安全协议与标准从Cryoki到CryoAI

安全协议与标准linfb@2009,10PKCS#11andmoreOverview ↓APIUsage:Session ↓FunctionsSummary ↓FunctionsDetail/Example ↓Mechanisms:Algorithm,Protocol ↓Comparison

↓Implementation ↓GSS-API ↓GCS-API ↓CDSA ↓MS-CAPI ↓DEPOverviewIncryptography,PKCS#11isoneofthefamilyofstandardscalledPublic-KeyCryptographyStandards(PKCS),publishedbyRSALaboratories.Itdefinesaplatform-independentAPItocryptographictokens,suchasHardwareSecurityModulesandsmartcards.(ThePKCS#11standardnamestheAPI"Cryptoki",butisoftenusedtorefertotheAPIaswellasthestandardthatdefinesit.)Sincethereisn'tarealstandardforcryptographictokens,thisAPIhasbeendevelopedtobeanabstractionlayerforthegenericcryptographictoken.ThePKCS#11APIdefinesmostcommonlyusedcryptographicobjecttypes(RSAkeys,X.509Certificates,DES/TripleDESkeys,etc.)andallthefunctionsneededtouse,create/generate,modifyanddeletethoseobjects.-PKCS#11islargelyadoptedtoaccesssmartcardsandHSMs.MostcommercialCertificationAuthoritysoftwareusesPKCS#11toaccesstheCAsigningkeyortoenrollusercertificates.Cross-platformsoftwarethatneedstousesmartcardsusesPKCS#11,suchasMozillaFirefoxandOpenSSL(usinganextension).NSS(inFirefox)“pkcs-11v2-20.doc”BackgroundPortablecomputingdevicessuchassmartcards,PCMCIAcards,andsmartdiskettesareidealtoolsforimplementingpublic-keycryptography,astheyprovideawaytostore

theprivate-keycomponentofapublic-key/private-keypairsecurely,underthecontrolofasingleuser.Withsuchadevice,acryptographicapplication,ratherthanperformingcryptographicoperationsitself,utilizesthedevicetoperformtheoperations,withsensitiveinformationsuchasprivatekeysneverbeingrevealed.Asmoreapplicationsaredevelopedforpublic-keycryptography,astandardprogramminginterfaceforthesedevicesbecomesincreasinglyvaluable.Thisstandardaddressesthisneed.kaMemorycardSmartcardPCMCIA/CardBusUSBflashdriveUSBKeyExpressCardPCIExpress口令之外口令登录指纹登录智能卡登录登录次数的限制PIN和lock功能SSO其他生物识别认证技术

抽象：TokenTheprimarygoalofCryptokiwasalower-levelprogramminginterfacethatabstractsthedetailsofthedevices,andpresentstotheapplicationacommonmodelofthecryptographicdevice,calleda“cryptographictoken”(orsimply“token”).Atokenisadevicethatstoresobjectsandcanperformcryptographicfunctions.（cryptoki是token的接口）GeneralCryptokiModelObjectHierarchyCryptokidefinesthreeclassesofobjectUsersThisversionofCryptokirecognizestwotokenusertypes.OnetypeisaSecurityOfficer(SO).Theothertypeisthenormaluser.TheroleoftheSOistoinitializeatokenandtosetthenormaluser’sPIN,andpossiblytomanipulatesomepublicobjects.Onlythenormaluserisallowedaccesstoprivateobjectsonthetoken,andthataccessisgrantedonlyafterthenormaluserhasbeenauthenticated.SessionCryptokirequiresthatanapplicationopenoneormoresessionswithatokentogainaccesstothetoken’’sobjectsandfunctions.Asessionprovidesalogicalconnectionbetweentheapplicationandthetoken.Cryptokisupportsmultiplesessionsonmultipletokens.Asessioncanbearead/write(R/W)sessionoraread-only(R/O)session.SessioneventsSessioneventscausethesessionstatetochange.Thefollowingtabledescribestheevents:EventOccurswhen...LogInSOtheSOisauthenticatedtothetoken.LogInUserthenormaluserisauthenticatedtothetoken.LogOuttheapplicationlogsoutthecurrentuser(SOornormaluser).CloseSessiontheapplicationclosesthesessionorclosesallsessions.DeviceRemovedthedeviceunderlyingthetokenhasbeenremovedfromitsslot.Read-OnlySessionStatesRead/WriteSessionStatesAccesstoDifferentTypesObjectsbyDifferentTypesofSessionsTypeofsessionTypeofobjectR/OPublicR/WPublicR/OUserR/WUserR/WSOPublicsessionobjectR/WR/WR/WR/WR/WPrivatesessionobjectR/WR/WPublictokenobjectR/OR/WR/OR/WR/WPrivatetokenobjectR/OR/Wwithfork()ConsideraUNIXprocessPwhichbecomesaCryptokiapplicationbycallingC_Initialize,andthenusesthefork()systemcalltocreateachildprocessC.ifCneedstouseCryptoki,itneedstoperformitsownC_Initializecall.(andthenC_Finalizeaftersomeotheroperations)ifithasnoneedtouseCryptoki,itshouldimmediatelycallC_InitializeandthencallC_Finalize.withmulti-threadCryptokienablesapplicationstoprovideinformationtolibrariessothattheycangiveappropriatesupportformulti-threading.Inparticular,whenanapplicationinitializesaCryptokilibrarywithacalltoC_Initialize,itcanspecifyoneoffourpossiblemulti-threadingbehaviorsforthelibrary:SummaryofCryptokiFunctionsCategoryFunctionDescriptionGeneralpurposeFunctionsC_InitializeinitializesCryptokiC_FinalizecleanupmiscellaneousCryptoki-associatedresourcesC_GetInfoobtainsgeneralinformationaboutCryptokiC_GetFunctionListobtainsentrypointsofCryptokilibraryfunctionsSlotandtokenanagementfunctionsSlotandtokenmanagementfunctionsC_GetSlotListobtainsalistofslotsinthesystemC_GetSlotInfoobtainsinformationaboutaparticularslotC_GetTokenInfoobtainsinformationaboutaparticulartokenC_WaitForSlotEventwaitsforaslotevent(tokeninsertion,removal,etc.)tooccurC_GetMechanismListobtainsalistofmechanismssupportedbyatokenC_GetMechanismInfoobtainsinformationaboutaparticularmechanismC_InitTokeninitializesatokenC_InitPINinitializesthenormaluser’sPINC_SetPINmodifiesthePINofthecurrentuserSessionManagementFunctionsSession

managementFunctionsC_OpenSessionopensaconnectionbetweenanapplicationandaparticulartokenorsetsupanapplicationcallbackfortokeninsertionC_CloseSessionclosesasessionC_CloseAllSessionsclosesallsessionswithatokenC_GetSessionInfoobtainsinformationaboutthesessionC_GetOperationStateobtainsthecryptographicoperationsstateofasessionC_SetOperationStatesetsthecryptographicoperationsstateofasessionC_LoginlogsintoatokenC_LogoutlogsoutfromatokenObjectmanagementfunctionsObjectmanagementfunctionsC_CreateObjectcreatesanobjectC_CopyObjectcreatesacopyofanobjectC_DestroyObjectdestroysanobjectC_GetObjectSizeobtainsthesizeofanobjectinbytesC_GetAttributeValueobtainsanattributevalueofanobjectC_SetAttributeValuemodifiesanattributevalueofanobjectC_FindObjectsInitinitializesanobjectsearchoperationC_FindObjectscontinuesanobjectsearchoperationC_FindObjectsFinalfinishesanobjectsearchoperationEncryption/DecryptionfunctionsEncryptionfunctionsC_EncryptInitinitializesanencryptionoperationC_Encryptencryptssingle-partdataC_EncryptUpdatecontinuesamultiple-partencryptionoperationC_EncryptFinalfinishesamultiple-partencryptionoperationDecryptionfunctionsC_DecryptInitinitializesadecryptionoperationC_Decryptdecryptssingle-partencrypteddataC_DecryptUpdatecontinuesamultiple-partdecryptionoperationC_DecryptFinalfinishesamultiple-partdecryptionoperationMessagedigestingfunctionsMessagedigestingfunctionsC_DigestInitinitializesamessage-digestingoperationC_Digestdigestssingle-partdataC_DigestUpdatecontinuesamultiple-partdigestingoperationC_DigestKeydigestsakeyC_DigestFinalfinishesamultiple-partdigestingoperationSigningandMACingfunctionsSigningandMACingfunctionsC_SignInitinitializesasignatureoperationC_Signsignssingle-partdataC_SignUpdatecontinuesamultiple-partsignatureoperationC_SignFinalfinishesamultiple-partsignatureoperationC_SignRecoverInitinitializesasignatureoperation,wherethedatacanberecoveredfromthesignatureC_SignRecoversignssingle-partdata,wherethedatacanberecoveredfromthesignatureFunctionsforverifyingsignaturesandMACsFunctionsforverifyingsignaturesandMACsC_VerifyInitinitializesaverificationoperationC_Verifyverifiesasignatureonsingle-partdataC_VerifyUpdatecontinuesamultiple-partverificationoperationC_VerifyFinalfinishesamultiple-partverificationoperationC_VerifyRecoverInitinitializesaverificationoperationwherethedataisrecoveredfromthesignatureC_VerifyRecoververifiesasignatureonsingle-partdata,wherethedataisrecoveredfromthesignatureDual-purposecryptographicfunctionsDual-purposecryptographicfunctionsC_DigestEncryptUpdatecontinuessimultaneousmultiple-partdigestingandencryptionoperationsC_DecryptDigestUpdatecontinuessimultaneousmultiple-partdecryptionanddigestingoperationsC_SignEncryptUpdatecontinuessimultaneousmultiple-partsignatureandencryptionoperationsC_DecryptVerifyUpdatecontinuessimultaneousmultiple-partdecryptionandverificationoperationsKeymanagementfunctionsKeymanagementfunctionsC_GenerateKeygeneratesasecretkeyC_GenerateKeyPairgeneratesapublic-key/private-keypairC_WrapKeywraps(encrypts)akeyC_UnwrapKeyunwraps(decrypts)akeyC_DeriveKeyderivesakeyfromabasekeyRandomnumbergenerationfunctionsRandomnumbergenerationfunctionsC_SeedRandommixesinadditionalseedmaterialtotherandomnumbergeneratorC_GenerateRandomgeneratesrandomdataParallelfunctionmanagementFunctionsParallelfunctionmanagementFunctionsC_GetFunctionStatuslegacyfunctionwhichalwaysreturnsCKR_FUNCTION_NOT_PARALLELC_CancelFunctionlegacyfunctionwhichalwaysreturnsCKR_FUNCTION_NOT_PARALLELCallbackfunctionCallbackfunctionapplication-suppliedfunctiontoprocessnotificationsfromCryptokiFunctionsdetailCK_DEFINE_FUNCTION(CK_RV,C_Initialize)(CK_VOID_PTRpInitArgs);CK_DEFINE_FUNCTION(CK_RV,C_Finalize)(CK_VOID_PTRpReserved

);…ExampleCK_INFOinfo;CK_RVrv;CK_C_INITIALIZE_ARGSInitArgs;InitArgs.CreateMutex=&MyCreateMutex;InitArgs.DestroyMutex=&MyDestroyMutex;InitArgs.LockMutex=&MyLockMutex;InitArgs.UnlockMutex=&MyUnlockMutex;InitArgs.flags=CKF_OS_LOCKING_OK;InitArgs.pReserved=NULL_PTR;rv=C_Initialize((CK_VOID_PTR)&InitArgs);assert(rv==CKR_OK);rv=C_GetInfo(&info);assert(rv==CKR_OK);if(info.version.major==2){/*Dolotsofinterestingcryptographicthingswiththetoken*/..}rv=C_Finalize(NULL_PTR);assert(rv==CKR_OK);Mechanisms:AlgorithmRSA/DSA/EC/D-HKEA/KeyderivationHMACRC2/RC4/RC5/AES/2/3DES/SKIPJACK/BATON/JUNIPER/Blowfish/TwofishMD2/MD5/SHA-1/SHA-256/SHA-384/SHA-512/FASTHASH/RIPE-MDPKCS#5/PKCS#12/LYNKSMechanisms:ProtocolSETSSL/TLS/WTLSCMSComparisonofCryptokiandotherAPIs:

GCS-APIvs.CryptokiGCS-APICryptokiimplementationretrieve_CCrelease_CCgenerate_hashC_DigestInit,C_Digestgenerate_random_numberC_GenerateRandomgenerate_checkvalueC_SignInit,C_Sign,C_SignUpdate,C_SignFinalverify_checkvalueC_VerifyInit,C_Verify,C_VerifyUpdate,C_VerifyFinaldata_encipherC_EncryptInit,C_Encrypt,C_EncryptUpdate,C_EncryptFinaldata_decipherC_DecryptInit,C_Decrypt,C_DecryptUpdate,C_DecryptFinalcreate_CCderive_keyC_DeriveKeygenerate_keyC_GenerateKeystore_CCdelete_CCreplicate_CCexport_keyC_WrapKeyimport_keyC_UnwrapKeyarchive_CCC_WrapKeyrestore_CCC_UnwrapKeyset_key_stategenerate_key_patternverify_key_patternderive_clear_keyC_DeriveKeygenerate_clear_keyC_GenerateKeyload_key_partsclear_key_encipherC_WrapKeyclear_key_decipherC_UnwrapKeychange_key_contextload_initial_keygenerate_initial_keyset_current_master_keyprotect_under_new_master_keyprotect_under_current_master_keyinitialise_random_number_generatorC_SeedRandominstall_algorithmde_install_algorithmdisable_algorithmenable_algorithmset_defaultsImplementationPKCS#11ProviderPKCS#11WrapperImplementationFirefox+opencryptokiinubuntuNSSNSS:ProvenApplicationSecurityArchitectureNSSprovidesacompleteopen-sourceimplementationofthecryptolibrariesusedbyAOL,RedHat,Sun,andothercompaniesinavarietyofproducts,includingthefollowing:TheMozillaclientproducts,includingMozillaSuite,Firefox,andThunderbird.TheNetscapebrowsersAOLCommunicatorandAOLInstantMessenger(AIM)OpensourceclientapplicationssuchasEvolution,Gaim,andOpenOffice.ServerproductsfromRedHat:RedHatDirectoryServer,RedHatCertificateSystem,andthemod_nssSSLmodulefortheApachewebserver.ServerproductsfromtheSunJavaEnterpriseSystem,includingSunJavaSystem(SJS)WebServer,SJSDirectoryServer,SJSPortalServer,SJSMessagingServer,andSJSApplicationServer.BuildFirefoxwithNSSWindowsXPVisualStudio6/7.1/8MozillaBuildMozilla/FirefoxSourceCode\mozilla\security\nss\制作配配置文文件.mozconfig（备注注行））运行start-msvc71.bat$make-fclient.mkbuild耗时编译好好的在在.\ff-opt-static\dist\bin绿色版版PKCS#11wrappersSincePKCS#11isacomplexCAPImanywrappersexistthatletthedeveloperusetheAPIfromvariouslanguages.PyKCS11-AwrapperforPythonPythonobject-orientedwrapperforPKCS11(Cryptoki)Java5.0includesawrapperforPKCS#11APIpkcs11-helper-AsimpleopensourceCinterfacetohandlePKCS#11tokens.GSS-APIbyIETFGenericSecurityServicesApplicationProgrammingInterfaceGSS-APIisanapplicationprogramminginterfaceforprogramstoaccesssecurityservices.TheGSSAPIisanIETFstandardthataddressestheproblemofmanysimilarbutincompatiblesecurityservicesinusetoday.