Microsoft Base Cryptographic Provider v1.0
No 3DES support. Communicates with the Smart Card Modules minidriver. Derivative of the Microsoft Enhanced Cryptographic Provider; supports all the same key lengths, but lacks a configurable salt length for the RC encryption algorithms.

The Enhanced Provider supports stronger security through longer keys and additional algorithms.

The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools.

These other volumes are used infrequently enough that they do not need to be visible to users. In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential.

When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions.

If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device.

BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are designed to work together to provide the following capabilities:

Hardware root of trust for measurement. A TPM allows software to send it commands that record measurements of software or configuration information. This information is calculated using a hash algorithm that transforms a large amount of data into a small, statistically unique hash value.

Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each measurement is sent to the TPM before the measured component runs, a component cannot erase or alter the measurements that preceded it; the registers are reset only when the system restarts. The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information.

Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements.

At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers (PCRs) that hold the measurements have specific values.

Key used only when boot measurements are accurate. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive.

Windows Boot Manager, which is stored unencrypted on the boot volume, needs the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system volume cannot be decrypted.

If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume.
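The measurement chain and the "key released only when the PCRs match" behaviour described above, as an added simulation that is not Microsoft's code and not a real TPM: the PCR extend rule (PCR_new = SHA-256(PCR_old || measurement)) is the real one, but sealing is modelled with HMAC/SHA-256 around a stand-in for the TPM's internal storage root key rather than a TPM's own object hierarchy. The boot components, their bytes, signers and PCR assignment (0 firmware, 1 boot configuration, 4 boot manager) are constructed for the example. It also goes beyond the paragraph by showing the servicing-friendly variant, measuring the signer of a component instead of its hash, which is the approach the Device Encryption discussion further down relies on.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Stand-in for a secret that never leaves the chip (a TPM's storage root key).
# Every boot of this device uses the same TPM, so it is module-wide (simulation).
DEVICE_SRK = os.urandom(32)


class TpmSim:
    """Platform Configuration Registers plus sealing bound to their values (simulation)."""

    def __init__(self, srk: bytes, num_pcrs: int = 8) -> None:
        self._srk = srk
        self.pcrs = [bytes(32)] * num_pcrs  # all zero at power-on

    def extend(self, index: int, measurement: bytes) -> bytes:
        # PCR_new = SHA-256(PCR_old || measurement). There is no write or reset
        # command, so a later component cannot undo an earlier measurement.
        self.pcrs[index] = sha256(self.pcrs[index] + measurement)
        return self.pcrs[index]

    def _wrap_key(self, indices) -> bytes:
        # Wrapping key depends on the chip secret and the selected PCR values:
        # different measurements give a different key, so unsealing fails.
        policy = sha256(b"".join(self.pcrs[i] for i in indices))
        return hmac.new(self._srk, policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, indices) -> dict:
        assert len(secret) <= 32  # one HMAC output of keystream is enough here
        wrap = self._wrap_key(indices)
        nonce = os.urandom(16)
        stream = hmac.new(wrap, nonce, hashlib.sha256).digest()[: len(secret)]
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(wrap, nonce + ct, hashlib.sha256).digest()
        return {"indices": tuple(indices), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        wrap = self._wrap_key(blob["indices"])
        tag = hmac.new(wrap, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("PCRs differ from sealing time; key not released")
        stream = hmac.new(wrap, blob["nonce"], hashlib.sha256).digest()[: len(blob["ct"])]
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


# Constructed boot chains (hypothetical PCR assignment and component bytes).
EXPECTED_CHAIN = [
    {"pcr": 0, "image": b"UEFI firmware 1.0", "signer": "OEM"},
    {"pcr": 1, "image": b"boot-device=internal-disk", "signer": "OEM"},
    {"pcr": 4, "image": b"bootmgfw.efi build 1", "signer": "Microsoft Windows"},
]
# Same firmware, but booted from a USB device into a different loader.
USB_CHAIN = [
    EXPECTED_CHAIN[0],
    {"pcr": 1, "image": b"boot-device=usb", "signer": "OEM"},
    {"pcr": 4, "image": b"grubx64.efi", "signer": "Other"},
]
# Normal boot after an update replaced the boot manager binary (same signer).
UPDATED_CHAIN = EXPECTED_CHAIN[:2] + [
    {"pcr": 4, "image": b"bootmgfw.efi build 2", "signer": "Microsoft Windows"},
]
SEALED_PCRS = (0, 1, 4)


def measure_by_hash(comp: dict) -> bytes:
    return sha256(comp["image"])


def measure_by_signer(comp: dict) -> bytes:
    # Measure who signed the component, not its exact bytes: a serviced
    # component from the same authority yields the same PCR value.
    return sha256(b"signer:" + comp["signer"].encode())


def boot(chain, measure=measure_by_hash) -> TpmSim:
    tpm = TpmSim(DEVICE_SRK)  # restart: PCRs back to zero, chain starts over
    for comp in chain:
        tpm.extend(comp["pcr"], measure(comp))  # measured before it runs
    return tpm


def provision(measure=measure_by_hash):
    """Enable BitLocker: seal the volume master key to today's boot measurements."""
    vmk = os.urandom(32)
    return vmk, boot(EXPECTED_CHAIN, measure).seal(vmk, SEALED_PCRS)


def try_unlock(chain, blob, measure=measure_by_hash):
    """Boot the chain and ask the TPM for the VMK; None means the recovery key is needed."""
    try:
        return boot(chain, measure).unseal(blob)
    except PermissionError:
        return None


def unlock_after_late_tamper(blob):
    """A correct boot cannot be rewound: one more extend changes PCR 4 for good."""
    tpm = boot(EXPECTED_CHAIN)
    tpm.extend(4, sha256(b"code loaded after bootmgr"))
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


if __name__ == "__main__":
    vmk, blob = provision()
    print("expected boot unlocks:", try_unlock(EXPECTED_CHAIN, blob) == vmk)
    print("USB boot unlocks:", try_unlock(USB_CHAIN, blob) is not None)
    vmk2, blob2 = provision(measure_by_signer)
    print("updated bootmgr, signer measurement:", try_unlock(UPDATED_CHAIN, blob2, measure_by_signer) == vmk2)
```

With hash-based measurement the updated boot manager fails to unlock exactly like a USB boot does, which is why a real deployment would fall back to the recovery key after such an update; measuring the signing authority instead keeps the PCR stable across servicing while a loader from a different signer still changes it.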

As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data.

Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device exposes attack vectors while the system sits at the logon screen with the volume key already in memory, for example through ports that allow direct memory access. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value (a PIN). The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value.

This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors.

The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process.

Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. If a customer signs in with a Microsoft account and the system meets the Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows.

The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.

For software measurements, Device Encryption relies on measurements of the authority that signed each software component (code signing by manufacturers such as OEMs or Microsoft) rather than on the precise hashes of the components themselves. This permits servicing of components without changing the resulting measurement values.

The key lengths shown are the default key lengths. The default length for the Base Provider is 40 bits.

The default length for the Enhanced Provider is longer, so the Enhanced Provider cannot create keys with Base Provider-compatible key lengths. However, the Enhanced Provider can import and use 40-bit keys generated using the Base Provider.
