y W
_ O
P R
R D
O t
P h
E a
R t
T c
Y o
n
t
a
i
n
s
a
s
e
t
o
f
f
l
a
g
s
t
h
a
t
s
p
e
c
i
f
y
t
h
e
e
x
p
o
r
t
p
o
l
i
c
y
f
o
r
a
p
e
r
s
i
s
t
e
d
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
T
h
i
s
c
a
n
c
o
n
t
a
i
n
z
e
r
o
o
r
a
c
o
m
b
i
n
a
t
i
o
n
o
f
o
n
e
o
r
m
o
r
e
o
f
t
h
e
f
o
l
l
o
w
i
n
g
v
a
l
u
e
s
.
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L1
O
W
_
E
X
P
O
R
T
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L2
O
W
_
P
L
A
I
N
T
E
X
T
_
E
X
P
O
R
T
_
F
L
A
G
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L4
O
W
_I
AD
RE
N
C
T
H
I V
IF A
VI L
EI U
RE
N
G
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L8
O
W
_
P
L
A
I
N
T
E
X
T
_
A
R
C
H
I
V
I
N
G
_
F
L
A
G
G
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
I
D
E
N
T
I V
FA
I L
EU
RE
N
C L
R "
Y I
P m
T p
_ l
I T
M y
P p
L e
_ "
T A
Y D
P W
E O
_ R
P D
R t
O h
P a
E t
R c
T o
Y n
t
a
i
n
s
a
s
e
t
o
f
f
l
a
g
s
t
h
a
t
d
e
f
i
n
e
i
m
p
l
e
m
e
n
t
a
t
i
o
n
d
e
t
a
i
l
s
o
f
t
h
e
p
r
o
v
i
d
e
r.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
s
.
T
h
i
s
c
a
n
c
o
n
t
a
i
n
z
e
r
o
o
r
a
c
o
m
b
i
n
a
t
i
o
n
o
f
o
n
e
o
r
m
o
r
e
o
f
t
h
e
f
o
l
l
o
w
i
n
g
v
a
l
u
e
s
.
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
I0
M0
P1
L
_
H
A
R
D
W
A
R
E
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
I0
M0
P2
L
_
S
O
F
T
W
A
R
E
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
I0
M0
P8
L
_
R
E
M
O
V
A
B
L
E
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
I0
M1
P0
L
_
H
A
R
D
W
A
R
E
_
R
N
G
_
F
L
A
G
N
C L
R "
Y K
P e
T y
_ T
K y
E p
Y e
_ "
T
Y A
P D
E W
_ O
P R
R D
O t
P h
E a
R t
T c
Y o
n
t
a
i
n
s
a
s
e
t
o
f
f
l
a
g
s
t
h
a
t
d
e
f
i
n
e
t
h
e
k
e
y
t
y
p
e
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
T
h
i
s
c
a
n
c
o
n
t
a
i
n
z
e
r
o
o
r
t
h
e
f
o
l
l
o
w
i
n
g
v
a
l
u
e
.
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
M0
A0
C1
H
I
N
E
_
K
E
Y
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N
L
C "
R K
Y e
P y
T U
_ s
K a
E g
Y e
_ "
U
S A
A D
G W
E O
_ R
P D
R t
O h
P a
E t
R c
T o
Y n
t
a
i
n
s
a
s
e
t
o
f
f
l
a
g
s
t
h
a
t
d
e
f
i
n
e
t
h
e
u
s
a
g
e
d
e
t
a
i
l
s
f
o
r
a
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
T
h
i
s
c
a
n
c
o
n
t
a
i
n
z
e
r
o
o
r
a
c
o
m
b
i
n
a
t
i
o
n
o
f
o
n
e
o
r
m
o
r
e
o
f
t
h
e
f
o
l
l
o
w
i
n
g
v
a
l
u
e
s
.
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L1
O
W
_
D
E
C
R
Y
P
T
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L2
O
W
_
S
I
G
N
I
N
G
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
P0
T0
_0
A0
L0
L4
O
W
_
K
E
Y
_
A
G
R
E
E
M
E
N
T
_
F
L
A
G
I
D
E
N
T
I V
FA
I L
EU
RE
N0
Cx
R0
Y0
Pf
Tf
_f
Af
Lf
Lf
O
W
_
A
L
L
_
U
S
A
G
E
S
N
C L
R "
Y M
P o
T d
_ i
L f
A i
S e
T d
_ "
M I
O n
D d
I i
F c
I a
E t
D e
_ s
P w
R h
O e
P n
E t
R h
T e
Y k
e
y
w
a
s
l
a
s
t
m
o
d
i
f
i
e
d
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
p
o
i
n
t
e
r
t
o
a
F
I
L
E
T
I
M
E
s
t
r
u
c
t
u
r
e
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
e
r
s
i
s
t
e
d
k
e
y
s
.
N
C L
R "
Y L
P e
T n
_ g
L t
E h
N "
G A
T D
H W
_ O
P R
R D
O t
P h
E a
R t
T c
Y o
n
t
a
i
n
s
t
h
e
l
e
n
g
t
h
,
i
n
b
i
t
s
,
o
f
t
h
e
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
N
C L
R "
Y L
P e
T n
_ g
L t
E h
N s
G "
T
H I
S n
_ d
P i
R c
O a
P t
E e
R s
T t
Y h
e
k
e
y
s
i
z
e
s
t
h
a
t
a
r
e
s
u
p
p
o
r
t
e
d
b
y
t
h
e
k
e
y
.
T
h
i
s
d
a
t
a
t
y
p
e
i
s
a
p
o
i
n
t
e
r
t
o
a
n
N
C
R
Y
P
T
_
S
U
P
P
O
R
T
E
D
_
L
E
N
G
T
H
S
s
t
r
u
c
t
u
r
e
t
h
a
t
c
o
n
t
a
i
n
s
t
h
i
s
i
n
f
o
r
m
a
t
i
o
n
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
k
e
y
s
.
N
C L
R "
Y M
P a
T x
_ N
M a
A m
X e
_ L
N e
A n
M g
E t
_ h
L "
E A
N D
G W
T O
H R
_ D
P t
R h
O a
P t
E c
R o
T n
Y t
a
i
n
s
t
h
e
m
a
x
i
m
u
m
l
e
n
g
t
h
,
i
n
c
h
a
r
a
c
t
e
r
s
,
o
f
t
h
e
n
a
m
e
o
f
a
p
e
r
s
i
s
t
e
n
t
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
a
p
r
o
v
i
d
e
r.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
p
r
i
m
a
r
i
l
y
i
n
t
e
n
d
e
d
t
o
b
e
u
s
e
d
b
y
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
s
t
h
a
t
s
t
o
r
e
t
h
e
i
r
k
e
y
s
o
n
a
d
e
v
i
c
e
t
h
a
t
h
a
s
a
l
i
m
i
t
e
d
a
m
o
u
n
t
o
f
a
v
a
i
l
a
b
l
e
m
e
m
o
r
y
,
s
u
c
h
a
s
a
s
m
a
r
t
c
a
r
d
.
N
C L
R "
Y N
P a
T m
_ e
N "
A A
M p
E o
_ i
P n
R t
O e
P r
E t
R o
T a
Y n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
n
a
m
e
o
f
t
h
e
o
b
j
e
c
t
.
N
C L
R "
Y S
P m
T a
_ r
P t
I C
N a
_ r
P d
R P
O i
M n
P P
T r
_ o
P m
R p
O t
P "
E
R T
T h
Y i
s
v
a
l
u
e
i
s
n
o
t
s
u
p
p
o
r
t
e
d
.
N
C L
R "
Y S
P m
T a
_ r
P t
I C
N a
_ r
P d
R P
O i
P n
E "
R
T A
Y p
o
i
n
t
e
r
t
o
a
n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
P
I
N
.
T
h
e
P
I
N
i
s
u
s
e
d
f
o
r
a
s
m
a
r
t
c
a
r
d
k
e
y
o
r
t
h
e
p
a
s
s
w
o
r
d
f
o
r
a
p
a
s
s
w
o
r
d
-
p
r
o
t
e
c
t
e
d
k
e
y
s
t
o
r
e
d
i
n
a
s
o
f
t
w
a
r
e
-
b
a
s
e
d
K
S
P
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
.
M
i
c
r
o
s
o
f
t
K
S
P
s
w
i
l
l
c
a
c
h
e
t
h
i
s
v
a
l
u
e
s
o
t
h
a
t
t
h
e
u
s
e
r
i
s
o
n
l
y
p
r
o
m
p
t
e
d
o
n
c
e
p
e
r
p
r
o
c
e
s
s
.
