TE
Ž
AVNOST: 200
New Cryptography
Raf
a
l L
ukawiecki
Strategic Consultant
rafal@projectbotticelli.co.uk
Project Botticelli Ltd
This presentation is based on work from MSDN.
TE
Ž
AVNOST: 200
2
Objectives
•
Explain the status and some of the
problems of today’s cryptography
•
Discuss solutions for the problems
•
Introduce the new APIs for using
newer forms of cryptography
TE
Ž
AVNOST: 200
3
Agenda
•
Cryptography of Present
•
Cryptography of Tomorrow
•
Cryptography in Windows Vista and
Longhorn
TE
Ž
AVNOST: 200
12
Cryptography of
Present
TE
Ž
AVNOST: 200
13
Today’s Recommendation
•
At present (June 2006), consider
using the following cryptographic
mechanisms available in Windows in
preference to others:
–
AES

128 (or AES

192, or AES

256)
–
RSA 2048 (or longer)
–
“SHA

2” (i.e. SHA

256, or SHA

512)
–
DSA (or SHA

2/RSA signatures)
TE
Ž
AVNOST: 200
14
DES, IDEA, RC2, RC5, Twofish
Not Recommended
•
Symmetric
•
DES (Data Encryption Standard) is popular
–
DO NOT USE DES!
–
Keys very short: 56 bits
–
Brute

force attack took 3.5 hours on a machine costing US$1m
in 1993. Today it is done real

time
–
Triple DES (3DES) more secure, but better options exist
•
IDEA (International Data Encryption Standard)
–
Deceptively similar to DES, and “not” from NSA
–
128 bit keys, OK but we have better ones
•
RC2 & RC5 (by R. Rivest)
–
RC2 is older and RC5 newer (1994)

similar to DES and IDEA
•
Blowfish, Twofish
–
OK, but not a standard
–
B. Schneier’s replacement for DES, followed by Twofish, one of
the NIST competition finalists
TE
Ž
AVNOST: 200
15
Rijndael (AES)
Recommended
•
Current US standard
–
Winner of the AES (Advanced Encryption Standard)
competition run by NIST (National Institute of Standards
and Technology in US) in 1997

2000
–
Comes from Europe (Belgium) by Joan Daemen and
Vincent Rijmen. “X

files” stories less likely (unlike DES).
•
Symmetric block

cipher (128, 192 or 256 bits)
with variable keys (128, 192 or 256 bits, too)
•
Fast and a lot of good properties, such as good
immunity from timing and power (electric)
analysis
•
Construction, again, deceptively similar to DES
(S

boxes, XORs etc.) but really different
TE
Ž
AVNOST: 200
16
CAST and GOST
Not used widely anymore
–
avoid
•
CAST
–
Canadians Carlisle Adams & Stafford Tavares
–
64 bit key and 64 bit of data
–
Chose your S

boxes
–
Seems resistant to differential & linear cryptanalysis and
only way to break is brute force (but key is a bit short!)
•
GOST
–
Soviet Union’s “version” of DES but with a clearer design
and many more repetitions of the process
–
256 bit key but really 610 bits of secret, so pretty much
“tank quality”
–
Backdoor? Who knows…
TE
Ž
AVNOST: 200
17
Rely on Cryptosystems
•
Indeed: never use just an algorithm, but an
entire
cryptosystem
•
For example:
–
If you use DES etc. in a simple “loop” to encrypt a
stream of data you literally lose all security
–
Instead: use a technique designed for adapting an
algorithm to a streams of data, such as CBC (Cipher
Block Chaining)
•
Microsoft never implement just an algorithm
–
always a complete cryptosystem, e.g. RSA

OAEP
etc.
•
Do it just by using built

in cryptographic
systems, such as various Microsoft CSPs etc.
TE
Ž
AVNOST: 200
18
Dangerous Implementations
•
Cryptographic applications from not

well

known sources
•
“Just downloaded libraries” used by your
in

house developers
•
Insist on using built

in systems where
possible:
–
Microsoft OS: CAPI, CAPICOM, MS CSP etc.
–
Smartcards: certified CSPs
–
Elsewhere: FIPS

140

2 compliant
implementations
•
See csrc.nist.gov/cryptval
TE
Ž
AVNOST: 200
19
RC4
Generally Not Recommended
•
Symmetric
–
Fast, streaming encryption
•
R. Rivest in 1994
–
Originally secret, but “published” on sci.crypt
•
Related to “one

time pad”, theoretically most
secure
•
But!
•
It relies on a really good random number
generator
–
And that is the problem
•
Nowadays, we tend to use block ciphers in modes
of operation that work for streams
TE
Ž
AVNOST: 200
20
RSA, DSA, ElGamal
•
Asymmetric
–
Slow and computationally expensive
–
need a computer
–
Security increasingly being questioned
•
Rivest, Shamir, Adleman
–
1978
–
Popular and well researched
–
Strength in today’s inefficiency to factorise into prime
numbers
–
Some worries about key generation process in some
implementations
•
DSA (Digital Signature Algorithm)
–
Mainly for digital signing, not for encryption, used in US
–
Variant of Schnorr and ElGamal signature algorithm
•
ElGamal
–
Relies on complexity of discrete logarithms
TE
Ž
AVNOST: 200
21
MD5, SHA
•
Hash functions
–
part of the digital signature
•
Goals:
–
Not reversible: can’t obtain the message from its hash
–
Hash much shorter than original message
–
Two messages won’t have the same hash
•
MD5 (R. Rivest)
–
512 bits hashed into 128
–
Mathematical model still unknown
–
Recently (July 2004) broken, do not use on its own
•
SHA (Secure Hash Algorithm)
–
US standard based on MD5
–
SHA

0 broken (July 2004), SHA

1 probably too weak
(partly broken, full break alleged by Chinese recently),
use SHA

256 at least
TE
Ž
AVNOST: 200
22
Diffie

Hellman, “SSL”, Certs
•
Methods for key exchange and transport
•
DH (1976) always generates a new “key

pair” for each asymmetric session
•
Certificates are the most common way to
exchange public keys
–
Foundation of Public Key Infrastructure (PKI)
•
SSL uses a protocol to exchange keys
safely, but also requires PKI
TE
Ž
AVNOST: 200
23
APIs of Today
•
Microsoft CryptoAPI (CAPI) 2.0 is the
interface to all CSPs
–
Cryptographic Service Providers
•
Built

in or smartcard

based
•
.NET Framework 1.1 and 2.0 wraps most
of the functionality of CAPI in classes:
–
System.Security.Cryptography and its
subclasses:
•
.Pkcs
•
.X509Certificates
•
.XML
•
Or you can use the CAPICOM library
TE
Ž
AVNOST: 200
24
Cryptography of
Tomorrow
TE
Ž
AVNOST: 200
25
Quantum Cryptography?
•
Method for generating and passing a secret key or a
random stream
–
Not for passing the actual data, but that’s irrelevant
•
Polarisation of light (photons) can be detected only in a way
that destroys the “direction” (basis)
–
So if someone other than you observes it, you receive nothing
useful and you know you were bugged
•
Perfectly doable over up

to

120km
dedicated
fibre

optic
link
–
Seems pretty perfect, if a bit tedious and slow
–
Practical implementations still use AES/DES etc. for actual
encryption
•
Magiq QPN:
http://www.magiqtech.com/press/qpn.pdf
•
Don’t confuse it with quantum computing, which won’t be
with us for at least another 50 years or so, or maybe
longer…
TE
Ž
AVNOST: 200
26
More Practical Solution
•
US NSA and NIST recommendation as of
Feb 2005 is to implement “Suite

B”
protocols
•
This is very rarely done in today’s
software
•
Good news: Microsoft supports Suite

B in
Windows Vista (and Longhorn Server)
–
For all internal implementations Microsoft will
not use weaker algorithms than Suite

B
•
But, of course, they will support your choice to do so
if you wish
TE
Ž
AVNOST: 200
27
Vista Supports NSA Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
•
Required cryptographic algorithms
for all US non

classified and
classified (SECRET and TOP

SECRET)
needs
–
Except a small area of special

security
needs (e.g. nuclear security)
–
guided
by Suite A (definition is classified)
–
Announced by NSA at RSA conference in
Feb 2005
TE
Ž
AVNOST: 200
28
Mathematical Designs
•
Many cryptographic algorithms (e.g. DSA)
rely on a class of mathematical designs
related to the concept of
discrete
logarithms
•
These can be implemented over the
finite
field
of any
abelian group
–
Normally, this means using integers modulo a
prime number
•
Alternatively,
elliptic curve
groups could
be used
–
This leads to ECC
TE
Ž
AVNOST: 200
29
Elliptic Curve Cryptography
ECC
•
More efficient design, using fewer
bits of key for the same strength
•
Breaking these designs seems even
harder than traditional ones
•
Leads to faster algorithms with fewer
problems
•
Primarily used to enhance algorithms
of existing design, such as DSA
TE
Ž
AVNOST: 200
30
Suite

