Beginning in Windows 10, CNG (Cryptography API: Next Generation) provides pre-defined algorithm handles for cryptographic operations. These algorithm handles simplify development by eliminating the need to manually create handles for common cryptographic algorithms including hash functions, encryption algorithms, digital signatures, and key derivation functions.
Hash and Message Authentication Code (MAC) algorithms
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_MD2_ALG_HANDLE 0x00000001 | A handle for the MD2 hash algorithm. | RFC 1319 |
| BCRYPT_MD4_ALG_HANDLE 0x00000011 | A handle for the MD4 hash algorithm. | RFC 1320 |
| BCRYPT_MD5_ALG_HANDLE 0x00000021 | A handle for the MD5 hash algorithm. | RFC 1321 |
| BCRYPT_SHA1_ALG_HANDLE 0x00000031 | A handle for the 160-bit secure hash algorithm. | FIPS 180-4 |
| BCRYPT_SHA256_ALG_HANDLE 0x00000041 | A handle for the 256-bit secure hash algorithm. | FIPS 180-4 |
| BCRYPT_SHA384_ALG_HANDLE 0x00000051 | A handle for the 384-bit secure hash algorithm. | FIPS 180-4 |
| BCRYPT_SHA512_ALG_HANDLE 0x00000061 | A handle for the 512-bit secure hash algorithm. | FIPS 180-4 |
| BCRYPT_HMAC_SHA1_ALG_HANDLE 0x000000A1 | A handle for the hash-based message authentication code using the 160-bit secure hash algorithm. | FIPS 180-4, FIPS 198-1 |
| BCRYPT_HMAC_SHA256_ALG_HANDLE 0x000000B1 | A handle for the hash-based message authentication code using the 256-bit secure hash algorithm. | FIPS 180-4, FIPS 198-1 |
| BCRYPT_HMAC_SHA384_ALG_HANDLE 0x000000C1 | A handle for the hash-based message authentication code using the 384-bit secure hash algorithm. | FIPS 180-4, FIPS 198-1 |
| BCRYPT_HMAC_SHA512_ALG_HANDLE 0x000000D1 | A handle for the hash-based message authentication code using the 512-bit secure hash algorithm. | FIPS 180-4, FIPS 198-1 |
| BCRYPT_HMAC_MD2_ALG_HANDLE 0x00000121 | A handle for the hash-based message authentication code using the MD2 hash algorithm. | RFC 1319, RFC 2104 |
| BCRYPT_HMAC_MD4_ALG_HANDLE 0x00000131 | A handle for the hash-based message authentication code using the MD4 hash algorithm. | RFC 1320, RFC 2104 |
| BCRYPT_HMAC_MD5_ALG_HANDLE 0x00000091 | A handle for the hash-based message authentication code using the MD5 hash algorithm. | RFC 1321, RFC 2104 |
| Available in Windows 11, version 23H2 | | |
| BCRYPT_SHA3_256_ALG_HANDLE 0x000003B1 | A handle for the SHA3 256-bit secure hash algorithm. | FIPS 202 |
| BCRYPT_SHA3_384_ALG_HANDLE 0x000003C1 | A handle for the SHA3 384-bit secure hash algorithm. | FIPS 202 |
| BCRYPT_SHA3_512_ALG_HANDLE 0x000003D1 | A handle for the SHA3 512-bit secure hash algorithm. | FIPS 202 |
| BCRYPT_HMAC_SHA3_256_ALG_HANDLE 0x000003E1 | A handle for the hash-based message authentication code using the SHA3 256-bit secure hash algorithm. | FIPS 202, FIPS 198-1 |
| BCRYPT_HMAC_SHA3_384_ALG_HANDLE 0x000003F1 | A handle for the hash-based message authentication code using the SHA3 384-bit secure hash algorithm. | FIPS 202, FIPS 198-1 |
| BCRYPT_HMAC_SHA3_512_ALG_HANDLE 0x00000401 | A handle for the hash-based message authentication code using the SHA3 512-bit secure hash algorithm. | FIPS 202, FIPS 198-1 |
| BCRYPT_CSHAKE128_ALG_HANDLE 0x00000411 | A handle for the SHA3 derived cSHAKE 128-bit XOF (extendable-output function) hash algorithm. | SP 800-185 |
| BCRYPT_CSHAKE256_ALG_HANDLE 0x00000421 | A handle for the SHA3 derived cSHAKE 256-bit XOF (extendable-output function) hash algorithm. | SP 800-185 |
| BCRYPT_KMAC128_ALG_HANDLE 0x00000431 | A handle for the SHA3 derived Keccak message authentication code (KMAC) built on cSHAKE128. | SP 800-185 |
| BCRYPT_KMAC256_ALG_HANDLE 0x00000441 | A handle for the SHA3 derived Keccak message authentication code (KMAC) built on cSHAKE256. | SP 800-185 |
PQ digital signature algorithms
Note
The PQDSA handles in this section relate to a prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The feature described in this section is available in pre-release versions of the Windows Insider Preview.