N
C L
R "
Y P
P r
T o
_ v
P i
R d
O e
V r
I H
D a
E n
R d
_ l
H e
A "
N
D A
L n
E N
_ C
P R
R Y
O P
P T
E _
R P
T R
Y O
V
_
H
A
N
D
L
E
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
h
a
n
d
l
e
o
f
t
h
e
C
N
G
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r.
W
h
e
n
y
o
u
a
r
e
f
i
n
i
s
h
e
d
u
s
i
n
g
t
h
e
h
a
n
d
l
e
,
y
o
u
m
u
s
t
c
a
l
l
N
C
r
y
p
t
F
r
e
e
O
b
j
e
c
t
t
o
r
e
l
e
a
s
e
i
t
.
N
C L
R "
Y S
P m
T a
_ r
R t
E C
A a
D r
E d
R R
_ e
P a
R d
O e
P r
E "
R A
T p
Y o
i
n
t
e
r
t
o
a
n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
n
a
m
e
o
f
t
h
e
s
m
a
r
t
c
a
r
d
r
e
a
d
e
r.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
.
N
C L
R "
Y S
P m
T a
_ r
R t
O c
O a
T r
_ d
C R
E o
R o
T t
S C
T e
O r
R t
E S
_ t
P o
R r
O e
P "
E A
R n
T H
Y
C
E
R
T
S
T
O
R
E
t
h
a
t
r
e
p
r
e
s
e
n
t
s
t
h
e
s
m
a
r
t
c
a
r
d
r
o
o
t
c
e
r
t
i
f
i
c
a
t
e
s
t
o
r
e
.
N
C L
R "
Y S
P m
T a
_ r
S t
C C
A a
R r
D d
_ P
P i
I n
N I
_ d
I "
D A
p
o
i
n
t
e
r
t
o
t
h
e
P
I
N
_
I
D
v
a
l
u
e
a
s
s
o
c
i
a
t
e
d
w
i
t
h
a
g
i
v
e
n
c
r
y
p
t
o
g
r
a
p
h
i
c
k
e
y
o
n
a
s
m
a
r
t
c
a
r
d
.
T
h
i
s
i
s
a
r
e
a
d
-
o
n
l
y
p
r
o
p
e
r
t
y
.
T
h
e
P
I
N
_
I
D
d
a
t
a
t
y
p
e
i
s
d
e
f
i
n
e
d
i
n
C
a
r
d
m
o
d
.
h
.
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
a
n
d
W
i
n
d
o
w
s
V
i
s
t
a
:
T
h
i
s
v
a
l
u
e
i
s
n
o
t
s
u
p
p
o
r
t
e
d
.
N
C L
R "
Y S
P m
T a
_ r
S t
C C
A a
R r
D d
_ P
P i
I n
N I
_ n
I f
N o
F "
O A
p
o
i
n
t
e
r
t
o
P
I
N
_
I
N
F
O
s
t
r
u
c
t
u
r
e
o
f
t
h
e
P
I
N
a
s
s
o
c
i
a
t
e
d
w
i
t
h
a
g
i
v
e
n
c
r
y
p
t
o
g
r
a
p
h
i
c
k
e
y
o
n
t
h
e
s
m
a
r
t
c
a
r
d
.
T
h
e
c
a
l
l
e
r
p
r
o
v
i
d
e
s
t
h
e
k
e
y
h
a
n
d
l
e
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
r
e
a
d
-
o
n
l
y
p
r
o
p
e
r
t
y
.
T
h
e
P
I
N
_
I
N
F
O
s
t
r
u
c
t
u
r
e
i
s
d
e
f
i
n
e
d
i
n
C
a
r
d
m
o
d
.
h
.
W
i
n
d
o
w
s
S
e
r
v
e
r
2
0
0
8
a
n
d
W
i
n
d
o
w
s
V
i
s
t
a
:
T
h
i
s
v
a
l
u
e
i
s
n
o
t
s
u
p
p
o
r
t
e
d
.
N
C L
R "
Y S
P m
T a
_ r
S t
E C
C a
U r
R d
E S
_ e
P c
I u
N r
_ e
P P
R i
O n
P "
E A
R p
T o
Y i
n
t
e
r
t
o
a
n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
s
m
a
r
t
c
a
r
d
s
e
s
s
i
o
n
P
I
N
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
.
W
i
n
d
o
w
s
V
i
s
t
a
:
T
h
i
s
p
r
o
p
e
r
t
y
i
s
n
o
t
s
u
p
p
o
r
t
e
d
.
N
C L
R "
Y S
P e
T c
_ u
S r
E i
C t
U y
R D
I e
T s
Y c
_ r
D "
E A
S p
C o
R i
_ n
P
R t
O e
P r
E t
R o
T a
Y S
E
C
U
R
I
T
Y
_
D
E
S
C
R
I
P
T
O
R
s
t
r
u
c
t
u
r
e
t
h
a
t
c
o
n
t
a
i
n
s
a
c
c
e
s
s
c
o
n
t
r
o
l
i
n
f
o
r
m
a
t
i
o
n
f
o
r
t
h
e
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
e
r
s
i
s
t
e
n
t
k
e
y
s
.
T
h
e
d
w
F
l
a
g
s
p
a
r
a
m
e
t
e
r
o
f
t
h
e
N
C
r
y
p
t
G
e
t
P
r
o
p
e
r
t
y
o
r
N
C
r
y
p
t
S
e
t
P
r
o
p
e
r
t
y
f
u
n
c
t
i
o
n
i
d
e
n
t
i
f
i
e
s
t
h
e
p
a
r
t
o
f
t
h
e
s
e
c
u
r
i
t
y
d
e
s
c
r
i
p
t
o
r
t
o
g
e
t
o
r
s
e
t
.
N
C L
R "
Y S
P e
T c
_ u
S r
E i
C t
U y
R D
I e
T s
Y c
_ r
D S
E u
S p
C p
R o
_ r
S t
U "
P
P I
O n
R d
T i
_ c
P a
R t
O e
P s
E w
R h
T e
Y t
h
e
r
t
h
e
p
r
o
v
i
d
e
r
s
u
p
p
o
r
t
s
s
e
c
u
r
i
t
y
d
e
s
c
r
i
p
t
o
r
s
f
o
r
k
e
y
s
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
D
W
O
R
D
t
h
a
t
c
o
n
t
a
i
n
s
1
i
f
t
h
e
p
r
o
v
i
d
e
r
s
u
p
p
o
r
t
s
s
e
c
u
r
i
t
y
d
e
s
c
r
i
p
t
o
r
s
f
o
r
k
e
y
s
.
I
f
t
h
i
s
p
r
o
p
e
r
t
y
c
o
n
t
a
i
n
s
a
n
y
o
t
h
e
r
v
a
l
u
e
,
o
r
i
f
t
h
e
N
C
r
y
p
t
G
e
t
P
r
o
p
e
r
t
y
f
u
n
c
t
i
o
n
r
e
t
u
r
n
s
N
T
E
_
N
O
T
_
S
U
P
P
O
R
T
E
D
,
t
h
e
n
t
h
e
p
r
o
v
i
d
e
r
d
o
e
s
n
o
t
s
u
p
p
o
r
t
s
e
c
u
r
i
t
y
d
e
s
c
r
i
p
t
o
r
s
f
o
r
k
e
y
s
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
r
o
v
i
d
e
r
s
.
N
C L
R "
Y S
P m
T a
_ r
S t
M C
A a
R r
T d
C G
A u
R i
D d
_ "
G A
U B
I L
D O
_ B
P t
R h
O a
P t
E c
R o
T n
Y t
a
i
n
s
t
h
e
i
d
e
n
t
i
f
i
e
r
o
f
t
h
e
s
m
a
r
t
c
a
r
d
.
N
C L
R "
Y U
P I
T P
_ o
U l
I i
_ c
P y
O "
L I
I f
C u
Y s
_ e
P d
R
O w
P i
E t
R h
T t
Y h
e
N
C
r
y
p
t
S
e
t
P
r
o
p
e
r
t
y
o
r
N
C
r
y
p
t
G
e
t
P
r
o
p
e
r
t
y
f
u
n
c
t
i
o
n
,
t
h
i
s
i
s
a
p
o
i
n
t
e
r
t
o
a
n
N
C
R
Y
P
T
_
U
I
_
P
O
L
I
C
Y
s
t
r
u
c
t
u
r
e
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
s
t
r
o
n
g
k
e
y
u
s
e
r
i
n
t
e
r
f
a
c
e
p
o
l
i
c
y
f
o
r
t
h
e
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
e
r
s
i
s
t
e
n
t
k
e
y
s
.