B Algorithms
•
Encryption: AES
•
Digital Signature: EC

DSA
•
Key Exchange: EC

DH or EC

MQV
•
Hashing: SHA

2
TE
Ž
AVNOST: 200
31
Suite

B Encryption
•
AES
–
FIPS 197 (with keys sizes of 128 and 256 bits)
–
This is a specific implementation of Rijndael algorithm
allowing use of 128 bit data blocks only
–
Keys of 192 bits are not used (although FIPS specifies
them)
•
Please note that most 256 bit implementations
are much slower than 128 bits
•
In general, anything of 81 bits or more in this
class of cryptography is considered “good
enough” for typical commercial applications
TE
Ž
AVNOST: 200
32
Suite

B Digital Signatures
•
Elliptic Curve Digital Signature
Algorithm (EC

DSA)
–
FIPS 186

2 (using the curves with 256
and 384

bit prime moduli)
•
Microsoft also supports 521

bit keys
•
This is a classical DSA algorithm
applied over the algebra of finite
fields of elliptic curves
TE
Ž
AVNOST: 200
33
Suite

B Key Exchange (1 of 2)
•
Elliptic Curve Diffie

Hellman or Elliptic Curve MQV
–
Draft NIST Special Publication 800

56 (using the curves
with 256 and 384

bit prime moduli)
–
Microsoft will also support 521

bit keys
•
Recall: DH allows two parties to generate and
communicate a secret key to each other
(removing the need for key transport)
•
It is susceptible to man

in

the

middle attacks, so
it requires authentication in most applications
–
Usually done (not very efficiently) with digital signatures
TE
Ž
AVNOST: 200
34
Suite

B Key Exchange (2 of 2)
•
EC

MQV: Menezes, Qu, and Vanstone
protocol
•
Authenticated key exchange
•
Design similar to DH
–
Uses the discrete logarithm concept
–
Also requires a pre

existing, verified and
trusted long

term public/private keypair
•
Which is only used for trust establishment, not for
actual encryption or signing
•
This gives it an important forward

secrecy property
•
Suite

B uses the EC implementation of
MQV
TE
Ž
AVNOST: 200
35
Suite

B Hashing
•
Secure Hash Algorithm
–
FIPS 180

2 (using SHA

256 and SHA

384)
•
As MD5 and SHA

0 have been broken and
SHA

1 has been allegedly broken we do
not have much choice
–
Almost no alternatives exist
•
SHA

2 should suffice for a few years, but
ultimately it must be replaced
–
SHA

2 allows: 224, 256, 384, and 512 bit
lengths
TE
Ž
AVNOST: 200
36
APIs for Suite

B Today?
•
There are no widely used or
supported libraries or APIs for Suite

B and most operating systems of
today
•
However…
TE
Ž
AVNOST: 200
37
Cryptography in
Widows Vista and
Longhorn
NB: All Information Subject to Last

Minute Changes
TE
Ž
AVNOST: 200
38
Trusted Platform Module
TPM Chip Version 1.2
•
Hardware present in the computer, e.g.
a chip on the motherboard
•
Securely stores credentials, such as a
private key of a machine certificate and
is crypto

enabled
–
Effectively, the essence of a smart
smartcard
•
TPM can be used to request digital
signing of code and files and for mutual
authentication of devices
•
See www.trustedcomputinggroup.org
TE
Ž
AVNOST: 200
39
BitLocker™
Windows Vista Full Volume Encryption
•
BitLocker strongly encrypts and signs the entire hard drive
using Suite

B
–
TPM chip (see later) provides key management
–
Can use additional protection factors such as a USB dongle,
PIN or password
•
Any unauthorised off

line modification to your data or OS is
discovered and no access is granted
–
Prevents attacks which use utilities that access the hard drive
while Windows is not running and enforces Windows boot
process
•
Protection against data loss when machine (laptop) has
been stolen
•
Essential part of the Secure Startup
–
Plan data recovery strategy carefully
–
three scenarios
supported (escrow, recovery agent, backup)
TE
Ž
AVNOST: 200
40
New Cryptography: CNG
•
CAPI 1.0 is deprecated
–
May be dropped altogether in future Windows
releases
•
CNG: Cryptography Next Generation
–
Open cryptographic API for Windows
Vista/Longhorn
–
Ability to plug in kernel or user mode
implementations for:
•
Proprietary cryptographic algorithms
•
Replacements for standard cryptographic algorithms
•
Key Storage Providers (KSP)
–
Enables cryptography configuration at
enterprise and machine levels
TE
Ž
AVNOST: 200
41
Regulatory Compliance
•
Windows Vista CNG cryptography will
comply with:
–
Common Criteria (CC)
•
csrc.nist.gov/cc
•
Currently in version 3
–
FIPS requirements for strong isolation
and auditing
–
US NSA (National Security Agency) CSS
(Central Security Service) Suite B
TE
Ž
AVNOST: 200
42
Main CNG Features
•
Cryptography agnostic
•
Kernel

mode for performance and security
(better performance than CAPI 1.0)
•
FIPS

140 Certification
–
140

2 and Common Criteria (CC) on selected platforms
–
140

1 everywhere
•
CC compliance for long

term key storage and
audit
•
Suite

B of course, but also supports all existing
algorithms available through CryptoAPI 1.0
•
Key Isolation and Storage using TPMs
•
Developer

friendly model for plug

ins
TE
Ž
AVNOST: 200
43
CNG Design
•
Three APIs within CNG:
–
Cryptography Primitives
•
The “main” API: all algorithms are here
–
Key Storage and Retrieval
•
Allows interaction with the new Key Storage Providers
concept
–
Supports existing devices (smartcards) and future types of
tokens
•
Interface for all secure key creation, including the EC

