Cryptography API: Next Generation (CNG) is the long-term replacement for the CryptoAPI. CNG is designed to be extensible at many levels and algorithm-agnostic in behavior. One of the key value propositions of CNG is cryptographic agility, sometimes called cryptographic agnosticism. Converting the implementations of protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), CMS (S/MIME), IPsec, Kerberos, and so on to CNG was, however, required to make this ability valuable. At the CNG level, it was necessary to provide substitution and discoverability for all the algorithm types (symmetric, asymmetric, hash functions), random number generation, and other utility functions.
CNG is intended for use by developers of applications that will enable users to create and exchange documents and other data in a secure environment, especially over non-secure media such as the Internet. Developers should be familiar with the C and C++ programming languages and the Windows-based programming environment. Although not required, an understanding of cryptography or security-related subjects is advised. Some of the new features in CNG include:
A new crypto configuration system, supporting better cryptographic agility.
Finer-grained abstraction for key storage (and separation of storage from algorithm operations).
Process isolation for operations with long-term keys.
Replaceable random number generators.
Relief from export signing restrictions.
Thread-safety throughout the stack.
Kernel-mode cryptographic API.
Run-time requirements:
CNG is supported beginning with Windows Server 2008 and Windows Vista. It is positioned to replace existing uses of CryptoAPI throughout the Microsoft software stack. In addition, CNG includes support for all required Suite B algorithms, including elliptic curve cryptography (ECC). Existing CryptoAPI applications will continue to work as CNG becomes available.
CNG is validated to Federal Information Processing Standards (FIPS) 140-2 and is part of the Target of Evaluation for the Windows Common Criteria certification. CNG was designed to be usable as a component in a FIPS 140-2 Level 2 validated system. CNG complies with Common Criteria requirements by storing and using long-lived keys in a secure process.
Suite B Support:
Another important feature of CNG is its support for the Suite B algorithms. In February 2005, the National Security Agency (NSA) of the United States announced a coordinated set of symmetric encryption, asymmetric secret agreement (also known as key exchange), digital signature, and hash functions for future U.S. government use, called Suite B. The NSA has announced that certified Suite B implementations can and will be used for the protection of information designated as Top Secret, Secret, and private information that, in the past, was described as Sensitive-But-Unclassified. Because of this, Suite B support is very important to application software vendors and system integrators as well as to Microsoft.
All Suite B algorithms are publicly known. They have been developed outside the scope of the government secrecy historically associated with cryptographic algorithm development. In this same time frame, some European countries and regions have also proposed the same Suite B requirements for protecting their information.
Suite B cryptography recommends the use of elliptic curve Diffie-Hellman (ECDH) in many existing protocols such as the Internet Key Exchange (IKE, mainly used in IPsec), Transport Layer Security (TLS), and Secure MIME (S/MIME).
CNG includes support for Suite B that extends to all required algorithms: AES (all key sizes), the SHA-2 family (SHA-256, SHA-384 and SHA-512) of hashing algorithms, ECDH, and elliptic curve DSA (ECDSA) over the NIST-standard prime curves P-256, P-384, and P-521. Binary curves, Koblitz curves, custom prime curves, and elliptic curve Menezes-Qu-Vanstone (ECMQV) are not supported by the Microsoft algorithm providers included with Windows Vista. Additional information on Suite B Cryptography can be found here.
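The following script is an added example, not code from the original article or from Microsoft. It exercises the Suite B algorithms listed above (SHA-256, ECDSA and ECDH over the P-256 and P-384 prime curves) and also illustrates the cryptographic agility described at the start of the article: the ECDSA routine takes the curve as a parameter, so switching from P-256 to P-384 changes one argument rather than the code. It drives CNG through the .NET wrapper classes (SHA256Cng, ECDsaCng, ECDiffieHellmanCng, CngKey) rather than the native BCrypt/NCrypt C API the article targets, and assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with .NET Framework 4.6.1 or later; the message bytes are a constructed sample.

```powershell
# Added example (not from the original article): Suite B algorithms via the
# .NET wrapper classes over CNG, not the native BCrypt/NCrypt C API.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (.NET 4.6.1+).
using namespace System.Security.Cryptography
using namespace System.Text

# Constructed sample message; any byte[] works here.
$message = [Encoding]::UTF8.GetBytes('CNG Suite B demo payload')

# --- SHA-2 hashing through the CNG hash provider ----------------------------
$sha256 = [SHA256Cng]::new()
$digest = $sha256.ComputeHash($message)
'SHA-256 ({0} bits): {1}' -f ($digest.Length * 8), ([BitConverter]::ToString($digest) -replace '-')
$sha256.Dispose()

# --- ECDSA sign/verify; the curve is a parameter (cryptographic agility) ----
function Invoke-EcdsaRoundTrip {
    param(
        [Parameter(Mandatory)][CngAlgorithm]$Curve,   # ECDsaP256, ECDsaP384, ...
        [Parameter(Mandatory)][byte[]]$Data
    )
    # Ephemeral key created by the CNG key storage provider; it is never persisted.
    $key   = [CngKey]::Create($Curve)
    $ecdsa = [ECDsaCng]::new($key)
    try {
        # Suite B pairs P-256 with SHA-256 and P-384 with SHA-384.
        $hash = if ($key.KeySize -ge 384) { [HashAlgorithmName]::SHA384 } else { [HashAlgorithmName]::SHA256 }
        $sig  = $ecdsa.SignData($Data, $hash)
        $ok   = $ecdsa.VerifyData($Data, $sig, $hash)

        # Flip one bit of the message: verification against the old signature must fail.
        $tampered = [byte[]]$Data.Clone()
        $tampered[0] = $tampered[0] -bxor 1
        $tamperedOk = $ecdsa.VerifyData($tampered, $sig, $hash)

        [pscustomobject]@{
            Curve          = $key.Algorithm.Algorithm   # e.g. "ECDSA_P256"
            KeyBits        = $key.KeySize
            SignatureBytes = $sig.Length                # r||s: 64 bytes for P-256, 96 for P-384
            Verified       = $ok
            TamperDetected = -not $tamperedOk
        }
    }
    finally {
        $ecdsa.Dispose()
        $key.Dispose()
    }
}

# Same code, two Suite B curves: only the CngAlgorithm argument changes.
Invoke-EcdsaRoundTrip -Curve ([CngAlgorithm]::ECDsaP256) -Data $message
Invoke-EcdsaRoundTrip -Curve ([CngAlgorithm]::ECDsaP384) -Data $message

# --- ECDH key agreement: both parties derive the same secret -----------------
$alice = [ECDiffieHellmanCng]::new([CngKey]::Create([CngAlgorithm]::ECDiffieHellmanP256))
$bob   = [ECDiffieHellmanCng]::new([CngKey]::Create([CngAlgorithm]::ECDiffieHellmanP256))
try {
    # Derive key material from the shared point with a SHA-256 KDF on both sides.
    foreach ($party in $alice, $bob) {
        $party.KeyDerivationFunction = [ECDiffieHellmanKeyDerivationFunction]::Hash
        $party.HashAlgorithm         = [CngAlgorithm]::Sha256
    }
    # Each side uses only the other side's public key.
    $aliceSecret = $alice.DeriveKeyMaterial($bob.PublicKey)
    $bobSecret   = $bob.DeriveKeyMaterial($alice.PublicKey)
    $agreed = [BitConverter]::ToString($aliceSecret) -eq [BitConverter]::ToString($bobSecret)
    'ECDH P-256 shared secret: {0} bytes, both sides agree: {1}' -f $aliceSecret.Length, $agreed
}
finally {
    $alice.Dispose()
    $bob.Dispose()
}
```

Run it in a Windows PowerShell session; the two ECDSA objects should report Verified = True and TamperDetected = True, with 64- and 96-byte signatures for P-256 and P-384 respectively, and the ECDH line should report a 32-byte secret that both sides agree on. Keys here are ephemeral; persisting a key in the CNG key storage provider (the long-term-key isolation the article mentions) would instead use the CngKey.Create overload that takes a key name and CngKeyCreationParameters.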
Legacy Support:
CNG provides support for the current set of algorithms in CryptoAPI 1.0. Every algorithm that is currently supported in CryptoAPI 1.0 will continue to be supported in CNG. A list of CNG Algorithm Identifiers can be found here.
For additional information on CNG please visit:
http://msdn.microsoft.com/en-us/library/bb204775.aspx
http://msdn.microsoft.com/en-us/library/aa376214.aspx
http://msdn.microsoft.com/en-us/library/aa376305.aspx