T
h
i
s
p
r
o
p
e
r
t
y
c
a
n
o
n
l
y
b
e
s
e
t
w
h
e
n
t
h
e
k
e
y
i
s
b
e
i
n
g
g
e
n
e
r
a
t
e
d
.
O
n
c
e
t
h
e
N
C
r
y
p
t
F
i
n
a
l
i
z
e
K
e
y
f
u
n
c
t
i
o
n
h
a
s
b
e
e
n
c
a
l
l
e
d
f
o
r
t
h
i
s
k
e
y
,
t
h
i
s
p
r
o
p
e
r
t
y
b
e
c
o
m
e
s
r
e
a
d
-
o
n
l
y
.
A
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
c
a
n
r
e
c
e
i
v
e
t
h
i
s
p
a
r
a
m
e
t
e
r
t
h
r
o
u
g
h
a
n
N
C
r
y
p
t
S
e
t
P
r
o
p
e
r
t
y
F
n
c
a
l
l
b
a
c
k
f
u
n
c
t
i
o
n
.
T
h
e
p
a
r
a
m
e
t
e
r
v
a
l
u
e
i
s
a
n
N
C
R
Y
P
T
_
U
I
_
P
O
L
I
C
Y
_
B
L
O
B
s
t
r
u
c
t
u
r
e
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
s
a
m
e
i
n
f
o
r
m
a
t
i
o
n
.
S
i
m
i
l
a
r
l
y
,
w
h
e
n
a
n
a
p
p
l
i
c
a
t
i
o
n
m
a
k
e
s
a
r
e
q
u
e
s
t
t
h
r
o
u
g
h
N
C
r
y
p
t
S
e
t
P
r
o
p
e
r
t
y
F
n
t
o
t
h
e
p
r
o
v
i
d
e
r
t
o
r
e
t
u
r
n
t
h
i
s
p
r
o
p
e
r
t
y
,
t
h
e
p
r
o
v
i
d
e
r
i
s
e
x
p
e
c
t
e
d
t
o
r
e
t
u
r
n
a
n
N
C
R
Y
P
T
_
U
I
_
P
O
L
I
C
Y
_
B
L
O
B
s
t
r
u
c
t
u
r
e
.
N
C L
R "
Y U
P n
T i
_ q
U u
N e
I N
Q a
U m
E e
_ "
N A
A p
M o
E i
_
P n
R t
O e
P r
E t
R o
T a
Y n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
u
n
i
q
u
e
n
a
m
e
o
f
t
h
e
o
b
j
e
c
t
.
T
h
i
s
i
s
a
n
a
l
t
e
r
n
a
t
e
n
a
m
e
t
h
a
t
c
a
n
b
e
u
s
e
d
w
h
e
n
a
c
c
e
s
s
i
n
g
t
h
e
k
e
y
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
u
s
e
d
w
h
e
n
i
t
i
s
t
h
o
u
g
h
t
t
h
a
t
t
h
e
k
e
y
n
a
m
e
o
r
i
g
i
n
a
l
l
y
p
a
s
s
e
d
t
o
N
C
r
y
p
t
C
r
e
a
t
e
P
e
r
s
i
s
t
e
d
K
e
y
i
s
n
o
t
u
n
i
q
u
e
e
n
o
u
g
h
t
o
r
e
l
i
a
b
l
y
i
d
e
n
t
i
f
y
t
h
e
p
e
r
s
i
s
t
e
d
k
e
y
.
T
h
e
M
i
c
r
o
s
o
f
t
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
w
i
l
l
r
e
t
u
r
n
t
h
e
f
i
l
e
n
a
m
e
o
f
t
h
e
k
e
y
a
s
t
h
i
s
p
r
o
p
e
r
t
y
.
N
C L
R "
Y U
P s
T e
_ C
U o
S n
E t
_ e
C x
O t
N "
T A
E p
X o
T i
_ n
P t
R e
O r
P
E t
R o
T a
Y n
u
l
l
-
t
e
r
m
i
n
a
t
e
d
U
n
i
c
o
d
e
s
t
r
i
n
g
t
h
a
t
d
e
s
c
r
i
b
e
s
t
h
e
c
o
n
t
e
x
t
o
f
t
h
e
o
p
e
r
a
t
i
o
n
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
n
o
t
p
e
r
s
i
s
t
e
n
t
a
n
d
c
a
n
b
e
s
e
t
o
n
e
i
t
h
e
r
a
p
r
o
v
i
d
e
r
o
r
a
k
e
y
.
A
k
e
y
d
o
e
s
n
o
t
h
a
v
e
a
c
c
e
s
s
t
o
t
h
e
N
C
R
Y
P
T
_
U
S
E
_
C
O
N
T
E
X
T
_
P
R
O
P
E
R
T
Y
p
r
o
p
e
r
t
y
o
f
t
h
e
p
r
o
v
i
d
e
r
b
e
c
a
u
s
e
t
h
e
p
r
o
p
e
r
t
y
i
s
s
p
e
c
i
f
i
c
o
n
l
y
t
o
t
h
e
h
a
n
d
l
e
i
t
i
s
s
e
t
f
o
r.
A
n
e
x
a
m
p
l
e
w
h
e
r
e
t
h
i
s
p
r
o
p
e
r
t
y
w
o
u
l
d
b
e
u
s
e
d
i
n
t
h
e
c
o
n
t
e
x
t
o
f
a
p
r
o
v
i
d
e
r
i
s
a
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
t
h
a
t
n
e
e
d
s
t
o
p
r
o
m
p
t
t
h
e
u
s
e
r
d
u
r
i
n
g
a
c
a
l
l
t
o
N
C
r
y
p
t
O
p
e
n
K
e
y
(
f
o
r
e
x
a
m
p
l
e
,
"
I
n
s
e
r
t
y
o
u
r
s
m
a
r
t
c
a
r
d
i
n
t
h
e
r
e
a
d
e
r.
"
)
.
B
e
c
a
u
s
e
t
h
e
k
e
y
h
a
n
d
l
e
i
s
n
o
t
a
v
a
i
l
a
b
l
e
u
n
t
i
l
a
f
t
e
r
N
C
r
y
p
t
O
p
e
n
K
e
y
r
e
t
u
r
n
s
,
t
h
e
a
p
p
l
i
c
a
t
i
o
n
s
h
o
u
l
d
s
e
t
t
h
i
s
p
r
o
p
e
r
t
y
o
n
t
h
e
p
r
o
v
i
d
e
r
h
a
n
d
l
e
p
r
i
o
r
t
o
c
a
l
l
i
n
g
N
C
r
y
p
t
O
p
e
n
K
e
y
.
A
n
e
x
a
m
p
l
e
w
h
e
r
e
t
h
i
s
p
r
o
p
e
r
t
y
w
o
u
l
d
b
e
u
s
e
d
i
n
t
h
e
c
o
n
t
e
x
t
o
f
a
k
e
y
h
a
n
d
l
e
i
s
a
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
t
h
a
t
n
e
e
d
s
t
o
p
r
o
m
p
t
t
h
e
u
s
e
r
d
u
r
i
n
g
a
n
o
p
e
r
a
t
i
o
n
u
s
i
n
g
t
h
e
k
e
y
(
f
o
r
e
x
a
m
p
l
e
,
"
T
h
i
s
a
p
p
l
i
c
a
t
i
o
n
n
e
e
d
s
t
o
u
s
e
t
h
i
s
k
e
y
t
o
s
i
g
n
a
d
o
c
u
m
e
n
t
.
"
)
.
T
h
e
p
r
o
v
i
d
e
r
c
o
u
l
d
t
h
e
n
r
e
l
a
y
t
h
i
s
c
o
n
t
e
x
t
i
n
f
o
r
m
a
t
i
o
n
t
o
t
h
e
u
s
e
r
i
n
a
n
y
u
s
e
r
i
n
t
e
r
f
a
c
e
s
h
o
w
n
d
u
r
i
n
g
t
h
e
o
p
e
r
a
t
i
o
n
.
N
C L
R "
Y E
P n
T a
_ b
U l
S e
E d
_ U
C s
O e
U C
N o
T u
_ n
E t
N "
A
B I
L n
E d
D i
_ c
P a
R t
O e
P s
E w
R h
T e
Y t
h
e
r
t
h
e
p
r
o
v
i
d
e
r
s
u
p
p
o
r
t
s
u
s
a
g
e
c
o
u
n
t
i
n
g
f
o
r
k
e
y
s
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
a
D
W
O
R
D
t
h
a
t
c
o
n
t
a
i
n
s
1
i
f
t
h
e
p
r
o
v
i
d
e
r
s
u
p
p
o
r
t
s
u
s
a
g
e
c
o
u
n
t
i
n
g
f
o
r
k
e
y
s
.
I
f
t
h
i
s
p
r
o
p
e
r
t
y
c
o
n
t
a
i
n
s
a
n
y
o
t
h
e
r
v
a
l
u
e
,
o
r
i
f
t
h
e
N
C
r
y
p
t
G
e
t
P
r
o
p
e
r
t
y
f
u
n
c
t
i
o
n
r
e
t
u
r
n
s
N
T
E
_
N
O
T
_
S
U
P
P
O
R
T
E
D
,
t
h
e
n
t
h
e
p
r
o
v
i
d
e
r
d
o
e
s
n
o
t
s
u
p
p
o
r
t
u
s
a
g
e
c
o
u
n
t
i
n
g
f
o
r
k
e
y
s
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
r
o
v
i
d
e
r
s
.
N
C L
R "
Y U
P s
T e
_ C
U o
S u
E n
_ t
C "
O A
U U
N L
T A
_ R
P G
R E
O _
P I
E N
R T
T E
Y G
E
R
v
a
r
i
a
b
l
e
t
h
a
t
c
o
n
t
a
i
n
s
t
h
e
n
u
m
b
e
r
o
f
o
p
e
r
a
t
i
o
n
s
t
h
a
t
t
h
e
s
p
e
c
i
f
i
e
d
p
r
i
v
a
t
e
k
e
y
h
a
s
p
e
r
f
o
r
m
e
d
.
T
h
i
s
p
r
o
p
e
r
t
y
i
s
o
p
t
i
o
n
a
l
a
n
d
m
a
y
n
o
t
b
e
s
u
p
p
o
r
t
e
d
b
y
a
l
l
p
r
o
v
i
d
e
r
s
.
P
r
o
v
i
d
e
r
s
t
h
a
t
s
u
p
p
o
r
t
t
h
i
s
p
r
o
p
e
r
t
y
o
n
k
e
y
s
s
h
o
u
l
d
a
l
s
o
s
u
p
p
o
r
t
t
h
e
N
C
R
Y
P
T
_
U
S
E
_
C
O
U
N
T
_
E
N
A
B
L
E
D
_
P
R
O
P
E
R
T
Y
p
r
o
p
e
r
t
y
o
n
t
h
e
p
r
o
v
i
d
e
r
h
a
n
d
l
e
.
T
h
e
M
i
c
r
o
s
o
f
t
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
d
o
e
s
n
o
t
s
u
p
p
o
r
t
t
h
i
s
p
r
o
p
e
r
t
y
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
e
r
s
i
s
t
e
n
t
k
e
y
s
.
N
C L
R "
Y S
P m
T a
_ r
U t
S C
E a
R r
_ d
C U
E s
R e
T r
S C
T e
O r
R t
E S
_ t
P o
R r
O e
P "
E
R A
T n
Y H
C
E
R
T
S
T
O
R
E
t
h
a
t
r
e
p
r
e
s
e
n
t
s
t
h
e
s
m
a
r
t
c
a
r
d
u
s
e
r
c
e
r
t
i
f
i
c
a
t
e
s
t
o
r
e
.
N
C L
R "
Y V
P e
T r
_ s
V i
E o
R n
S "
I A
O D
N W
_ O
P R
R D
O t
P h
E a
R t
T c
Y o
n
t
a
i
n
s
t
h
e
s
o
f
t
w
a
r
e
v
e
r
s
i
o
n
o
f
t
h
e
p
r
o
v
i
d
e
r.
T
h
e
h
i
g
h
w
o
r
d
c
o
n
t
a
i
n
s
t
h
e
m
a
j
o
r
v
e
r
s
i
o
n
a
n
d
t
h
e
l
o
w
w
o
r
d
c
o
n
t
a
i
n
s
t
h
e
m
i
n
o
r
v
e
r
s
i
o
n
.
F
o
r
e
x
a
m
p
l
e
,
0
x
0
0
0
3
0
0
3
3
=
3
.
5
1
.
T
h
i
s
p
r
o
p
e
r
t
y
o
n
l
y
a
p
p
l
i
e
s
t
o
p
r
o
v
i
d
e
r
s
.
N
C L
R "
Y H
P W
T N
_ D
W H
I a
N n
D d
O l
W e
_ "
H A
A p
N o
D i
L n
E t
_ e
P r
R t
O o
P t
E h
R e
T w
Y i
n
d
o
w
h
a
n
d
l
e
(
H
W
N
D
)
t
o
b
e
u
s
e
d
a
s
t
h
e
p
a
r
e
n
t
o
f
a
n
y
u
s
e
r
i
n
t
e
r
f
a
c
e
t
h
a
t
i
s
d
i
s
p
l
a
y
e
d
.
B
e
c
a
u
s
e
u
n
d
e
s
i
r
a
b
l
e
b
e
h
a
v
i
o
r
c
a
n
h
a
p
p
e
n
w
h
e
n
a
u
s
e
r
i
n
t
e
r
f
a
c
e
i
s
s
h
o
w
n
b
y
u
s
i
n
g
a
N
U
L
L
w
i
n
d
o
w
h
a
n
d
l
e
f
o
r
t
h
e
p
a
r
e
n
t
,
w
e
s
t
r
o
n
g
l
y
r
e
c
o
m
m
e
n
d
t
h
a
t
a
k
e
y
s
t
o
r
a
g
e
p
r
o
v
i
d
e
r
n
o
t
d
i
s
p
l
a
y
a
u
s
e
r
i
n
t
e
r
f
a
c
e
u
n
l
e
s
s
t
h
i
s
p
r
o
p
e
r
t
y
i
s
s
e
t
.
Requirements
Header
Ncry
pt.h
See also
N
C
r
y
p
t
G
e
t
P
r
o
p
e
r
t
y
N
C
r
y
p
t
S
e
t
P
r
o
p
e
r
t
y
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following functions that are used with the CNG
cryptographic configuration system.
BCr yptAddContextFunction
BCr yptConfigureContext
BCr yptConfigureContextFunction
BCr yptCreateContext
BCr yptDeleteContext
BCr yptEnumAlgorithms
BCr yptEnumContextFunctionProviders
BCr yptEnumContextFunctions
BCr yptEnumContexts
BCr yptEnumProviders
BCr yptEnumRegisteredProviders
BCr yptGetFipsAlgorithmMode
BCr yptQuer yContextConfiguration
BCr yptQuer yContextFunctionConfiguration
BCr yptQuer yContextFunctionProper ty
BCr yptQuer yProviderRegistration
BCr yptRegisterConfigChangeNotify(HANDLE*)
BCr yptRegisterConfigChangeNotify(PRKEVENT)
BCr yptRemoveContextFunction
BCr yptResolveProviders
BCr yptSetContextFunctionProper ty
BCr yptUnregisterConfigChangeNotify(HANDLE)
BCr yptUnregisterConfigChangeNotify(PRKEVENT)
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following functions that are used for performing
cryptographic operations.
BCr yptCloseAlgorithmProvider
BCr yptCreateHash
BCr yptCreateMultiHash
BCr yptDecr ypt
BCr yptDeriveKey
BCr yptDestroyHash
BCr yptDestroyKey
BCr yptDestroySecret
BCr yptDuplicateHash
BCr yptDuplicateKey
BCr yptEncr ypt
BCr yptExpor tKey
BCr yptFinalizeKeyPair
BCr yptFinishHash
BCr yptFreeBuffer
BCr yptGenerateKeyPair
BCr yptGenerateSymmetricKey
BCr yptGenRandom
BCr yptGetProper ty
BCr yptHash
BCr yptHashData
BCr yptImpor tKey
BCr yptImpor tKeyPair
BCr yptKeyDerivation
BCr yptOpenAlgorithmProvider
BCr yptProcessMultiOperations
BCr yptSecretAgreement
BCr yptSetProper ty
BCr yptSignHash
BCr yptVerifySignature
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following functions for the CNG Data Protection API.
NCr yptCreateProtectionDescriptor
NCr yptCloseProtectionDescriptor
NCr yptGetProtectionDescriptorInfo
NCr yptProtectSecret
NCr yptQuer yProtectionDescriptorName
NCr yptRegisterProtectionDescriptorName
NCr yptStreamClose
NCr yptStreamOpenToProtect
NCr yptStreamOpenToUnprotect
NCr yptStreamUpdate
NCr yptUnprotectSecret
PFNCr yptStreamOutputCallback
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following helper functions that are used for performing
cryptographic operations.