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_LMS_ALG_HANDLE | A handle to the Leighton-Micali Hash-Based Signature (LMS) algorithm. | RFC 8554 |
| BCRYPT_MLDSA_ALG_HANDLE | A handle to the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). | FIPS 204 |
| BCRYPT_SLHDSA_ALG_HANDLE | A handle to the Stateless Hash-based Digital Signature Algorithm (SLH-DSA). | FIPS 205 |
| BCRYPT_XMSS_ALG_HANDLE | A handle to the eXtended Merkle Signature Scheme (XMSS) stateful hash-based algorithm. | RFC 8391 |
Stream cipher algorithms
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_RC4_ALG_HANDLE 0x00000071 | A handle for the RC4 stream cipher algorithm. | Various |
Random number generator algorithms
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_RNG_ALG_HANDLE 0x00000081 | A handle to the random-number generator algorithm. | Starting with Windows 10: The RNG algorithm used is AES CTR_DRBG, defined in SP 800-90A. |
Key derivation function (KDF) algorithms
| Constant | Description |
|---|---|
| BCRYPT_CAPI_KDF_ALG_HANDLE 0x00000321 | A handle to the Crypto API (CAPI) key derivation function algorithm. Used by the BCryptKeyDerivation and NCryptKeyDerivation functions. |
| BCRYPT_PBKDF2_ALG_HANDLE 0x00000331 | A handle to the Password-based key derivation function 2 (PBKDF2) algorithm. Used by the BCryptKeyDerivation and NCryptKeyDerivation functions. |
| BCRYPT_SP800108_CTR_HMAC_ALG_HANDLE 0x00000341 | A handle to the Counter mode, hash-based message authentication code (HMAC) key derivation function algorithm. Used by the BCryptKeyDerivation and NCryptKeyDerivation functions. |
| BCRYPT_SP80056A_CONCAT_ALG_HANDLE 0x00000351 | A handle to the SP800-56A key derivation function algorithm. Used by the BCryptKeyDerivation and NCryptKeyDerivation functions. |
| BCRYPT_HKDF_ALG_HANDLE 0x00000391 | A handle to the HMAC-based Extract-and-Expand key derivation function. Used by the BCryptKeyDerivation and NCryptKeyDerivation functions. |
Key encapsulation mechanism (KEM) algorithms
Note
The ML-KEM handles in this section relate to a prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The feature described in this section is available in pre-release versions of the Windows Insider Preview.
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_MLKEM_ALG_HANDLE | A handle to the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) algorithm. | FIPS 203 |
Asymmetric algorithms
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_DH_ALG_HANDLE 0x00000281 | A handle to the Diffie-Hellman key exchange algorithm. | PKCS #3 |
| BCRYPT_DSA_ALG_HANDLE 0x000002D1 | A handle to the Digital Signature Algorithm (DSA) digital signature algorithm. | FIPS 186-2. Beginning with Windows 8: This algorithm supports FIPS 186-3. Keys less than or equal to 1024 bits adhere to FIPS 186-2 and keys greater than 1024 to FIPS 186-3. |
| BCRYPT_ECDH_ALG_HANDLE 0x00000291 | A handle to the generic prime elliptic curve Diffie-Hellman key exchange algorithm. | SP 800-56A |
| BCRYPT_ECDH_P256_ALG_HANDLE 0x000002A1 | A handle to the 256-bit prime elliptic curve Diffie-Hellman key exchange algorithm. | SP 800-56A |
| BCRYPT_ECDH_P384_ALG_HANDLE 0x000002B1 | A handle to the 384-bit prime elliptic curve Diffie-Hellman key exchange algorithm. | SP 800-56A |
| BCRYPT_ECDH_P521_ALG_HANDLE 0x000002C1 | A handle to the 521-bit prime elliptic curve Diffie-Hellman key exchange algorithm. | SP 800-56A |
| BCRYPT_ECDSA_ALG_HANDLE 0x000000F1 | A handle to the generic prime elliptic curve digital signature algorithm. | ANSI X9.62 |
| BCRYPT_ECDSA_P256_ALG_HANDLE 0x000002E1 | A handle to the 256-bit prime elliptic curve digital signature algorithm. | FIPS 186-2, X9.62 |
| BCRYPT_ECDSA_P384_ALG_HANDLE 0x000002F1 | A handle to the 384-bit prime elliptic curve digital signature algorithm. | FIPS 186-2, X9.62 |
| BCRYPT_ECDSA_P521_ALG_HANDLE 0x00000301 | A handle to the 521-bit prime elliptic curve digital signature algorithm. | FIPS 186-2, X9.62 |
| BCRYPT_RSA_ALG_HANDLE 0x000000E1 | A handle to the RSA public key algorithm. | PKCS #1 v1.5 and v2.0 |
| BCRYPT_RSA_SIGN_ALG_HANDLE 0x00000311 | A handle to the RSA signature algorithm. This algorithm is not currently supported. You can use the BCRYPT_RSA_ALG_HANDLE algorithm to perform RSA signing operations. | PKCS #1 v1.5 and v2.0 |
Block cipher and cipher-based message authentication code algorithms
| Constant | Description | Standards |
|---|---|---|
| BCRYPT_AES_CMAC_ALG_HANDLE 0x00000101 | A handle for the Advanced Encryption Standard (AES) cipher based message authentication code (CMAC) symmetric encryption algorithm. | SP 800-38B |
| BCRYPT_AES_GMAC_ALG_HANDLE 0x00000111 | A handle for the Advanced Encryption Standard (AES) Galois message authentication code (GMAC) symmetric encryption algorithm. | SP 800-38D |
| BCRYPT_3DES_CBC_ALG_HANDLE 0x00000141 | A handle for the triple Data Encryption Standard algorithm using Cipher Block Chaining mode (CBC). | SP 800-67, SP 800-38A |
| BCRYPT_3DES_ECB_ALG_HANDLE 0x00000151 | A handle for the triple Data Encryption Standard algorithm using Electronic Codebook mode (ECB). | SP 800-67, SP 800-38A |
| BCRYPT_3DES_CFB_ALG_HANDLE 0x00000161 | A handle for the triple Data Encryption Standard algorithm using Cipher Feedback mode (CFB). | SP 800-67, SP 800-38A |
| BCRYPT_3DES_112_CBC_ALG_HANDLE 0x00000171 | A handle for the 112-bit triple Data Encryption Standard algorithm using Cipher Block Chaining mode (CBC). | SP 800-67, SP 800-38A |
| BCRYPT_3DES_112_ECB_ALG_HANDLE 0x00000181 | A handle for the 112-bit triple Data Encryption Standard algorithm using Electronic Codebook mode (ECB). | SP 800-67, SP 800-38A |
| BCRYPT_3DES_112_CFB_ALG_HANDLE 0x00000191 | A handle for the 112-bit triple Data Encryption Standard algorithm using Cipher Feedback mode (CFB). | SP 800-67, SP 800-38A |
| BCRYPT_AES_CBC_ALG_HANDLE 0x000001A1 | A handle for the Advanced Encryption Standard (AES) algorithm using Cipher Block Chaining Mode (CBC). | FIPS 197 |
| BCRYPT_AES_ECB_ALG_HANDLE 0x000001B1 | A handle for the Advanced Encryption Standard (AES) algorithm using Electronic Codebook Mode (ECB). | FIPS 197 |
| BCRYPT_AES_CFB_ALG_HANDLE 0x000001C1 | A handle for the Advanced Encryption Standard (AES) algorithm using Cipher Feedback Mode (CFB). | FIPS 197 |
| BCRYPT_AES_CCM_ALG_HANDLE 0x000001D1 | A handle for the Advanced Encryption Standard (AES) algorithm using Counter with CBC-MAC Mode (CCM). | FIPS 197 |
| BCRYPT_AES_GCM_ALG_HANDLE 0x000001E1 | A handle for the Advanced Encryption Standard (AES) algorithm using Galois Counter Mode (GCM). | FIPS 197 |
| BCRYPT_DES_CBC_ALG_HANDLE 0x000001F1 | A handle for the Data Encryption Standard (DES) algorithm using Cipher Block Chaining Mode (CBC). | FIPS 46-3, FIPS 81 |
| BCRYPT_DES_ECB_ALG_HANDLE 0x00000201 | A handle for the Data Encryption Standard (DES) algorithm using Electronic Codebook Mode (ECB). | FIPS 46-3, FIPS 81 |
| BCRYPT_DES_CFB_ALG_HANDLE 0x00000211 | A handle for the Data Encryption Standard (DES) algorithm using Cipher Feedback Mode (CFB). | FIPS 46-3, FIPS 81 |
Remarks
You can use these handles in any situation that requires an algorithm handle. However, any call to BCryptSetProperty fails as the algorithm handle is shared and cannot be modified. In addition, these handles cannot be used at IRQL=DISPATCH in kernel mode.