openssl versus windows capi

Which is better to use, OpenSSL or Windows CAPI, for encryption issues? What is the pro and con list for both? And is it possible to write my encryptor program on OpenSSL and decrypt it with Windows CAPI with no problem, or are there some problems with this?

Bedlam answered 12/3, 2010 at 10:28

For cryptographic purposes, I find it easier to think about key management first: where keys are stored, how they are created, who uses them, and how they are to be securely destroyed. In my experience, key management is what most constrains the application structure.

CryptoAPI offers an API to access keys which are stored in arbitrary places, through a driver (a "CSP") registered in the operating system. OpenSSL may offer something similar with the help of OpenSC, but the driver shall then support the PKCS#11 API. Either way, the driver is some kind of DLL provided by whoever built the storage device (assuming that the key is stored and used in a hardware device).

If you want to be able to use keys stored in hardware devices (where the device may be a smartcard, an HSM, ... anything which can do some crypto but will refuse to give the key itself) then you will have to go through either CryptoAPI or PKCS#11. CryptoAPI is, by nature, Windows-only, so PKCS#11 is the way to go if you want your code to potentially run on non-Windows systems (MacOS, Linux, Solaris...). If you go the PKCS#11 way, you may want to try NSS instead of OpenSSL. NSS is the library used in the Netscape-derived browsers (e.g. Firefox). It is open-source.

On the other hand, if you target only Windows systems, then CryptoAPI eases distribution, since it is already there, no need for an extra DLL.

If you are ready to forfeit hardware, and want to use software-only cryptography, with keys held in RAM, then you will probably not want to use CryptoAPI, which is quite underpowered in the number of algorithms it implements and the variations it accepts (e.g. CryptoAPI insists on RSA public exponents to be smaller than 32 bits -- this is the normal case, but the limitation is still arbitrary and potentially irksome). There are many cryptographic libraries out there; apart from OpenSSL and NSS, you might want to investigate Crypto++, which is quite mature and supposedly C++-friendly.

Linkous answered 12/3, 2010 at 13:26 Comment(2)
I've been struggling to make OpenSSL on Windows work with an HSM for weeks now and I must say, your one simple answer here cleared the whole picture for me! You my friend, really know how to provide clear and relevant information. Thank you! Off I go now, trying the PKCS#11 way, possibly cross-platform now! - Blount

CNG should be used instead - Enviable
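
The 32-bit exponent limit mentioned in the answer, and the interoperability question, both show up in the legacy CryptoAPI `PUBLICKEYBLOB` layout. The following is an added example, not part of the original answer: it converts a PKCS#1 `RSAPublicKey` (a DER format OpenSSL can write) into that blob, reversing the modulus to little-endian and rejecting exponents that do not fit the 32-bit `pubexp` field. Function names are hypothetical and the sample key is a constructed toy value.

```python
import struct

# Constants from wincrypt.h (legacy CryptoAPI).
PUBLICKEYBLOB, CUR_BLOB_VERSION = 0x06, 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # reads as ASCII "RSA1" when stored little-endian

# Constructed sample, NOT a real key: DER RSAPublicKey, 64-bit toy modulus, e = 65537.
SAMPLE_DER = bytes.fromhex("3010020900d1b2a3c4e5f607890203010001")

def read_tlv(buf, off, tag):
    """Read one DER element with the expected tag; return (value, next_offset)."""
    if off + 2 > len(buf) or buf[off] != tag:
        raise ValueError("unexpected or missing DER tag")
    length, off = buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or off + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[off:off + length], off + length

def parse_rsa_public_key(der):
    """Return (n, e) from a PKCS#1 RSAPublicKey (SEQUENCE of two INTEGERs)."""
    seq, _ = read_tlv(der, 0, 0x30)
    n_bytes, off = read_tlv(seq, 0, 0x02)
    e_bytes, _ = read_tlv(seq, off, 0x02)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def to_capi_public_blob(n, e):
    """Build BLOBHEADER + RSAPUBKEY + little-endian modulus."""
    if e >= 1 << 32:
        # RSAPUBKEY.pubexp is a DWORD, so larger exponents cannot be represented.
        raise ValueError("public exponent does not fit CryptoAPI's 32-bit field")
    bitlen = n.bit_length()
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, e)
    # DER integers are big-endian; CryptoAPI stores the modulus little-endian.
    return header + rsapubkey + n.to_bytes((bitlen + 7) // 8, "little")

if __name__ == "__main__":
    print(to_capi_public_blob(*parse_rsa_public_key(SAMPLE_DER)).hex())
```
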