BCr yptDeriveKeyCapi
BCr yptDeriveKeyPBKDF2
BCRYPT_INIT_AUTH_MODE_INFO
SystemPrng
minutes to read • Edit Online
[SystemPrng is available for use in the operating systems specified in the Requirements section. It may be altered
or unavailable in subsequent versions. Instead, use BCr yptGenRandom .]
The SystemPrng function retrieves a specified number of random bytes from the system random number
generator.
NOTE
This function has no associated header file or import library. To call this function, you must create a user-defined header file.
Syntax
BOOL SystemPrng(
_Out_ unsigned char pbRandomData,
_In_ size_t cbRandomData
);
Parameters
p A pointer to a buffer that receives the retrieved bytes.
b
R
a
n
d
o
m
D
a
t
a
[
o
u
t
]
Return value
Always returns TRUE .
Requirements
Minimum supported client Windows Vista with SP1 [desktop apps only]
DLL
Ksec
dd.s
ys
on
Win
dow
s
Serv
er
200
8
and
Win
dow
s
Vist
a
with
SP1;
Cng.
sys
on
Win
dow
s7
and
Win
dow
s
Serv
er
200
8 R2
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following functions which are used to perform CNG key
storage operations.
NCr yptCreatePersistedKey
NCr yptDecr ypt
NCr yptDeleteKey
NCr yptDeriveKey
NCr yptEncr ypt
NCr yptEnumAlgorithms
NCr yptEnumKeys
NCr yptEnumStorageProviders
NCr yptExpor tKey
NCr yptFinalizeKey
NCr yptFreeBuffer
NCr yptFreeObject
NCr yptGetProper ty
NCr yptImpor tKey
NCr yptIsAlgSuppor ted
NCr yptIsKeyHandle
NCr yptNotifyChangeKey
NCr yptOpenKey
NCr yptOpenStorageProvider
NCr yptSecretAgreement
NCr yptSetProper ty
NCr yptSignHash
NCr yptTranslateHandle
NCr yptVerifySignature
minutes to read • Edit Online
CNG provides the following functions that are used by or with a CNG SSL provider:
SslChangeNotify
SslComputeClientAuthHash
SslComputeEapKeyBlock
SslComputeFinishedHash
SslCreateClientAuthHash
SslCreateEphemeralKey
SslCreateHandshakeHash
SslDecrementProviderReferenceCount
SslDecr yptPacket
SslEncr yptPacket
SslEnumCipherSuites
SslEnumProtocolProviders
SslExpor tKey
SslExpor tKeyingMaterial
SslFreeBuffer
SslFreeObject
SslGenerateMasterKey
SslGenerateSessionKeys
SslGetCipherSuitePRFHashAlgorithm
SslGetKeyProper ty
SslGetProviderProper ty
SslHashHandshake
SslImpor tKey
SslImpor tMasterKey
SslIncrementProviderReferenceCount
SslLookupCipherLengths
SslLookupCipherSuiteInfo
SslOpenPrivateKey
SslOpenProvider
SslSignHash
SslVerifySignature
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslChangeNotify(
_In_ HANDLE hEvent,
_In_ DWORD dwFlags
);
Parameters
h This parameter is reserved for future use.
E
v
e
n
t
[
i
n
]
Return value
Returns NTE_NOT_SUPPORTED .
Requirements
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslComputeClientAuthHash(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hMasterKey,
_In_ NCRYPT_HASH_HANDLE hHandshakeHash,
_In_ LPCWSTR pszAlgId,
_Out_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
s
z
A
l
g
I
d
[
i
n
]
A pointer to a null-terminated Unicode string that identifies the requested cryptographic algorithm. This can
be one of the standard CNG Algorithm Identifiers or the identifier for another registered algorithm.
p
b
O
u
t
p
u
t
[
o
u
t
]
The address of a buffer that receives the key BLOB. The cbOutput parameter contains the size of this buffer. If
this parameter is NULL , this function will place the required size, in bytes, in the DWORD pointed to by the
pcbResult parameter.
c The length, in bytes, of the pbOutput buffer.
b
O
u
t
p
u
t
[
i
n
]
p
c
b
R
e
s
u
l
t
[
o
u
t
]
A pointer to a DWORD value that specifies the length, in bytes, of the hash written to the pbOutput buffer.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Remarks
The SslComputeClientAuthHash function computes the hash that is sent in the certificate verification message
of the SSL handshake. The hash value is computed by creating a hash that contains the master secret with a hash of
all previous handshake messages sent or received. For more information about the SSL handshake sequence, see
Description of the Secure Sockets Layer (SSL) Handshake.
The manner in which the hash is computed depends on the protocol and cipher suite used. In addition, the hash
depends on the type of client authentication key used; the pszAlgId parameter indicates the type of key used for
client authentication.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslComputeEapKeyBlock function computes the key block used by the Extensible Authentication Protocol
(EAP).
Syntax
SECURITY_STATUS WINAPI SslComputeEapKeyBlock(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hMasterKey,
_In_ PBYTE pbRandoms,
_In_ DWORD cbRandoms,
_Out_opt_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
b
R
a
n
d
o
m
s
[
i
n
]
A pointer to a buffer that contains a concatenation of the client_random and server_random values of the SSL
session.
p
b
O
u
t
p
u
t
[
o
u
t
,
o
p
t
i
o
n
a
l
]
The address of a buffer that receives the key BLOB. The cbOutput parameter contains the size of this buffer. If
this parameter is NULL , this function will place the required size, in bytes, in the DWORD pointed to by the
pcbResult parameter.
c The length, in bytes, of the pbOutput buffer.
b
O
u
t
p
u
t
[
i
n
]
p
c
b
R
e
s
u
l
t
[
o
u
t
]
A pointer to a DWORD value that specifies the length, in bytes, of the hash written to the pbOutput buffer.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslComputeFinishedHash function computes the hash sent in the finished message of the Secure Sockets
Layer protocol (SSL) handshake. For more information about the SSL handshake sequence, see Description of the
Secure Sockets Layer (SSL) Handshake.
Syntax
SECURITY_STATUS WINAPI SslComputeFinishedHash(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hMasterKey,
_In_ NCRYPT_HASH_HANDLE hHandshakeHash,
_Out_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p A pointer to a buffer that receives the hash for the finish message.
b
O
u
t
p
u
t
[
o
u
t
]
Specifies that
NC this is a server
RYP call.
T_S
SL_
SER
VER
_FL
AG
0x0
000
000
2
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Remarks
The SslComputeFinishedHash function is one of three functions used to generate a hash to use during the SSL
handshake.
1. The SslCreateHandshakeHash function is called to obtain a hash handle.
2. The SslHashHandshake function is called any number of times with the hash handle to add data to the hash.
3. The SslComputeFinishedHash function is called with the hash handle to obtain the digest of the hashed data.
The hash value is computed by hashing the master secret with a hash of all previous handshake messages sent or
received.
The value of cbOutput determines the length of the hash data. When the Transport Layer Security protocol (TLS)
1.0 protocol is used, this should always be 12 (bytes). For more information, see The TLS Protocol Version 1.0.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslCreateClientAuthHash function retrieves a handle to the handshake hash that is used for client
authentication.
Syntax
SECURITY_STATUS WINAPI SslCreateClientAuthHash(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Out_ NCRYPT_HASH_HANDLE *phHandshakeHash,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ LPCWSTR pszHashAlgId,
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
d This parameter is reserved for future use and must be set to zero.
w
F
l
a
g
s
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
The SslCreateClientAuthHash function is called for Transport Layer Security protocol (TLS) 1.2 or later
conversations to create hash objects that are used to hash handshake messages. It is called once for each possible
hashing algorithm that can be used in the client authentication signature.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslCreateEphemeralKey function creates an ephemeral key for use during the authentication that occurs
during the Secure Sockets Layer protocol (SSL) handshake.
Syntax
SECURITY_STATUS WINAPI SslCreateEphemeralKey(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Out_ NCRYPT_KEY_HANDLE *phEphemeralKey,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ DWORD dwKeyType,
_In_ DWORD dwKeyBitLen,
_In_ PBYTE pbParams,
_In_ DWORD cbParams,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
d
w
K
e
y
T
y
p
e
[
i
n
]
One of the CNG SSL Provider Key Type Identifier values. Set this parameter to zero for key types that are
not elliptic curve cryptography (ECC).
p
b
P
a
r
a
m
s
[
i
n
]
A pointer to a buffer to contain parameters for the key that is to be created. If a Diffie-Hellman (ephemeral)
key-exchange algorithm (DHE) cipher suite is not used, set the pbParams parameter to NULL and the
cbParams parameter to zero.
c The length, in bytes, of the data in the pbParams buffer.
b
P
a
r
a
m
s
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslCreateHandshakeHash function obtains a hash handle that is used to hash handshake messages.
