Because NT is an application platform, it gives applications access to a full range of security services through two application programming interfaces: the Cryptographic Application Programming Interface (CryptoAPI) and the Security Support Provider Interface (SSPI).

CryptoAPI provides a standardized way to invoke security services such as certificate generation, digital signatures, and data encryption and decryption, regardless of the provider. Microsoft shipped the latest version of CryptoAPI (version 2) in July 1997, and it's available for NT 4.0. The security services themselves come from Cryptographic Service Providers (CSPs), which operate through a separately defined interface, the Service Provider Interface (SPI). Separating the API from the SPI allows applications to use different service implementations without any modifications. For example, an application can invoke Data Encryption Standard (DES) data encryption through CryptoAPI and obtain the services of either a software encryption module or a hardware accelerator. (We describe several CSP products later in this report.)

While applications can use CryptoAPI to invoke detailed security services, they can also use SSPI, a higher-level interface, to invoke more generalized security services without getting involved in the mechanics of those services. For example, an application can ask SSPI to create a signature without having to specify the individual steps of generating, encrypting, and packaging message hashes, as would be necessary with CryptoAPI. But like CryptoAPI, SSPI shields the calling application from the implementation details of the provider. Figure 7 shows the relationship between SSPI and CryptoAPI.