intermediate

CNG, Schannel & crypto plumbing

How Windows centralizes algorithms, keys, and TLS for services and applications.


Why it matters

LSASS, IIS, browsers, and VPN clients depend on CNG/BCrypt and Schannel rather than shipping their own crypto.

Mental model

CNG provides algorithm providers and key storage. Schannel plugs TLS into the Windows security stack for many services.

How it works

  1. Applications call CNG/BCrypt APIs for hashing, signing, and encryption.
  2. Keys may live in software stores or hardware (TPM).
  3. Schannel implements SSL/TLS for components that use the SSPI model.
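As an added example (not part of the original page), the PowerShell script below ties steps 2 and 3 together from a defender's side: it walks the machine personal certificate store that Schannel serves server certificates from and reports, for each certificate with a private key, which CNG key storage provider holds the key, whether it is machine-scoped, and whether its export policy allows extraction. The provider names "Microsoft Platform Crypto Provider" (TPM-backed) and "Microsoft Software Key Storage Provider" are standard Windows values; the classification labels and the output shape are this script's own choices, and the .NET helper calls assume RSA or ECDSA keys.

```powershell
# Added example: inventory private keys behind machine certificates and
# classify them by CNG key storage provider (TPM vs. software vs. legacy CAPI).
# Run elevated; reading machine key metadata needs local admin rights.

function Get-KeyStorageClass {
    param([string]$ProviderName)
    switch ($ProviderName) {
        'Microsoft Platform Crypto Provider'     { 'TPM-backed (hardware)' }
        'Microsoft Software Key Storage Provider' { 'software KSP' }
        $null                                     { 'no private key / unreadable' }
        default                                   { "other provider: $ProviderName" }
    }
}

$inventory = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $cngKey = $null
    $note   = $null
    if ($cert.HasPrivateKey) {
        try {
            # Resolve the private key via the CNG-aware .NET helpers; an RSACng or
            # ECDsaCng result exposes the underlying CngKey with its provider metadata.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or
                $key -is [System.Security.Cryptography.ECDsaCng]) {
                $cngKey = $key.Key
            } elseif ($key) {
                # Older CryptoAPI (CAPI) key, not managed by a CNG key storage provider.
                $note = 'legacy CAPI key'
            }
        } catch {
            $note = "unreadable: $($_.Exception.Message)"
        }
    }

    $providerName = if ($cngKey) { $cngKey.Provider.Provider } else { $null }
    $exportable   = if ($cngKey) {
        $cngKey.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
    } else { $null }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        KeyClass     = if ($note) { $note } else { Get-KeyStorageClass $providerName }
        MachineKey   = if ($cngKey) { $cngKey.IsMachineKey } else { $null }
        Exportable   = $exportable
    }
}

# Human-readable table, then a short summary of the riskiest category:
# exportable software keys can be copied off the host by anyone holding
# admin rights, whereas TPM-resident keys cannot leave the device.
$inventory | Sort-Object KeyClass, NotAfter | Format-Table -AutoSize

$softExportable = @($inventory | Where-Object { $_.KeyClass -eq 'software KSP' -and $_.Exportable })
"{0} certificate(s) total, {1} with exportable software-resident private keys." -f $inventory.Count, $softExportable.Count
```

Certificates whose keys sit in the TPM provider show up as non-exportable by construction; a server certificate that turns up as an exportable software key is the one to revisit first when deciding which Schannel-served endpoints deserve hardware-backed keys.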

Key terms

CNG
Cryptography Next Generation; modern Windows crypto API set.
Schannel
Security Support Provider implementing TLS for Windows components.

TLS to a domain controller

LDAPS connections (including the channel-binding tokens tied to them) and other Kerberos-adjacent traffic often terminate in Schannel and rely on the system trust stores for certificate validation.

Common misconception

An application that bundles its own OpenSSL does its TLS independently of the system Schannel stack; Schannel settings and trust stores do not govern it. Many Windows services, by contrast, use the built-in stack.