Syntax
SECURITY_STATUS WINAPI SslCreateHandshakeHash(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Out_ NCRYPT_HASH_HANDLE *phHandshakeHash,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
The SslCreateHandshakeHash function is one of three functions used to generate a hash to use during the SSL
handshake.
1. The SslCreateHandshakeHash function is called to obtain a hash handle.
2. The SslHashHandshake function is called any number of times with the hash handle to add data to the hash.
3. The SslComputeFinishedHash function is called with the hash handle to obtain the digest of the hashed data.
Requirements
Minimum supported client Windows Vista [desktop apps only]
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslDecrementProviderReferenceCount function decrements the references to the Secure Sockets Layer
protocol (SSL) provider.
Syntax
SECURITY_STATUS WINAPI SslDecrementProviderReferenceCount(
_In_ NCRYPT_PROV_HANDLE hSslProvider
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
the SslDecr yptPacket function decrypts a single Secure Sockets Layer protocol (SSL) packet.
Syntax
SECURITY_STATUS WINAPI SslDecryptPacket(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Inout_ NCRYPT_KEY_HANDLE hKey,
_In_ PBYTE *pbInput,
_In_ DWORD cbInput,
_Out_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_ ULONGLONG SequenceNumber,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Remarks
The length of the packet can be zero, such as when a "HelloRequest" message is decrypted.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslEncr yptPacket function encrypts a single Secure Sockets Layer protocol (SSL) packet.
Syntax
SECURITY_STATUS WINAPI SslEncryptPacket(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Inout_ NCRYPT_KEY_HANDLE hKey,
_In_ PBYTE *pbInput,
_In_ DWORD cbInput,
_Out_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_ ULONGLONG SequenceNumber,
_In_ DWORD dwContentType,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
d
w
C
o
n
t
e
n
t
T
y
p
e
[
i
n
]
The content type that corresponds to this packet, which specifies the higher level protocol used to process the
enclosed packet.
VA L UE M EA N IN G
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslEnumCipherSuites function enumerates the cipher suites supported by a Secure Sockets Layer protocol
(SSL) protocol provider.
Syntax
SECURITY_STATUS WINAPI SslEnumCipherSuites(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_opt_ NCRYPT_KEY_HANDLE hPrivateKey,
_Out_ NCRYPT_SSL_CIPHER_SUITE **ppCipherSuite,
_Inout_ PVOID *ppEnumState,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
h
P
r
i
v
a
t
e
K
e
y
[
i
n
,
o
p
t
i
o
n
a
l
]
The handle of a private key. When a private key is specified, SslEnumCipherSuites enumerates the cipher
suites that are compatible with the private key. For example, if the private key is a DSS key, then only the
DSS_DHE cipher suites are returned. If the private key is an RSA key, but it does not support raw decryption
operations, then the SSL2 cipher suites are not returned.
Set this parameter to NULL when you are not specifying a private key.
NOTE
A hPrivateKey handle is obtained by calling the SslOpenPrivateKey function. Handles obtained from the
NCr yptOpenKey function are not supported.
p
p
C
i
p
h
e
r
S
u
i
t
e
[
o
u
t
]
A pointer to a NCRYPT_SSL_CIPHER_SUITE structure to receive the address of the next cipher suite in the
list.
p
p
E
n
u
m
S
t
a
t
e
[
i
n
,
o
u
t
]
A pointer to a buffer that indicates the current position in the list of cipher suites.
Set the pointer to NULL on the first call to SslEnumCipherSuites . On each subsequent call, pass the
unmodified value back to SslEnumCipherSuites .
When there are no more cipher suites available, you should free ppEnumState by calling the SslFreeBuffer
function.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
To enumerate all cipher suites supported by the SSL provider, call the SslEnumCipherSuites function in a loop
until NTE_NO_MORE_ITEMS is returned.
Requirements
Header
Sslp
rovi
der.
h
Library
Ncry
pt.li
b
DLL
Ncry
pt.dl
l
See also
N
C
R
Y
P
T
_
S
S
L
_
C
I
P
H
E
R
_
S
U
I
T
E
minutes to read • Edit Online
The SslEnumProtocolProviders function returns an array of installed Secure Sockets Layer protocol (SSL)
protocol providers.
Syntax
SECURITY_STATUS WINAPI SslEnumProtocolProviders(
_Out_ DWORD *pdwProviderCount,
_Out_ NCryptProviderName **ppProviderList,
_In_ DWORD dwFlags
);
Parameters
p A pointer to a DWORD value to receive the number of protocol providers returned.
d
w
P
r
o
v
i
d
e
r
C
o
u
n
t
[
o
u
t
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
When you have finished using the array of NCr yptProviderName structures, call the SslFreeBuffer function to
free the array.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslExpor tKey function returns an Secure Sockets Layer protocol (SSL) session key or public ephemeral key
into a serialized BLOB.
Syntax
SECURITY_STATUS WINAPI SslExportKey(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hKey,
_In_ LPCWSTR pszBlobType,
_Out_opt_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
h
K
e
y
[
i
n
]
p
s
z
B
l
o
b
T
y
p
e
[
i
n
]
A null-terminated Unicode string that contains an identifier that specifies the type of BLOB to export. This can
be one of the following values.
VA L UE M EA N IN G
p
b
O
u
t
p
u
t
[
o
u
t
,
o
p
t
i
o
n
a
l
]
The address of a buffer that receives the key BLOB. The cbOutput parameter contains the size of this buffer. If
this parameter is NULL , this function will place the required size, in bytes, in the DWORD pointed to by the
pcbResult parameter.
c The size, in bytes, of the pbOutput buffer.
b
O
u
t
p
u
t
[
i
n
]
p
c
b
R
e
s
u
l
t
[
o
u
t
]
The address of a DWORD variable that receives the number of bytes copied to the pbOutput buffer. If the
pbOutput parameter is set to NULL when the function is called, the required size for the pbOutput buffer, in
bytes, is returned in the DWORD pointed to by this parameter.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
The SslExpor tKey function facilitates transporting session keys from one process to another as well as exporting
the public portion an ephemeral key.
When exporting session keys, the BLOB type is opaque, meaning that the format of the BLOB is irrelevant as long
as both the SslExpor tKey and SslImpor tKey functions can interpret it.
When exporting the public portion of an ephemeral key the BLOB type must be the appropriate type, such as
NCRYPT_DH_PUBLIC_BLOB or NCRYPT_ECCPUBLIC_BLOB .
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Exports keying material per the RFC 5705 standard. This function uses the TLS pseudorandom function to produce
a byte buffer of keying material. It takes a reference to the master secret, the disambiguating ASCII label, client and
server random values, and optionally the application context data.
Syntax
SECURITY_STATUS WINAPI SslExportKeyingMaterial(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hMasterKey,
_In_ PCHAR sLabel,
_In_ PBYTE pbRandoms,
_In_ DWORD cbRandoms,
_In_opt_ PBYTE pbContextValue,
_In_ WORD cbContextValue,
_Out_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_In_ DWORD dwFlags
);
Parameters
h The handle of the TLS protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
h The handle of the master key object that will be used to create the keying material to br exported.
M
a
s
t
e
r
K
e
y
[
i
n
]
s
L
a
b
e
l
[
i
n
]
a NUL-terminated ASCII label string. Schannel will remove the terminating NUL character before passing it to
the pseudorandom function.
p
b
R
a
n
d
o
m
s
[
i
n
]
A pointer to a buffer that contains a concatenation of the client_random and server_random values of the TLS
connection.
p
b
C
o
n
t
e
x
t
V
a
l
u
e
[
i
n
,
o
p
t
i
o
n
a
l
]
A pointer to a buffer that contains the application context. If pbContextValue is NULL , cbContextValue must
be zero.
p
b
O
u
t
p
u
t
[
o
u
t
]
The address of a buffer that receives the exported keying material. The cbOutput parameter contains the size
of this buffer. This value cannot be NULL .
c The length, in bytes, of the pbOutput buffer. Must be greater than zero.
b
O
u
t
p
u
t
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslFreeBuffer function is used to free memory that was allocated by one of the Secure Sockets Layer
protocol (SSL) provider functions.