-compatibleinterfaceTheGSSAPI,byitself,doesnotprovideanysecurity.Instead,securityservicevendorsprovideGSSAPIimplementationsusuallyintheformoflibrariesinstalledwiththeirsecuritysoftware.TheselibrariespresentaGSSAPI-compatibleinterfacetoapplicationwriterswhocanwritetheirapplicationtouseonlythevendor-independentGSSAPI.Ifthesecurityimplementationeverneedsreplacing,theapplicationneednotberewritten.GSSAPItokensThedefinitivefeatureofGSSAPIapplicationsistheexchangeofopaquemessages(tokens)thathidetheimplementationdetailfromthehigherlevelapplication.TheclientandserversidesoftheapplicationarewrittentoconveythetokensgiventothembytheirrespectiveGSSAPIimplementations.GSSAPItokenscanbesentoveraninsecurenetworkbecausethemechanismsguaranteeinherentmessagesecurity.Aftersomenumberoftokenshavebeenexchanged,theGSSAPIatbothendsinformtheirlocalapplicationthatasecuritycontexthasbeenestablished.securitycontextOnceasecuritycontextisestablished,sensitiveapplicationmessagescanbewrapped(encrypted)bytheGSSAPIforsecurecommunicationbetweenclientandserver.TypicalprotectionsguaranteedbyGSSAPIwrappingincludeconfidentiality(secrecy)andintegrity(authenticity).TheGSSAPIcanalsoprovidelocalguaranteesabouttheidentityoftheremoteuserorremotehost.HistoryoftheGSS-APIJuly1991:IETFCommonAuthenticationTechnology(CAT)WorkingGroupmeetsinAtlanta,ledbyJohnLinnSeptember1993:GSSAPIversion1(RFC1508,RFC1509)May1995:WindowsNT3.51released,includesSSPIJune1996:KerberosmechanismforGSSAPI(RFC1964)January1997:GSSAPIversion2(RFC2078)October1997:SASLpublished,includesGSSAPImechanism(RFC2222)January2000:GSSAPIversion2update1(RFC2743,RFC2744)August2004:KITTENworkinggroupmeetstocontinueCATactivitiesMay2006:SecureShelluseofGSSAPIstandardised(RFC4462)GSS-APIinRFCRFC2743TheGenericSecurityServiceAPIVersion2update1RFC2744TheGenericSecurityServiceAPIVersion2:C-BindingsRFC1964TheKerberos5GSS-APImechanismRFC4121TheKerberos5GSS-APImechanism:Version2RFC4178TheSimpleandProtectedGSS-APINegotiationMechanism(SPNEGO)RFC2025TheSimplePublic-KeyGSS-APIMechanism(SPKM)RFC2847LIPKEY-ALowInfrastructurePublicKeyMechanismUsingSPKMKeyconceptsNameAbinarystringthatlabelsasecurityprincipal(i.e.userorserviceprogram)-seeaccesscontrolandidentity.Forexample,Kerberosusesnameslikeuser@REALMforusersandservice/hostname@REALMforprograms.CredentialsInformationthatprovesanidentity;usedbyanentitytoactasthenamedprincipal.Credentialstypicallyinvolveasecretcryptographickey.ContextThestateofoneendoftheauthenticating/authenticatedprotocol.Mayprovidemessageprotectionservices,whichcanbeusedtocomposeasecurechannel.TokensOpaquemessagesexchangedeitheraspartoftheinitialauthenticationprotocol(context-leveltokens),oraspartofaprotectedcommunication(per-messagetokens)MechanismAnunderlyingGSSAPIimplementationthatprovidesactualnames,tokensandcredentials.KnownmechanismsincludeKerberos,NTLM,DistributedComputingEnvironment(DCE),SESAME,SPKM,LIPKEY.Initiator/acceptorThepeerthatsendsthefirsttokenistheinitiator;theothertheacceptor.Generally,theclientprogramistheinitiatorwhiletheserveristheacceptor.about45procedurecallsSignificantonesinclude:GSS_Acquire_cred-obtainstheuser'sidentityproof,oftenasecretcryptographickeyGSS_Import_name-convertsausernameorhostnameintoaformthatidentifiesasecurityentityGSS_Init_sec_context-generatesaclienttokentosendtotheserver,usuallyachallengeGSS_Accept_sec_context-processesatokenfromGSS_Init_sec_contextandcangeneratearesponsetokentoreturnGSS_Wrap-convertsapplicationdataintoasecuremessagetoken(typicallyencrypted)GSS_Unwrap-convertsasecuremessagetokenbackintoapplicationdataStandardizeTheGSSAPIhasbeenstandardizedfortheCandJavalanguages.LimitationsoftheGSSAPIincludethatitstandardizesonlyauthentication,andnotauthorization,andthatitassumesaclient-serverarchitecture.Anticipatingnewsecuritymechanisms,theGSSAPIincludesanegotiatingpseudomechanism,SPNEGO,thatcandiscoverandusenewmechanismsnotpresentwhentheoriginalapplicationwasbuilt.GSS&KerberosThedominantGSSAPImechanismimplementationinuseisKerberos.UnliketheGSSAPI,theKerberosAPIhasnotbeenstandardizedandvariousexistingimplementationsuseincompatibleAPIs.TheGSSAPIallowsKerberosimplementationstobeAPIcompatible.GSSAPI成为不同Kerberos的APIImplementationNextGenerationGSS-APIGCS-APIbyX/OpenAPIGCS-APIimplementtheGCS-APIisdesignedforcryptographic-awareapplicationsGCS-APIisnotrecommendedforgeneralapplicationsCDSACDSA标准与与规范four-layerarchitectureCDSAdefinesahorizontal,four-layerarchitecture:1.Applications2.Layeredservicesandmiddleware3.CommonSecurityServicesManager(CSSM)infrastructure4.SecurityServiceProviderModulesCDSA：安全全体系架架构图TheCDSAv2.3isorganizedinto15parts1.TheCDSAarchitecture2.CommonSecurityServicesManager(CSSM)APIsforcoreservices

3.CryptographicServiceProviders(CSP)4.TrustPolicyServices(TP)5.AuthorizationComputationServices(AC)

6.CertificateLibraryServices(CL)7.DataStorageLibraryServices(DL)

8.ModuleDirectoryService(MDS)9.KeyRecoveryServices(KR)10.EmbeddedIntegrityServicesLibrary(EISL)11.SignedManifest12.ObjectIdentifiersforCertficateLibraryModules13.ElectiveModuleManager(EMM)14.Add-inModuleStructureandAdministration15.Appendices,Glossary,andIndexCDSA优缺点点工业标准准：通用用性、可可扩展性性、安全性：：单一模模式的安安全解决决方案，，不足性能：难难以适应应小环境境CDSA实现CDSA实现/projects/cdsa/cdsacode_314.zip/cdsadocs_314.zipcdsa_man.zip/cts_313.zipBuildCDSAinlinux建议Redhat9OpenSSLwithRC5./configenable-rc5--prefix=/usr/local/ssl#.configure（在cdsa目录make之前）还要修改几个个小bugvoidmain()，少include了sha.h等，真ftTheSecurityForuminX/Open(opengroup)WorkingGroupsAutoComplianceExpertCOAFrameworkCOAReferenceArch.EcosystemforSecurityRiskMgmt-FAIRSecureEnterprise2.0SecureMobileArch.SecurityArch(ESA)SecurityDesignPatternsSecurityGuidesSecurityStrategySOAandSecurityTrustMgmt&Class'nUpdate-XDASMS-CAPISoftwarewrittenforMicrosoftWindowsmayusetheplatformspecificMS-CAPIAPIinstead.MS-CAPITheCryptographicApplicationProgrammingInterface(alsoknownvariouslyasCryptoAPI,MicrosoftCryptographyAPI,orsimplyCAPI)isanapplicationprogramminginterfaceincludedwithMicrosoftWindowsoperatingsystemsthatprovidesservicestoenabledeveloperstosecureWindows-basedapplicationsusingcryptography.Itisasetofdynamically-linkedlibrariesthatprovidesanabstractionlayerwhichisolatesprogrammersfromthecodeusedtoencryptthedata.CryptoAPIsupportsbothpublic-keyandsymmetrickeycryptography.Itincludesfunctionalityforencryptinganddecryptingdataandforauthenticationusingdigitalcertificates.ItalsoincludesacryptographicallysecurepseudorandomnumbergeneratorfunctionCryptGenRandom.CryptoAPIworkswithanumberofCSPs(CryptographicServiceProviders)installedonthemachine.CSPsarethemodulesthatdotheactualworkofencodinganddecodingdatabyperformingthecryptographicfunctions.CSPCryptoAPIworkswithanumberofCSPs(CryptographicServiceProviders)installedonthemachine.CSPsarethemodulesthatdotheactualworkofencodinganddecodingdatabyperformingthecryptographicfunctions.CSP/DLLMS对CSP/DLL的签名CAPI结构图图CAPI例子程程序5003.exeMSDNexample5003.zip改正了一一个bug加密/解密一个个文件相关CAPI函数CryptAcquireContextCryptReleaseContextCryptEncryptCryptDecryptCryptographyAPI:NextGeneration(CNG)WindowsVistafeaturesanupdatetotheCryptoAPIknownasCryptographyAPI:NextGeneration(CNG).IthasbetterAPIfactoringtoallowthesamefunctionstoworkusingawiderangeofcryptographicalgorithms,andtheinclusionofanumberofneweralgorithmsthatarepartoftheNationalSecurityAgency(NSA)SuiteB.Itisalsoflexible,featuringsupportforpluggingincustomcryptographicAPIsintotheCNGruntime.CNGworksinbothuserandkernelmode,andalsosupportsallofthealgorithmsfromtheCryptoAPI.TheMicrosoftproviderthatimplementsCNGishousedinBcrypt.dll.CNGalsosupportsEllipticCurveCryptographywhichisalsosecureandusesshorterkeysthanRSA.TheCNGAPIintegrateswiththesmartcardsubsystembyincludingaBaseSmartCardCryptographicServiceProvider(BaseCSP)modulewhichencapsulatesthesmartcardAPI.Smartcardmanufacturersjusthavetomaketheirdevicescompatiblewiththis,ratherthanprovideafrom-scratchsolution.DPAPI:DataprotectionAPIDPAPIarelativelyeasy-to-usecryptographyAPIavailableasastandardcomponentinMicrosoftWindows2000andlaterversionsofWindowsoperatingsystems.示例程序序连接库““Crypt32.lib”DPAPI例子子main(){DATA_BLOBin,out,in2;in.pbData=(BYTE*)"myinputtextasifnone";in.cbData=strlen("myinputtextasifnone")+1;BOOLb=CryptProtectData(&in,NULL,NULL,NULL,NULL,0,&out);if(b){b=CryptUnprotectData(&out,NULL,NULL,NULL,NULL,0,&in2);if(b)puts((char*)(in2.pbData));elseputs("err");}return0;}DataExecutionPrevention(DEP)DEPasecurityfeatureincludedinmodernMicrosoftWindowsoperatingsystemsthatisintendedtopreventanapplicationorservicefromexecutingcodefromanon-executablememoryregion.Thishelpspreventcertainexploitsthatstorecodeviaabufferoverflow,forexample.DEPwasintroducedinWindowsXPSP2,alsoinWindowsServer2003SP1andWindowsVista.Laterversionsoftheoperatingsystemssupportthisfeatureaswell.XP：数据执执行保护boot.inimulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="MicrosoftWindowsXPPro"/noexecute=optin/fastdetectLinux中中的“DEP”,andmoreDataExecutionPrevention(DEP)inLinuxinCPUNX:NoeXecutebyAMDXD:eXecuteDisablebyIntel(Open)CryptographicLibrariesOpenSSL,NSS,POSSE,OpenSSH,GnuTLS,MatrixSSL,cryptlib,GNUCrypto,Crypto++,BeeCrypt,Cryptlib,Cryptix,LibTomCrypt,libgcrypt,MIRACL,Cryptix,borZoi,TrysomeoftheseCryptoinJava/JDK/JREJavaSESecurityhomepage/javase/technologies/security/JDK6Security-relatedAPIs&DeveloperGuides/javase/6/docs/technotes/guides/security/REFdebian:~#aptitudesearchcrypt|wc8063264