tags:

views:

157

answers:

1
+1  Q: 

openssl versus windows capi

Which is better to use openssl or windows capi for ecnryption issues what is the pro and con list for both. and if it possible to write my encryptor program on openssl and decrypt it with windows capi with no problem or there are some problem with this.

+3  A: 

For cryptographic purposes, I find it easier to think about key management first. Where keys are stored, how they are created, who uses them, and how they are to be securely destroyed. In my experience, key management is what constrains most the application structure.

CryptoAPI offers an API to access keys which are stored in arbitrary places, through a driver (a "CSP") registered in the operating system. OpenSSL may offer something similar with the help of OpenSC, but the driver shall then support the PKCS#11 API. Either way, the driver is some kind of DLL provided by whoever built the storage device (assuming that the key is stored and used in a hardware device).

If you want to be able to use keys stored in hardware devices (where the device may be a smartcard, a HSM,... anything which can do some crypto but will refuse to give the key itself) then you will have to go through either CryptoAPI or PKCS#11. CryptoAPI is, by nature, Windows-only, so PKCS#11 is the way to go if you want your code to potentially run on non-Windows systems (MacOS, Linux, Solaris...). If you go the PKCS#11 way, you may want to try NSS instead of OpenSSL. NSS is the library used in the Netscape-derived browser (e.g. Firefox). It is open-source.

On the other hand, if you target only Windows systems, then CryptoAPI eases distribution, since it is already there, no need for an extra DLL.

If you are ready to forfeit hardware, and want to use software-only cryptography, with keys held in RAM, then you will probably not want to use CryptoAPI, which is quite underpowered in the number of algorithms it implements and the variations it accepts (e.g. CryptoAPI insists on RSA public exponents to be smaller than 32 bits -- this is the normal case, but the limitation is still arbitrary and potentially irksome). There are many cryptographic libraries out there; apart from OpenSSL and NSS, you might want to investigate Crypto++, which is quite mature and supposedly C++-friendly.

Thomas Pornin  2010-03-12 13:26:04

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS