CNG Key Isolation

The CNG Key Isolation (xxx) service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. It provides process isolation for private keys and for the cryptographic operations that use them, as required by the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC).

Common Criteria is an international standard (ISO/IEC 15408) for computer security. It is based on a framework in which computer system users can specify their security requirements, vendors can then implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. This provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner.

The CNG Key Isolation service stores and uses long-lived keys in a secure process that complies with Common Criteria requirements. To meet those requirements, long-lived keys must be isolated so that they are never present in the application process that uses them: the application holds only a handle to the key, and every operation that needs the private key material is carried out inside the isolation process. Cryptography Next Generation (CNG) currently supports storing asymmetric private keys by using the Microsoft software key storage provider (KSP), which is included in Windows Server 2008 R2 and Windows 7 and installed by default.

Key isolation is enabled by default in Windows Server 2008 R2 and Windows 7. Non-Microsoft KSPs are not loaded into the key isolation service (the Local Security Authority, or LSA, process); only the Microsoft KSP is loaded there, so third-party providers run in the calling application's process and do not get this isolation.

The LSA process is used as the key isolation process to maximize performance. All access to private keys goes through the key storage router, which exposes a comprehensive set of functions for managing and using private keys.

CNG stores the public portion of the stored key separately from the private portion. The private portion of a key pair is maintained in the key isolation service, and it is accessed by using lightweight remote procedure call (LRPC). The key storage router uses LRPC when calling into the key isolation process. All access to private keys goes through the key storage router, and it is audited by CNG.
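The following PowerShell script is an added example, not code from the page or from Microsoft; it exercises the behaviour described above through the .NET CNG wrappers. It creates a persisted, non-exportable RSA key in the Microsoft Software Key Storage Provider, signs with it (the private-key operation is performed by the isolation service, the script only ever holds a handle), shows that the public blob can be exported while the private blob cannot, and optionally looks for the CNG audit record. The key name KeyIsoDemo and the sample message are constructed for the example; reading the Security log and enabling the "Other System Events" audit subcategory require an elevated session.

```powershell
# Added example (not from the page). Assumes Windows with the Microsoft Software KSP,
# Windows PowerShell 5.1 or PowerShell 7 on Windows. Key name and message are constructed.
using namespace System.Security.Cryptography

$keyName = 'KeyIsoDemo'   # arbitrary, per-user persisted key name (assumption)

# Key creation parameters: software KSP, signing use, private key never exportable.
$params = [CngKeyCreationParameters]::new()
$params.Provider           = [CngProvider]::MicrosoftSoftwareKeyStorageProvider
$params.ExportPolicy       = [CngExportPolicies]::None
$params.KeyUsages          = [CngKeyUsages]::Signing
$params.KeyCreationOptions = [CngKeyCreationOptions]::None   # use MachineKey for a machine-wide key
$params.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes([int]2048), [CngPropertyOptions]::None))

# Start clean if a previous run left the key behind.
if ([CngKey]::Exists($keyName)) { [CngKey]::Open($keyName).Delete() }

$key = [CngKey]::Create([CngAlgorithm]::Rsa, $keyName, $params)
"Created '$($key.KeyName)' in provider '$($key.Provider.Provider)'; key file: $($key.UniqueName)"

# Sign and verify. SignData needs the private key, so the work happens in the isolation service;
# VerifyData only needs the public half.
$rsa  = [RSACng]::new($key)
$data = [Text.Encoding]::UTF8.GetBytes('constructed sample message')
$sig  = $rsa.SignData($data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$ok   = $rsa.VerifyData($data, $sig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
"Signature: $($sig.Length) bytes, verifies: $ok"

# The public portion is always exportable.
$pub = $key.Export([CngKeyBlobFormat]::GenericPublicBlob)
"Public blob exported: $($pub.Length) bytes"

# The private portion is not: the KSP enforces the export policy and refuses the request.
try {
    $null = $key.Export([CngKeyBlobFormat]::GenericPrivateBlob)
    Write-Warning 'Private key was exported; export policy was not enforced.'
} catch {
    "Private export refused as expected: $($_.Exception.GetBaseException().Message)"
}

# Optional: CNG audits private-key operations to the Security log as event 5061 when the
# "Other System Events" subcategory is enabled (auditpol /set /subcategory:"Other System Events" /success:enable).
# Requires an elevated session to read the Security log; silently skipped otherwise.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5061 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($keyName) } |
    Select-Object -First 3 TimeCreated, Id, @{ n = 'Operation'; e = { ($_.Message -split "`n")[0].Trim() } }

# Clean up the persisted key.
$rsa.Dispose()
$key.Delete()
```

The point to take away is the asymmetry in the export attempts: a non-exportable key created through the software KSP can be used for as long as the handle is open, but the private material is never handed back to the calling process, which is exactly the Common Criteria property the service exists to provide. A third-party KSP would not be loaded into LSA, so the same script against another provider would only be as isolated as that provider makes it.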

This service is installed by default and its startup type is Manual.

When the CNG Key Isolation service is started in its default configuration, it logs on by using the Local System account.

The CNG Key Isolation service is dependent upon the following system components:

  • Remote Procedure Call (RPC)
  • DCOM Server Process Launcher
  • RPC Endpoint Mapper

The following components are dependent upon the CNG Key Isolation service:

  • Extensible Authentication Protocol
  • Wired AutoConfig
  • WLAN AutoConfig
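To verify the service configuration and dependencies listed above on a running system, the following PowerShell script is an added example, not part of the page. It assumes the service's short name is KeyIso (the page leaves the name as a placeholder) and checks that the service is installed, hosted in lsass.exe, running as LocalSystem, and that its required and dependent services match the lists above; any mismatch is reported as a warning rather than silently accepted, since a service entry pointing at a different image or account is a tampering indicator.

```powershell
# Added example (not from the page). Assumes the service short name KeyIso.
$name = 'KeyIso'

$svc = Get-Service -Name $name -ErrorAction Stop
$svc | Select-Object Name, DisplayName, Status, StartType   # expected: Manual

# Win32_Service exposes the host image and the logon account.
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
$cim | Select-Object PathName, StartName, ServiceType, ProcessId

if ($cim.PathName -notmatch '(?i)\\lsass\.exe') {
    Write-Warning "$name is not hosted in lsass.exe: $($cim.PathName)"
}
if ($cim.StartName -ne 'LocalSystem') {
    Write-Warning "$name does not log on as LocalSystem: $($cim.StartName)"
}

# With a Manual start type the service may be stopped (ProcessId 0); it starts on demand.
if ($svc.Status -ne 'Running') { Start-Service -Name $name; $svc.Refresh() }
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
$host = Get-Process -Id $cim.ProcessId
"Key isolation runs inside PID $($host.Id) ($($host.ProcessName))"   # expected: lsass

# Dependencies as recorded in the SCM, compared with the lists on the page.
$expectedRequired  = @('RpcSs', 'DcomLaunch', 'RpcEptMapper')    # RPC, DCOM Server Process Launcher, RPC Endpoint Mapper
$expectedDependent = @('EapHost', 'dot3svc', 'WlanSvc')          # EAP, Wired AutoConfig, WLAN AutoConfig

$required  = @($svc.RequiredServices  | Select-Object -ExpandProperty Name)
$dependent = @($svc.DependentServices | Select-Object -ExpandProperty Name)
"Required:  $($required -join ', ')"
"Dependent: $($dependent -join ', ')"

foreach ($r in $expectedRequired) {
    if ($required -notcontains $r) { Write-Warning "Expected required service missing: $r" }
}
foreach ($d in $expectedDependent) {
    if ($dependent -notcontains $d) { Write-Warning "Expected dependent service not registered: $d (feature may not be installed)" }
}

# The same facts from the registry, useful when the SCM is not trusted (e.g. during forensics).
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" |
    Select-Object ImagePath, ObjectName, Start, DependOnService   # Start 3 = Manual
```

The short names for the dependency services (RpcSs, DcomLaunch, RpcEptMapper, EapHost, dot3svc, WlanSvc) are the standard Windows service names for the display names the page lists; on a server without the wireless or wired 802.1X features installed, the dependent-service warnings are expected rather than a fault.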
