Cryptographic Service Provider Modules

Cryptographic Service Providers (CSPs) are modules equipped to perform cryptographic operations and to securely store private keys. A CSP may implement one or more of these cryptographic functions:

  • Bulk encryption algorithm
  • Digital signature algorithm
  • Cryptographic hash algorithm
  • Unique identification number
  • Random number generator
  • Secure key storage
  • Custom facilities unique to the CSP

A CSP may be implemented in software, hardware, or both. Typically, CSPs provide encrypted storage for private keys and variables. CSPs must also deliver key management services, including key escrow where it is supported. At a minimum, a CSP must support importing, exporting, and generating keys, and it must never reveal key material except in wrapped form. The key generation module of a CSP should be made tamper-resistant.

Because the CSP holds private keys and variables in secured storage, it is also responsible for controlling access to them. Applications may query the CSP to retrieve private keys stored within it, and the CSP (or the CSP's adaptation layer) invokes a callback function implemented by the requester to obtain the identity and authorization of the user or process requesting the private key before releasing it. Most CSPs are capable of importing private keys created by other CSPs and providing secured storage for such keys.
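As an added example (not code from the original page or from any particular CSP implementation), the following Go sketch models the two rules above: a requester-supplied callback gates every release of a private key, and key material only ever leaves the module wrapped under a requester-supplied key-encryption key. The names CSP, ImportKey, ExportKey, UnwrapKey and AuthCallback are hypothetical, and AES-GCM with the key label as associated data stands in for whatever wrapping scheme a real CSP uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AuthCallback, implemented by the requester, returns the caller's identity and whether it is authorized.
type AuthCallback func(label string) (identity string, authorized bool)
// CSP is a constructed stand-in for a provider's key store (label -> private key material).
type CSP struct{ keys map[string][]byte }
// ImportKey accepts key material generated elsewhere into the store.
func (c *CSP) ImportKey(label string, raw []byte) { c.keys[label] = raw }
func gcmFor(kek []byte) (cipher.AEAD, error) { // AES-GCM under a 16-, 24- or 32-byte key-encryption key
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ExportKey is the only path by which material leaves the module: the requester's
// callback must authorize the label, and the key goes out wrapped under kek with the label as AAD.
func (c *CSP) ExportKey(label string, kek []byte, cb AuthCallback) ([]byte, error) {
	raw, ok := c.keys[label]
	id, authorized := cb(label)
	if !ok || !authorized {
		return nil, fmt.Errorf("export of %q refused for %q", label, id)
	}
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, raw, []byte(label)), nil // nonce || ciphertext || tag
}

// UnwrapKey is what a peer CSP runs when importing an exported key.
func UnwrapKey(kek, blob []byte, label string) ([]byte, error) {
	gcm, err := gcmFor(kek)
	if err != nil || len(blob) < gcm.NonceSize() { // || short-circuits when gcm is nil
		return nil, fmt.Errorf("cannot unwrap %q", label)
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}
```

A wrapped blob unwraps only under the same key-encryption key and the same label, so a key exported for one purpose cannot be silently re-imported under another.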