DH
and EC

MQV* methods
•
Interface for import and export of keys using PKCS #7 and
#8
–
Cryptography Configuration
•
For use and installation of additional cryptographic
providers
Read:
msdn.microsoft.com/library/default.asp?url=/library/en

us/seccng/security/about_cng.asp?frame=true
TE
Ž
AVNOST: 200
44
Other APIs
•
In addition to CNG:
–
.NET Framework 2.0
•
Microsoft will extend the .NET Fx library to
cover CNG (not available at present)
–
TBS: TPM Base Services
•
For interaction with Trusted Platform
Modules
–
Certificate Enrollment API
TE
Ž
AVNOST: 200
45
CNG: Cryptography Primitives Architecture
TE
Ž
AVNOST: 200
46
Using CNG
–
Two Models
•
Depending on your needs, you use CNG
with:
–
Algorithms and keys provided by a Key
Storage provider (such as smartcards)
•
All function names begin with “N”, such as
NCryptOpenStorageProvider
–
Algorithms and keys generated by the
operating system’s software providers
•
All function names begin with “B”, such as
BCryptOpenAlgorithmProvider
•
I only explain “B” in next slides, but “N” is
very similar
TE
Ž
AVNOST: 200
47
Using CNG

Concepts
•
Designed as a Win32 library (work in .NET)
•
You don’t need to be aware of any specific
providers on your system (unlike in CryptoAPI)
•
Instead, you request an algorithm, and the
system offer you the default best available
–
Of course, you can always chose a specific provider if
you prefer, by enumerating them first
•
BCryptEnumRegisteredProviders
–
You can check properties of a provider before you use it
•
BCryptQueryProviderRegistration
–
You can register a specific provider
•
BCryptRegisterProvider
•
This solves the problem of updates, when better
implementations are found in the future
TE
Ž
AVNOST: 200
48
Using CNG
–
Encryption Steps
•
Generally, follow this process:
–
Open a CNG Algorithm Provider
•
BCryptOpenAlgorithmProvider
–
Generate or import keys
–
Calculate the size of encrypted data
•
Call
BCryptEncrypt
with NULL for pbInput paramter
–
Encrypt data by calling
BCryptEncrypt
again
•
Repeat this step as needed for all data, remembering
to use the correct form of operating mode (chaining)
–
Output or persist the result
–
Close the provider, unless you want to cache it
for later use
•
BCryptCloseAlgorithmProvider
TE
Ž
AVNOST: 200
49
Randomness
•
Use
BCryptGenRandom
•
You can use a specific algorithm,
otherwise the default is used, which
is FIPS

186

2 compliant
–
It uses entropy gathered by the
provider over the time
–
You can add your own entropy as a
parameter
TE
Ž
AVNOST: 200
50
Summary
•
Today’s cryptography has just accelerated
its evolution
•
Windows Vista and Longhorn Servers will
be at the front of innovation in this field
•
You can benefit from the increased
security by using BitLocker or the APIs
such as CNG
•
It is an exciting time to be using
cryptography!
TE
Ž
AVNOST: 200
51
References
•
Visit
msdn.microsoft.com/security
and
www.microsoft.com/technet/security
•
Read sci.crypt (incl. archives)
•
For more detail, read:
–
Cryptography: An Introduction, N. Smart, McGraw

Hill, ISBN 0

07

709987

7
–
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0

471

22357

3
–
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1

58053

642

5 (to be published May 2005, see
http://www.esecurity.ch/Books/cryptography.html
)
–
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0

471

11709

9
–
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0

8493

8523

7,
www.cacr.math.uwaterloo.ca/hac
(free PDF)
–
PKI, A. Nash et al., RSA Press, ISBN 0

07

213123

3
–
Foundations of Cryptography, O. Goldereich,
www.eccc.uni

trier.de/eccc

local/ECCC

Books/oded_book_readme.html
–
Cryptography in C and C++, M. Welschenbach, Apress,
ISBN 1

893115

95

X (includes code samples CD)
Comments 0
Log in to post a comment