One of the most important changes in CNG is the inclusion of user mode and kernel mode APIs. In prior versions of Windows, technologies such as Cryptographic API (CAPI) were user mode only, and kernel mode cryptography required a totally different set of APIs, such as the Microsoft Kernel Mode Cryptographic Module (Microsoft 2000). This is a big boon for developers who create user-mode and kernel-mode code because there is only one set of APIs to remember.
You’ll also notice that CNG has two distinct sets of functions names. The NCrypt* functions deal with key management, key persistence and key isolation, and some public key cryptographic operations (because private keys cannot leave the cryptographic boundary if your application wants key isolation). The BCrypt* functions are the low-level cryptographic primitives that run inprocess with your applications, and keys are not stored, they are ephemeral.