New Cryptography - Microsoft

Nov 21, 2013

Difficulty: 200

New Cryptography

Rafal Lukawiecki
Strategic Consultant
rafal@projectbotticelli.co.uk
Project Botticelli Ltd

This presentation is based on work from MSDN.

Slide 2: Objectives

- Explain the status and some of the problems of today's cryptography
- Discuss solutions for the problems
- Introduce the new APIs for using newer forms of cryptography

Slide 3: Agenda

- Cryptography of Present
- Cryptography of Tomorrow
- Cryptography in Windows Vista and Longhorn

Slide 12: Cryptography of Present

Slide 13: Today's Recommendation

- At present (June 2006), consider using the following cryptographic mechanisms available in Windows in preference to others:
  - AES-128 (or AES-192, or AES-256)
  - RSA 2048 (or longer)
  - "SHA-2" (i.e. SHA-256 or SHA-512)
  - DSA (or SHA-2/RSA signatures)

Slide 14: DES, IDEA, RC2, RC5, Twofish (Not Recommended)

- Symmetric
- DES (Data Encryption Standard) is popular
  - DO NOT USE DES!
  - Keys very short: 56 bits
  - A brute-force attack took 3.5 hours on a machine costing US$1m in 1993. Today it is done in real time
  - Triple DES (3DES) is more secure, but better options exist
- IDEA (International Data Encryption Standard)
  - Deceptively similar to DES, and "not" from the NSA
  - 128-bit keys, OK but we have better ones
- RC2 & RC5 (by R. Rivest)
  - RC2 is older and RC5 newer (1994); similar to DES and IDEA
- Blowfish, Twofish
  - OK, but not a standard
  - B. Schneier's replacement for DES, followed by Twofish, one of the NIST competition finalists

Slide 15: Rijndael (AES) (Recommended)

- Current US standard
- Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and Technology in the US) in 1997-2000
- Comes from Europe (Belgium), by Joan Daemen and Vincent Rijmen. "X-Files" stories less likely (unlike DES).
- Symmetric block cipher (128, 192 or 256 bits) with variable keys (128, 192 or 256 bits, too)
- Fast and has a lot of good properties, such as good immunity from timing and power (electric) analysis
- Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but really different

Slide 16: CAST and GOST (Not used widely anymore; avoid)

- CAST
  - Canadians Carlisle Adams & Stafford Tavares
  - 64-bit key and 64 bits of data
  - Choose your S-boxes
  - Seems resistant to differential & linear cryptanalysis and the only way to break it is brute force (but the key is a bit short!)
- GOST
  - Soviet Union's "version" of DES but with a clearer design and many more repetitions of the process
  - 256-bit key but really 610 bits of secret, so pretty much "tank quality"
  - Backdoor? Who knows...

Slide 17: Rely on Cryptosystems

- Indeed: never use just an algorithm, but an entire cryptosystem
- For example:
  - If you use DES etc. in a simple "loop" to encrypt a stream of data you literally lose all security
  - Instead: use a technique designed for adapting an algorithm to streams of data, such as CBC (Cipher Block Chaining)
- Microsoft never implements just an algorithm; always a complete cryptosystem, e.g. RSA-OAEP etc.
- Do it just by using built-in cryptographic systems, such as the various Microsoft CSPs etc.

Slide 18: Dangerous Implementations

- Cryptographic applications from not-well-known sources
- "Just downloaded libraries" used by your in-house developers
- Insist on using built-in systems where possible:
  - Microsoft OS: CAPI, CAPICOM, MS CSP etc.
  - Smartcards: certified CSPs
  - Elsewhere: FIPS-140-2 compliant implementations
  - See csrc.nist.gov/cryptval

Slide 19: RC4 (Generally Not Recommended)

- Symmetric
- Fast, streaming encryption
- R. Rivest in 1994
- Originally secret, but "published" on sci.crypt
- Related to the "one-time pad", theoretically the most secure
- But!
  - It relies on a really good random number generator
  - And that is the problem
- Nowadays, we tend to use block ciphers in modes of operation that work for streams

Slide 20: RSA, DSA, ElGamal

- Asymmetric
  - Slow and computationally expensive; need a computer
  - Security increasingly being questioned
- RSA (Rivest, Shamir, Adleman, 1978)
  - Popular and well researched
  - Strength lies in today's inefficiency at factorising into prime numbers
  - Some worries about the key generation process in some implementations
- DSA (Digital Signature Algorithm)
  - Mainly for digital signing, not for encryption; used in the US
  - Variant of the Schnorr and ElGamal signature algorithms
- ElGamal
  - Relies on the complexity of discrete logarithms

Slide 21: MD5, SHA

- Hash functions: part of the digital signature
- Goals:
  - Not reversible: can't obtain the message from its hash
  - Hash much shorter than the original message
  - Two messages won't have the same hash
- MD5 (R. Rivest)
  - 512 bits hashed into 128
  - Mathematical model still unknown
  - Recently (July 2004) broken; do not use on its own
- SHA (Secure Hash Algorithm)
  - US standard based on MD5
  - SHA-0 broken (July 2004), SHA-1 probably too weak (partly broken, full break alleged by Chinese researchers recently); use SHA-256 at least

Slide 22: Diffie-Hellman, "SSL", Certs

- Methods for key exchange and transport
- DH (1976) always generates a new "key-pair" for each asymmetric session
- Certificates are the most common way to exchange public keys
  - Foundation of Public Key Infrastructure (PKI)
- SSL uses a protocol to exchange keys safely, but also requires PKI

Slide 23: APIs of Today

- Microsoft CryptoAPI (CAPI) 2.0 is the interface to all CSPs
  - Cryptographic Service Providers
  - Built-in or smartcard-based
- .NET Framework 1.1 and 2.0 wrap most of the functionality of CAPI in classes:
  - System.Security.Cryptography and its subclasses: .Pkcs, .X509Certificates, .XML
- Or you can use the CAPICOM library

Slide 24: Cryptography of Tomorrow

Slide 25: Quantum Cryptography?

- Method for generating and passing a secret key or a random stream
  - Not for passing the actual data, but that's irrelevant
- Polarisation of light (photons) can be detected only in a way that destroys the "direction" (basis)
  - So if someone other than you observes it, you receive nothing useful and you know you were bugged
- Perfectly doable over an up-to-120km dedicated fibre-optic link
- Seems pretty perfect, if a bit tedious and slow
- Practical implementations still use AES/DES etc. for the actual encryption
  - Magiq QPN: http://www.magiqtech.com/press/qpn.pdf
- Don't confuse it with quantum computing, which won't be with us for at least another 50 years or so, or maybe longer...

Slide 26: More Practical Solution

- The US NSA and NIST recommendation as of Feb 2005 is to implement "Suite-B" protocols
- This is very rarely done in today's software
- Good news: Microsoft supports Suite-B in Windows Vista (and Longhorn Server)
  - For all internal implementations Microsoft will not use weaker algorithms than Suite-B
  - But, of course, they will support your choice to do so if you wish

Slide 27: Vista Supports NSA Suite B

www.nsa.gov/ia/industry/crypto_suite_b.cfm

- Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs
  - Except a small area of special-security needs (e.g. nuclear security), guided by Suite A (definition is classified)
- Announced by the NSA at the RSA conference in Feb 2005

Slide 28: Mathematical Designs

- Many cryptographic algorithms (e.g. DSA) rely on a class of mathematical designs related to the concept of discrete logarithms
- These can be implemented over the finite field of any abelian group
- Normally, this means using integers modulo a prime number
- Alternatively, elliptic curve groups could be used
  - This leads to ECC

Slide 29: Elliptic Curve Cryptography (ECC)

- More efficient design, using fewer bits of key for the same strength
- Breaking these designs seems even harder than traditional ones
- Leads to faster algorithms with fewer problems
- Primarily used to enhance algorithms of existing design, such as DSA

Slide 30: Suite-B Algorithms

- Encryption: AES
- Digital Signature: EC-DSA
- Key Exchange: EC-DH or EC-MQV
- Hashing: SHA-2

Slide 31: Suite-B Encryption

- AES
  - FIPS 197 (with key sizes of 128 and 256 bits)
  - This is a specific implementation of the Rijndael algorithm allowing use of 128-bit data blocks only
  - Keys of 192 bits are not used (although FIPS specifies them)
  - Please note that most 256-bit implementations are much slower than 128-bit ones
- In general, anything of 81 bits or more in this class of cryptography is considered "good enough" for typical commercial applications

Slide 32: Suite-B Digital Signatures

- Elliptic Curve Digital Signature Algorithm (EC-DSA)
  - FIPS 186-2 (using the curves with 256- and 384-bit prime moduli)
  - Microsoft also supports 521-bit keys
- This is the classical DSA algorithm applied over the algebra of finite fields of elliptic curves
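Slides 28 and 32 present DSA as one procedure that works over any suitable abelian group, integers modulo a prime or an elliptic curve. The following Python is added here and is not part of the original presentation: it writes the sign/verify steps once and runs them over both group types. The class and function names and the toy parameters (p=23, q=11, G=4, and the curve y^2 = x^3 + 2x + 2 over F_17 with G=(5,1) of order 19) are constructed for illustration and give no security.

```python
# Added example, not from the slides: one DSA sign/verify routine run over two
# abelian groups, integers mod p (classical DSA) and a tiny elliptic curve
# (EC-DSA). The group parameters are constructed toy values with no security.
import hashlib, secrets
class ModPGroup:                  # order-q subgroup of Z_p^* generated by G
    def __init__(self, p, q, G):
        self.p, self.q, self.G = p, q, G
    def add(self, A, B):          # group law is multiplication mod p
        return A * B % self.p
    def mul(self, A, k):          # "scalar multiplication" is exponentiation
        return pow(A, k, self.p)
    def coord(self, A):           # value reduced mod q to give r
        return A

class EcGroup:                    # y^2 = x^3 + a*x + b over F_p; None = infinity
    def __init__(self, p, a, b, G, q):
        self.p, self.a, self.b, self.G, self.q = p, a, b, G, q
    def add(self, P, Q):
        if P is None or Q is None: return P or Q
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0: return None   # P + (-P)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)
    def mul(self, P, k):          # double-and-add
        R = None
        while k:
            if k & 1: R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R
    def coord(self, P):           # x-coordinate reduced mod q to give r
        return P[0]
def _h(grp, msg):                 # SHA-256 digest reduced mod the group order
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % grp.q
def keygen(grp):                  # private scalar x, public element y = x*G
    x = secrets.randbelow(grp.q - 1) + 1
    return x, grp.mul(grp.G, x)
def sign(grp, x, msg):            # identical for both groups; retry if r or s is 0
    while True:
        k = secrets.randbelow(grp.q - 1) + 1
        r = grp.coord(grp.mul(grp.G, k)) % grp.q
        s = pow(k, -1, grp.q) * (_h(grp, msg) + x * r) % grp.q
        if r and s: return r, s
def verify(grp, y, msg, sig):
    r, s = sig
    if not (0 < r < grp.q and 0 < s < grp.q): return False
    w = pow(s, -1, grp.q)
    R = grp.add(grp.mul(grp.G, _h(grp, msg) * w % grp.q), grp.mul(y, r * w % grp.q))
    return R is not None and grp.coord(R) % grp.q == r

DSA_MOD_P = ModPGroup(p=23, q=11, G=4)            # 4 has order 11 in Z_23^*
EC_DSA = EcGroup(p=17, a=2, b=2, G=(5, 1), q=19)  # textbook curve with 19 points
```

Swapping the group object is the only difference between the two runs, which is what the slide means by "classical DSA applied over elliptic curves".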

Slide 33: Suite-B Key Exchange (1 of 2)

- Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
  - Draft NIST Special Publication 800-56 (using the curves with 256- and 384-bit prime moduli)
  - Microsoft will also support 521-bit keys
- Recall: DH allows two parties to generate and communicate a secret key to each other (removing the need for key transport)
  - It is susceptible to man-in-the-middle attacks, so it requires authentication in most applications
  - Usually done (not very efficiently) with digital signatures


Slide 34: Suite-B Key Exchange (2 of 2)

- EC-MQV: Menezes, Qu, and Vanstone protocol
  - Authenticated key exchange
  - Design similar to DH
  - Uses the discrete logarithm concept
  - Also requires a pre-existing, verified and trusted long-term public/private keypair
    - Which is only used for trust establishment, not for actual encryption or signing
    - This gives it an important forward-secrecy property
- Suite-B uses the EC implementation of MQV

Slide 35: Suite-B Hashing

- Secure Hash Algorithm
  - FIPS 180-2 (using SHA-256 and SHA-384)
- As MD5 and SHA-0 have been broken and SHA-1 has allegedly been broken, we do not have much choice
  - Almost no alternatives exist
- SHA-2 should suffice for a few years, but ultimately it must be replaced
- SHA-2 allows 224-, 256-, 384- and 512-bit lengths

Slide 36: APIs for Suite-B Today?

- There are no widely used or supported libraries or APIs for Suite-B in most of today's operating systems
- However...

Slide 37: Cryptography in Windows Vista and Longhorn

NB: All information subject to last-minute changes

Slide 38: Trusted Platform Module (TPM Chip Version 1.2)

- Hardware present in the computer, e.g. a chip on the motherboard
- Securely stores credentials, such as the private key of a machine certificate, and is crypto-enabled
- Effectively, the essence of a smart smartcard
- TPM can be used to request digital signing of code and files and for mutual authentication of devices
- See www.trustedcomputinggroup.org

Slide 39: BitLocker™ (Windows Vista Full Volume Encryption)

- BitLocker strongly encrypts and signs the entire hard drive using Suite-B
- TPM chip (see later) provides key management
- Can use additional protection factors such as a USB dongle, PIN or password
- Any unauthorised off-line modification to your data or OS is discovered and no access is granted
- Prevents attacks which use utilities that access the hard drive while Windows is not running, and enforces the Windows boot process
- Protection against data loss when a machine (laptop) has been stolen
- Essential part of Secure Startup
- Plan the data recovery strategy carefully: three scenarios supported (escrow, recovery agent, backup)

Slide 40: New Cryptography: CNG

- CAPI 1.0 is deprecated
  - May be dropped altogether in future Windows releases
- CNG: Cryptography Next Generation
  - Open cryptographic API for Windows Vista/Longhorn
  - Ability to plug in kernel- or user-mode implementations for:
    - Proprietary cryptographic algorithms
    - Replacements for standard cryptographic algorithms
    - Key Storage Providers (KSP)
  - Enables cryptography configuration at enterprise and machine levels

Slide 41: Regulatory Compliance

- Windows Vista CNG cryptography will comply with:
  - Common Criteria (CC): csrc.nist.gov/cc, currently in version 3
  - FIPS requirements for strong isolation and auditing
  - US NSA (National Security Agency) CSS (Central Security Service) Suite B

Slide 42: Main CNG Features

- Cryptography agnostic
- Kernel-mode for performance and security (better performance than CAPI 1.0)
- FIPS-140 Certification
  - 140-2 and Common Criteria (CC) on selected platforms
  - 140-1 everywhere
  - CC compliance for long-term key storage and audit
- Suite-B of course, but also supports all existing algorithms available through CryptoAPI 1.0
- Key Isolation and Storage using TPMs
- Developer-friendly model for plug-ins

Slide 43: CNG Design

- Three APIs within CNG:
  - Cryptography Primitives
    - The "main" API: all algorithms are here
  - Key Storage and Retrieval
    - Allows interaction with the new Key Storage Providers concept
    - Supports existing devices (smartcards) and future types of tokens
    - Interface for all secure key creation, including the EC-DH and EC-MQV* methods
    - Interface for import and export of keys using PKCS #7 and #8
  - Cryptography Configuration
    - For use and installation of additional cryptographic providers
- Read: msdn.microsoft.com/library/default.asp?url=/library/en-us/seccng/security/about_cng.asp?frame=true

Slide 44: Other APIs

- In addition to CNG:
  - .NET Framework 2.0: Microsoft will extend the .NET Fx library to cover CNG (not available at present)
  - TBS: TPM Base Services, for interaction with Trusted Platform Modules
  - Certificate Enrollment API

Slide 45: CNG: Cryptography Primitives Architecture

Slide 46: Using CNG: Two Models

- Depending on your needs, you use CNG with:
  - Algorithms and keys provided by a Key Storage Provider (such as smartcards)
    - All function names begin with "N", such as NCryptOpenStorageProvider
  - Algorithms and keys generated by the operating system's software providers
    - All function names begin with "B", such as BCryptOpenAlgorithmProvider
- I only explain "B" in the next slides, but "N" is very similar

Slide 47: Using CNG: Concepts

- Designed as a Win32 library (works in .NET)
- You don't need to be aware of any specific providers on your system (unlike in CryptoAPI)
- Instead, you request an algorithm, and the system offers you the default best available
  - Of course, you can always choose a specific provider if you prefer, by enumerating them first: BCryptEnumRegisteredProviders
  - You can check the properties of a provider before you use it: BCryptQueryProviderRegistration
  - You can register a specific provider: BCryptRegisterProvider
- This solves the problem of updates, when better implementations are found in the future

Slide 48: Using CNG: Encryption Steps

- Generally, follow this process:
  1. Open a CNG Algorithm Provider: BCryptOpenAlgorithmProvider
  2. Generate or import keys
  3. Calculate the size of the encrypted data: call BCryptEncrypt with NULL for the pbInput parameter
  4. Encrypt data by calling BCryptEncrypt again
     - Repeat this step as needed for all data, remembering to use the correct form of operating mode (chaining)
  5. Output or persist the result
  6. Close the provider, unless you want to cache it for later use: BCryptCloseAlgorithmProvider


TE
Ž
AVNOST: 200

49

Randomness


Use
BCryptGenRandom


You can use a specific algorithm,
otherwise the default is used, which
is FIPS
-
186
-
2 compliant


It uses entropy gathered by the
provider over the time


You can add your own entropy as a
parameter
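The Encryption Steps and Randomness slides above, as a Python script that is added here and is not from the original presentation or from Microsoft: it drives the named BCrypt functions through ctypes (Windows only, since it loads bcrypt.dll), makes the sizing call before the real BCryptEncrypt (in the documented signature it is the output buffer pointer that is passed as NULL for that call), and takes key and IV material from BCryptGenRandom. The helper names, the 32-byte key and 16-byte IV sizes, and the explicit CBC selection are this example's own choices.

```python
# Added example, not from the slides: the "B" (BCrypt) steps of the Encryption
# Steps and Randomness slides, driven from Python through ctypes. Windows only:
# it loads bcrypt.dll, so HAVE_CNG is False elsewhere and nothing is called.
import ctypes
import sys

HAVE_CNG = sys.platform == "win32"
BCRYPT_BLOCK_PADDING = 0x00000001             # pad the final block (PKCS#7 style)
BCRYPT_USE_SYSTEM_PREFERRED_RNG = 0x00000002  # BCryptGenRandom, NULL algorithm handle

def _check(status, call):                     # CNG returns NTSTATUS; 0 is STATUS_SUCCESS
    if status != 0:
        raise OSError(f"{call} failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")

def _crypt(fn, h_key, data, iv, name):
    # The CNG pattern: call once with a NULL output buffer to learn the size,
    # allocate, then call again to do the work. CNG overwrites the IV buffer
    # with chaining state, so every call gets its own copy of the IV.
    buf = ctypes.create_string_buffer(data, len(data))
    iv_buf = ctypes.create_string_buffer(iv, len(iv))
    needed = ctypes.c_ulong(0)
    _check(fn(h_key, buf, len(data), None, iv_buf, len(iv), None, 0,
              ctypes.byref(needed), BCRYPT_BLOCK_PADDING), name + " (size query)")
    out = ctypes.create_string_buffer(needed.value)
    _check(fn(h_key, buf, len(data), None, iv_buf, len(iv), out, needed.value,
              ctypes.byref(needed), BCRYPT_BLOCK_PADDING), name)
    return out.raw[:needed.value]

def cng_aes_cbc_roundtrip(plaintext: bytes) -> bytes:
    """Encrypt and then decrypt under AES-CBC with a fresh random key and IV."""
    b = ctypes.WinDLL("bcrypt")
    h_alg, h_key = ctypes.c_void_p(), ctypes.c_void_p()
    # 1. open the default provider for the algorithm; no provider name is needed
    _check(b.BCryptOpenAlgorithmProvider(ctypes.byref(h_alg), "AES", None, 0),
           "BCryptOpenAlgorithmProvider")
    try:
        # pick the mode of operation explicitly: a cryptosystem, not a bare block loop
        mode = ctypes.create_unicode_buffer("ChainingModeCBC")
        _check(b.BCryptSetProperty(h_alg, "ChainingMode", mode, ctypes.sizeof(mode), 0),
               "BCryptSetProperty")
        # 2. key material and IV from the system-preferred RNG, then a key object
        key, iv = ctypes.create_string_buffer(32), ctypes.create_string_buffer(16)
        for rnd in (key, iv):
            _check(b.BCryptGenRandom(None, rnd, ctypes.sizeof(rnd),
                                     BCRYPT_USE_SYSTEM_PREFERRED_RNG), "BCryptGenRandom")
        _check(b.BCryptGenerateSymmetricKey(h_alg, ctypes.byref(h_key), None, 0,
                                            key, ctypes.sizeof(key), 0), "BCryptGenerateSymmetricKey")
        # 3 + 4. size query, then the real call (same pattern for decryption)
        ciphertext = _crypt(b.BCryptEncrypt, h_key, plaintext, iv.raw, "BCryptEncrypt")
        return _crypt(b.BCryptDecrypt, h_key, ciphertext, iv.raw, "BCryptDecrypt")
    finally:
        # 6. release the key object and close the provider (unless you cache it)
        if h_key.value:
            b.BCryptDestroyKey(h_key)
        b.BCryptCloseAlgorithmProvider(h_alg, 0)
```

Run on Windows with `cng_aes_cbc_roundtrip(b"...")`; the returned bytes equal the input, and any non-zero NTSTATUS from a step is raised with the name of the failing call.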

Slide 50: Summary

- Today's cryptography has just accelerated its evolution
- Windows Vista and Longhorn Server will be at the front of innovation in this field
- You can benefit from the increased security by using BitLocker or APIs such as CNG
- It is an exciting time to be using cryptography!

Slide 51: References

- Visit msdn.microsoft.com/security and www.microsoft.com/technet/security
- Read sci.crypt (incl. archives)
- For more detail, read:
  - Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
  - Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
  - Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html)
  - Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
  - Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
  - PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
  - Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
  - Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)