microsoft/SymCrypt

Ask some project information

helloobaby opened this issue · 1 comment

What is the difference between the algorithms in this project and the algorithms in bcrypt.dll (user mode) and ksecdd.sys (kernel mode)? (I guess it has better performance and more algorithms?)

Hi @helloobaby, SymCrypt is the low-level library that provides crypto implementations for other Windows components such as BCrypt, CNG and ksecdd. In other words, those components are built on top of SymCrypt. The primary differences are:

  • SymCrypt is now cross-platform, whereas the other components you mentioned are exclusive to Windows.
  • BCrypt and CNG offer extensibility (the ability to add additional algorithm providers) that SymCrypt does not.
  • API surface: SymCrypt is a low-level crypto library with an emphasis on performance, which means that some of the APIs are not as developer-friendly as their high-level counterparts. The details of the specific cryptographic algorithms are less abstracted compared to higher-level interfaces like BCrypt. We do aim to minimize the overhead of the higher-level APIs, though, so generally there should not be a significant performance difference except in highly specialized use-cases.
  • Additionally, while SymCrypt implements a variety of runtime algorithm self-tests and consistency tests on keys, as required by FIPS 140-3, it does not do as much input validation as some of the higher-level APIs; in some cases, the SymCrypt APIs are "garbage in, garbage out." The SymCrypt.h header file documents the assumptions of and appropriate calling patterns for SymCrypt APIs.
  • We generally do try to expose all of the algorithms that SymCrypt supports via the higher-level APIs as well. There are some exceptions, however, such as the IEEE 802.11 SAE implementations.

If your application is targeting Windows exclusively, generally we would still recommend using BCrypt or CNG for ease of use, and for the convenience of having those shared libraries automatically serviced by Windows Update, meaning you don't have to worry about servicing the crypto code yourself. If you're working on an embedded or cross-platform application, then SymCrypt may be a good choice; in that case, you might also be interested in SCOSSL, which is our OpenSSL engine that allows the use of SymCrypt via OpenSSL APIs.

Hope that helps - let us know if you have additional questions.