Syntax
SECURITY_STATUS WINAPI SslFreeBuffer(
_In_ PVOID pvInput
);
Parameters
p A pointer to the memory buffer to be freed.
v
I
n
p
u
t
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslFreeObject(
_In_ NCRYPT_HANDLE hObject,
_In_ DWORD dwFlags
);
Parameters
h The handle of the object to free.
O
b
j
e
c
t
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslGenerateMasterKey function computes the Secure Sockets Layer protocol (SSL) master secret key.
Syntax
SECURITY_STATUS WINAPI SslGenerateMasterKey(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hPrivateKey,
_In_ NCRYPT_KEY_HANDLE hPublicKey,
_Out_ NCRYPT_KEY_HANDLE *phMasterKey,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ PNCryptBufferDesc pParameterList,
_Out_ PBYTE pbOutput,
_In_ DWORD cbOutput,
_Out_ DWORD *pcbResult,
_In_ DWORD dwFlags
);
Parameters
h The handle to the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
P
a
r
a
m
e
t
e
r
L
i
s
t
[
i
n
]
A pointer to an array of NCr yptBuffer buffers that contain information used as part of the key exchange
operation. The precise set of buffers is dependent on the protocol and cipher suite that is used. At the
minimum, the list will contain buffers that contain the client and server supplied random values.
p
b
O
u
t
p
u
t
[
o
u
t
]
The address of a buffer that receives the premaster secret encrypted with the public key of the server. The
cbOutput parameter contains the size of this buffer. If this parameter is NULL , this function returns the
required size, in bytes, in the DWORD pointed to by the pcbResult parameter.
NOTE
This buffer is used when performing a RSA key exchange.
p A pointer to a DWORD value in which to place number of bytes written to the pbOutput buffer.
c
b
R
e
s
u
l
t
[
o
u
t
]
d Specifies whether this function is being used for client-side or server-side key exchange.
w
F VA L UE M EA N IN G
l
a Specifies a client-side key exchange.
NC
g RYP
s T_S
[ SL_
CLI
i ENT
n _FL
] AG
0x0
000
000
1
VA L UE M EA N IN G
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslGenerateSessionKeys function generates a set of Secure Sockets Layer protocol (SSL) session keys.
Syntax
SECURITY_STATUS WINAPI SslGenerateSessionKeys(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hMasterKey,
_Out_ NCRYPT_KEY_HANDLE *phReadKey,
_Out_ NCRYPT_KEY_HANDLE *phWriteKey,
_In_ PNCryptBufferDesc pParameterList,
_In_ DWORD dwFlags
);
Parameters
h The handle to the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
P
a
r
a
m
e
t
e
r
L
i
s
t
[
i
n
]
A pointer to an array of NCr yptBuffer buffers that contain information used as part of the key exchange
operation. The precise set of buffers is dependent on the protocol and cipher suite that is used. At the
minimum, the list will contain buffers that contain the client and server supplied random values.
d This parameter is reserved for future use.
w
F
l
a
g
s
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslGetCipherSuitePRFHashAlgorithm function returns the Cryptography API: Next Generation (CNG)
Algorithm Identifier of the hashing algorithm that is used for the Transport Layer Security protocol (TLS) pseudo-
random function (PRF) for the input protocol, cipher suite, and key type.
Syntax
SECURITY_STATUS WINAPI SslGetCipherSuitePRFHashAlgorithm(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ DWORD dwKeyType,
_Out_ WCHAR szPRFHash[NCRYPT_SSL_MAX_NAME_SIZE],
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
d
w
K
e
y
T
y
p
e
[
i
n
]
One of the CNG SSL Provider Key Type Identifier values. For key types that are not elliptic curve
cryptography (ECC), set this parameter to zero.
s One of the CNG Algorithm Identifiers for the hash that will be used for the TLS PRF.
z
P
R
F
H
a
s
h
[
o
u
t
]
d This parameter is reserved for future use and must be set to zero.
w
F
l
a
g
s
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
This SslGetCipherSuitePRFHashAlgorithm function is called for TLS 1.2 or later conversations to query the
hashing algorithm that will be used in the TLS PRF.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslGetKeyProper ty function retrieves the value of a named property for a Secure Sockets Layer protocol
(SSL) provider key object.
Syntax
SECURITY_STATUS WINAPI SslGetKeyProperty(
_In_ NCRYPT_KEY_HANDLE hKey,
_In_ LPCWSTR pszProperty,
_Out_ PBYTE ppbOutput,
_Out_ DWORD *pcbOutput,
_In_ DWORD dwFlags
);
Parameters
h The handle of the SSL provider.
K
e
y
[
i
n
]
p
s
z
P
r
o
p
e
r
t
y
[
i
n
]
A pointer to a null-terminated Unicode string that contains the name of the property to retrieve. This can be
one of the predefined Key Storage Proper ty Identifiers or a custom property identifier.
p
p
b
O
u
t
p
u
t
[
o
u
t
]
A pointer to a buffer that receives the property value. The caller of the function must free this buffer by
calling the SslFreeBuffer function.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslGetProviderProperty(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ LPCWSTR pszProperty,
_Out_ PBYTE ppbOutput,
_Out_ DWORD *pcbOutput,
_Inout_ PVOID *ppEnumState,
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) provider for which to retrieve the property.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p A pointer to a null-terminated Unicode string that contains the name of the property to retrieve.
s
z
P
r
o
p
e
r
t
y
[
i
n
]
p
p
E
n
u
m
S
t
a
t
e
[
i
n
,
o
u
t
]
The address of a VOID pointer that receives enumeration state information that is used in subsequent calls to
this function. This information only has meaning to the SSL provider and is opaque to the caller. The SSL
provider uses this information to determine which item is next in the enumeration. If the variable pointed to
by this parameter contains NULL , the enumeration is started from the beginning.
The caller of the function must free this memory by calling the SslFreeBuffer function.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslHashHandshake(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Inout_ NCRYPT_HASH_HANDLE hHandshakeHash,
_Out_ PBYTE pbInput,
_In_ DWORD cbInput,
_In_ DWORD dwFlags
);
Parameters
h The handle to the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
Return value
If the function succeeds, it returns zero.
Remarks
The SslHashHandshake function is one of three functions used to generate a hash to use during the SSL
handshake.
1. The SslCreateHandshakeHash function is called to obtain a hash handle.
2. The SslHashHandshake function is called any number of times with the hash handle to add data to the hash.
3. The SslComputeFinishedHash function is called with the hash handle to obtain the digest of the hashed data.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslImpor tKey function imports a key into the Secure Sockets Layer protocol (SSL) protocol provider.
Syntax
SECURITY_STATUS WINAPI SslImportKey(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Out_ NCRYPT_KEY_HANDLE *phKey,
_In_ LPCWSTR pszBlobType,
_In_ PBYTE pbKeyBlob,
_In_ DWORD cbKeyBlob,
_In_ DWORD dwFlags
);
Parameters
h The handle to the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p A pointer to the handle of the cryptographic key to receive the imported key.
h
K
e
y
[
o
u
t
]
p
s
z
B
l
o
b
T
y
p
e
[
i
n
]
A null-terminated Unicode string that contains an identifier that specifies the type of BLOB that is contained
in the pbInput buffer. This can be one of the following values.
VA L UE M EA N IN G
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Remarks
You can use the SslImpor tKey function to import session keys as a part of the process of transferring session
keys from one process to another.
Requirements
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslImpor tMasterKey function performs a server-side Secure Sockets Layer protocol (SSL) key exchange
operation.
Syntax
SECURITY_STATUS WINAPI SslImportMasterKey(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hPrivateKey,
_Out_ NCRYPT_KEY_HANDLE *phMasterKey,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ PNCryptBufferDesc pParameterList,
_In_ PBYTE pbEncryptedKey,
_In_ DWORD cbEncryptedKey,
_In_ DWORD dwFlags
);
Parameters
h The handle to the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
P
a
r
a
m
e
t
e
r
L
i
s
t
[
i
n
]
A pointer to an array of NCr yptBuffer buffers that contain information used as part of the key exchange
operation. The precise set of buffers is dependent on the protocol and cipher suite that is used. At the
minimum, the list will contain buffers that contain the client and server supplied random values.
p
b
E
n
c
r
y
p
t
e
d
K
e
y
[
i
n
]
A pointer to a buffer that contains the encrypted premaster secret key encrypted with the public key of the
server.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
This function decrypts the premaster secret, computes the SSL master secret, and returns a handle to this object to
the caller. This master key can then be used to derive the SSL session key and finish the SSL handshake.
NOTE
This function is used when the RSA key exchange algorithm is being used. When DH is used, then the server code calls
SslGenerateMasterKey instead.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslIncrementProviderReferenceCount function increments the reference count to a Secure Sockets Layer
protocol (SSL) provider instance.
Syntax
SECURITY_STATUS WINAPI SslIncrementProviderReferenceCount(
_In_ NCRYPT_PROV_HANDLE hSslProvider
);
Parameters
h The handle to the SSL protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslLookupCipherLengths(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ DWORD dwKeyType,
_Out_ NCRYPT_SSL_CIPHER_LENGTHS *pCipherLengths,
_In_ DWORD cbCipherLengths,
_In_ DWORD dwFlags
);
Parameters
h The handle of the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
d
w
K
e
y
T
y
p
e
[
i
n
]
One of the CNG SSL Provider Key Type Identifier values. For key types that are not elliptic curve
cryptography (ECC), set this parameter to zero.
p A pointer to a buffer to receive the NCRYPT_SSL_CIPHER_LENGTHS structure.
C
i
p
h
e
r
L
e
n
g
t
h
s
[
o
u
t
]
d This parameter is reserved for future use and must be set to zero.
w
F
l
a
g
s
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Remarks
The SslLookupCipherLengths function is called for Transport Layer Security protocol (TLS) 1.1 or later
conversations to query the header and trailer lengths for the requested protocol, cipher suite, and key type.
Requirements
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslLookupCipherSuiteInfo function retrieves the cipher suite information for a specified protocol, cipher
suite, and key type set.
Syntax
SECURITY_STATUS WINAPI SslLookupCipherSuiteInfo(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ DWORD dwProtocol,
_In_ DWORD dwCipherSuite,
_In_ DWORD dwKeyType,
_Out_ NCRYPT_SSL_CIPHER_SUITE *pCipherSuite,
_In_ DWORD dwFlags
);
Parameters
h The handle to the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
C
i
p
h
e
r
S
u
i
t
e
[
o
u
t
]
The address of a buffer that contains a NCRYPT_SSL_CIPHER_SUITE structure in which to write the cipher
suite information.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Syntax
SECURITY_STATUS WINAPI SslOpenPrivateKey(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_Out_ NCRYPT_KEY_HANDLE *phPrivateKey,
_In_ PCCERT_CONTEXT pCertContext,
_In_ DWORD dwFlags
);
Parameters
h The handle to the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
h
P
r
i
v
a
t
e
K
e
y
[
o
u
t
]
The address of a buffer in which to write the handle to the private key.
When you have finished using the key, you should free phPrivateKey by calling the SslFreeObject function.
p The address of the certificate from which to obtain the private key.
C
e
r
t
C
o
n
t
e
x
t
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
RET URN C O DE/ VA L UE DESC RIP T IO N
Remarks
The private key obtained is part of a public/private key pair within a certificate. This function merely extracts the
private key from the certificate specified by the pCertContext parameter.
Requirements
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslOpenProvider function opens a handle to the specified Secure Sockets Layer protocol (SSL) protocol
provider.
Syntax
SECURITY_STATUS WINAPI SslOpenProvider(
_Out_ NCRYPT_PROV_HANDLE *phSslProvider,
_In_ LPCWSTR pszProviderName,
_In_ DWORD dwFlags
);
Parameters
p The address of an NCRYPT_PROV_HANDLE in which to write the provider handle.
h
When you have finished using the handle, you should free it by calling the SslFreeObject function.
S
s
l
P
r
o
v
i
d
e
r
[
o
u
t
]
p
s
z
P
r
o
v
i
d
e
r
N
a
m
e
[
i
n
]
A pointer to a Unicode string that contains the provider name. If the value of this parameter is NULL , a
handle to the MS_SCHANNEL_PROVIDER is returned.
d This parameter is reserved for future use, and it must be set to zero.
w
F
l
a
g
s
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslSignHash function signs a hash by using the specified private key. The signing process is performed on the
server.
Syntax
SECURITY_STATUS WINAPI SslSignHash(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hPrivateKey,
_In_ PBYTE pbHashValue,
_In_ DWORD cbHashValue,
_Out_ PBYTE pbSignature,
_In_ DWORD cbSignature,
_Out_ DWORD *pcbResult,
_In_ DWORD dwFlags
);
Parameters
h The handle to the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
p
b
S
i
g
n
a
t
u
r
e
[
o
u
t
]
The address of a buffer that receives the signature of the hash. The cbSignature parameter contains the size
of this buffer. To determine the required sized size of the buffer, set the pbSignature parameter to NULL . The
required size of the buffer will be returned in the pcbResult parameter.
p
c
b
R
e
s
u
l
t
[
o
u
t
]
A pointer to a value that, upon completion, contains the actual number of bytes written to the pbSignature
buffer.
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
The SslVerifySignature function verifies the specified signature by using the supplied hash and the public key.
Syntax
SECURITY_STATUS WINAPI SslVerifySignature(
_In_ NCRYPT_PROV_HANDLE hSslProvider,
_In_ NCRYPT_KEY_HANDLE hPublicKey,
_In_ PBYTE pbHashValue,
_In_ DWORD cbHashValue,
_In_ PBYTE pbSignature,
_In_ DWORD cbSignature,
_In_ DWORD dwFlags
);
Parameters
h The handle to the Secure Sockets Layer protocol (SSL) protocol provider instance.
S
s
l
P
r
o
v
i
d
e
r
[
i
n
]
Return value
If the function succeeds, it returns zero.
If the function fails, it returns a nonzero error value.
Possible return codes include, but are not limited to, the following.
Remarks
The SslVerifySignature function is not currently called by Windows. This function is a required part of the SSL
Provider interface and should be fully implemented to ensure forward compatibility.
Current implementations of the server side of the Transport Layer Security protocol (TLS) connection call the
NCr yptVerifySignature function during the client authentication to process the certificate verify message.
Requirements
Header
Sslp
rovi
der.
h
DLL
Ncry
pt.dl
l
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following functions which are used to perform CNG Token
Binding operations.
TokenBindingDeleteBinding
TokenBindingGenerateBinding
TokenBindingGenerateMessage
TokenBindingGetKeyTypesClient
TokenBindingGetKeyTypesSer ver
TokenBindingVerifyMessage
minutes to read • Edit Online
Syntax
typedef struct __NCRYPT_UI_POLICY_BLOB {
DWORD dwVersion;
DWORD dwFlags;
DWORD cbCreationTitle;
DWORD cbFriendlyName;
DWORD cbDescription;
} NCRYPT_UI_POLICY_BLOB;
Members
d The version number of the structure. This member must contain 1.
w
V
e
r
s
i
o
n
c
b
C
r
e
a
t
i
o
n
T
i
t
l
e
The length, in bytes, of the creation title. The creation title is a null-terminated Unicode string that specifies
the text that is used as the title of the strong key dialog box when the key is completed. The creation title must
be placed immediately following the NCRYPT_UI_POLICY_BLOB structure. If the value of the
cbCreationTitle member is set to 0, a default creation title is used for the title of the strong key dialog box.
This member is only used on key finalization.
c
b
F
r
i
e
n
d
l
y
N
a
m
e
The length, in bytes, of the friendly name of the key. The friendly name is a null-terminated Unicode string
that contains the text that is displayed in the strong key dialog box as the name of the key. The friendly name
must be placed immediately following the creation title in this BLOB. If the value of the cbFriendlyName
member is set to 0, a default name is used in the strong key dialog box. This member is used both when the
key is completed and when the key is used.
c
b
D
e
s
c
r
i
p
t
i
o
n
The length, in bytes, of the key description. The key description is a null-terminated Unicode string that
contains the text that is displayed in the strong key dialog box as the description of the key. The description
value must be placed immediately following the friendly name in this BLOB. If the value of the
cbDescription member is set to 0, a default description is used in the strong key dialog box. This member is
used both when the key is completed and when the key is used.
Remarks
This structure is included in the Ncrypt_provider.h header. To use the structure, you must download the
Cryptographic Provider Development Kit from Microsoft Connect.
Requirements
Header
Ncry
pt_p
rovi
der.
h
minutes to read • Edit Online
Cryptography API: Next Generation (CNG) defines the following enumeration types.
BCRYPT_HASH_OPERATION_TYPE
BCRYPT_MULTI_OPERATION_TYPE
DSAFIPSVERSION_ENUM
HASHALGORITHM_ENUM
TOKENBINDING_EXTENSION_FORMAT
TOKENBINDING_TYPE