Rafal Lukawiecki Strategic Consultant Project Botticelli Ltd Session Code: ARC303 Objectives And Agenda Outline data protection requirements Explain the status of today’s cryptography Introduce the cryptography.


1
Rafal Lukawiecki
Strategic Consultant
Project Botticelli Ltd
Session Code: ARC303
2
Objectives And Agenda
Outline data protection requirements
Explain the status of today’s cryptography
Introduce the cryptography APIs for Windows 7
and Windows Server 2008 R2
The information herein is for informational purposes only and represents the opinions and views of Project Botticelli and/or Rafal Lukawiecki. The
material presented is not certain and may vary based on several factors. Microsoft makes no warranties, express, implied or statutory, as to the
information in this presentation.
© 2009 Project Botticelli Ltd & Microsoft Corp. Some slides contain quotations from copyrighted materials by other authors, as individually
attributed. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of
Project Botticelli Ltd as of the date of this presentation. Because Project Botticelli & Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and Microsoft and Project Botticelli cannot guarantee the accuracy of
any information provided after the date of this presentation. MICROSOFT AND/OR PROJECT BOTTICELLI MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. E&OE.
3
Agenda
Data Protection Goals
State of Today’s Cryptography
Cryptography in Windows 7, Vista, and
Windows Server 2008 and R2
Demo: simple but fully working CNG code using
.NET Framework 3.5
Hidden Section {Crypto Primer}
4
Why Do We Need This Session?
Crypto is still cryptic, with lots of new stuff
You need Data Protection badly
For every good crypto choice apps make several
bad ones
Good crypto starts in the architecture
5
Data Protection Goals
6
Defense in Depth
Data
Application
Host
Internal Network
Perimeter
Physical Security
Policies, Procedures, &
Awareness
Cryptography
Application hardening
OS hardening, updates, BitLocker,
strong authentication, secure startup
Compartments, IPSec, IDS
Firewalls, VPN quarantine
Guards, locks, tracking devices,
HSM, TPM
User education against social
engineering
7
Data Protection is Important
DP is at the heart of all defence
It has to work when everything else has failed
DP is typically the only defence when physical
security has been broken
You need Data Protection in your application’s
architecture!
8
Essence of Data Protection
Protect secrets, customer data, private
information...
...by encrypting it with keys
Then, protect the keys:
Human memory (passwords + DPAPI)
Devices (smartcards, TPMs)
Paper (and a good safe)
Obfuscation (temporary protection)
9
Easiest Crypto, Please?
Just use DPAPI
System.Security.Cryptography
ProtectedData.Protect
ProtectedMemory.Protect
Takes care of looking after keys
Or, if you are brave enough – stay with us!
10
Advanced DP in .NET Frameworks
System.Security.Cryptography:
Rijndael, RSA, and DSA Managed providers and
CryptoStream
Full crypto, not FIPS-certified - .NET Fx 2.0, 3.0, 3.5
CNG wrappers for full, FIPS-certified cryptography - .NET Fx 3.5,
and the same in 4.0
System.Security.Cryptography.Xml
W3C XML Encryption and XML Signature standards
System.Security.Cryptography.Pkcs
PKCS#7 and Cryptographic Message Syntax (CMS) standards
11
Cryptography of Past, Present
and its Problems
12
XP Recommendation
If you cannot use Windows 7, Windows Server
2008, R2, or even Vista…
At present (Nov 2009), consider:
Rijndael or AES-128 (or AES-192, or AES-256)
RSA 4096 (arguably 3072 or longer)
“SHA-2” (i.e. SHA-256, or SHA-512)
DSA (or SHA-2/RSA signatures)
13
DES, IDEA, RC2, RC5, Twofish
Not Recommended
These are all symmetric non-recommendations
DES (Data Encryption Standard)
DO NOT USE DES!
Triple DES (3DES) more secure, but better options exist
IDEA (International Data Encryption Algorithm)
128-bit keys, but its design is weak by today’s standards
RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994) - similar to DES and IDEA
Blowfish, Twofish – Good, but not a standard
14
Rijndael & AES
Recommended
Present standard
Winner of AES (Advanced Encryption Standard) competition
NIST (US National Institute of Standards and Technology) 1997-2000
Comes from Europe (Belgium) by Joan Daemen and Vincent Rijmen
Recommended by NSA CNSSP-15 policy
Symmetric block-cipher (128, 192 or 256 bits) with
variable keys (128, 192 or 256 bits, too)
AES is a specific way of using Rijndael
.NET Fx 3.0 RijndaelManaged is a full Rijndael
.NET Fx 3.5 AesManaged is a standards-compliant version
of Rijndael
15
CAST and GOST
Not used widely anymore – avoid
CAST
Canadians Carlisle Adams & Stafford Tavares
64-bit key and 64-bit data blocks – not enough
GOST
Soviet Union’s “version” of DES but with a clearer
design and many more repetitions of the process
256 bit key but really 610 bits of secret, so pretty
much “tank quality”
Backdoor? Who knows… 
16
Rely on Cryptosystems
Never use just an algorithm
Always use entire cryptosystem
E.g.
AES used in a simple “loop” (each block encrypted independently) to encrypt a stream of data
destroys security
Use a block chaining mode
CNG supports CBC and CFB, and as of Vista SP1/WS08 also CCM and
GCM
Easiest way: .NET Fx CryptoStream applies your
chosen symmetric algorithm correctly
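An added example (not from the slides or the demo) of why the “simple loop” destroys security: ECB leaves identical plaintext blocks identical in the ciphertext, CBC does not. Because the Python standard library has no AES, a small 4-round Feistel network (toy_block_encrypt, an assumption of this example, not a real cipher) stands in for the block cipher; the mode logic is exactly what a real AES-CBC does.

```python
import hashlib

BLOCK = 16  # AES-sized 128-bit blocks; inputs below are whole blocks (padding not shown)

def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Feistel round function: a keyed hash of one half-block, truncated to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    # Toy 4-round Feistel network standing in for AES (assumed here, not a real cipher).
    # Like any block cipher it is a keyed permutation: equal inputs give equal outputs.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(r, key, rnd))
    return r + l

def toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _f(r, key, rnd))
    return r + l

def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    # "AES in a simple loop": every block is encrypted independently (ECB)
    return b"".join(toy_block_encrypt(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))

def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Cipher Block Chaining: each plaintext block is XORed with the previous ciphertext block
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(_xor(data[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_block_decrypt(ct[i:i + BLOCK], key), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier one; ECB leaks plaintext repetition this way
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))
```

With a constructed plaintext of four identical blocks, ecb_encrypt yields three duplicate ciphertext blocks while cbc_encrypt yields none; in .NET the same difference is CipherMode.ECB versus the default CipherMode.CBC that CryptoStream applies.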
17
Dangerous Implementations
Cryptographic applications from not-well-known sources
I “just downloaded this library”
Insist on using built-in systems where possible:
Microsoft OS: CNG, CAPI, CAPICOM etc.
Smartcards: certified CSPs/KSPs
Elsewhere: FIPS-140-2 compliant implementations
See csrc.nist.gov/cryptval
18
RC4
Generally Not Recommended
Symmetric
Fast, streaming encryption
R. Rivest in 1994
Originally secret, but “published” on sci.crypt
Related to “one-time pad”, theoretically most secure
But!
It relies on a really good random number generator
And that is a problem
Nowadays: use AES with a chaining mode
19
XP/2003 Era of Crypto APIs
Still used and supported
Microsoft CryptoAPI (CAPI) 2.0 was the interface
to all CSPs
Cryptographic Service Providers
Built-in or smartcard-based
.NET Framework 1.1, 2.0, and 3.0 wrap
most of the functionality of CAPI in namespace
System.Security.Cryptography
Or you could use the CAPICOM library
23
Contemporary Cryptography
24
The Golden Standard
US NSA and NIST recommended “Suite-B”
protocols
Microsoft supports Suite-B only in Windows 7,
Windows Server 2008 and R2, and Vista
Internally Windows does not use weaker
algorithms than Suite-B
But, of course, you can if you wish – please don’t except
for backwards compatibility
26
Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm
Mandatory set of cryptographic algorithms for
non-classified and classified (SECRET and TOP SECRET) USG needs since 2008
Except a small area of special-security needs (e.g.
nuclear security) – guided by Suite A (definition is,
naturally, classified)
Widely used world-wide, as of 2009
27
Mathematical Designs
Many cryptographic algorithms (e.g. DSA) rely
on a class of mathematical designs related to
the concept of discrete logarithms
These can be implemented in any finite abelian
group
Normally, this means using integers modulo a
prime number
Alternatively, elliptic curve groups could be used
28
Elliptic Curve Cryptography
ECC
More efficient design,
fewer bits of key
Harder to break
Significantly faster
algorithms
Used to enhance existing
algorithms, such as DH or
DSA
29
Suite-B Algorithms
Encryption: AES
Digital Signature: EC-DSA
Key Exchange: EC-DH or EC-MQV
Hashing: SHA-2
30
Suite-B Encryption
AES
FIPS 197 (with key sizes of 128 and 256 bits)
Rijndael with 128 bit data blocks only
Keys of 192 bits not used
Most 256 bit implementations much slower
than 128
Anything of 84 bits or more in this class considered
“good enough” commercially (Nov 2009)
31
Suite-B Digital Signatures
Elliptic Curve Digital Signature Algorithm (ECDSA)
FIPS 186-2 (using the curves with 256 and 384-bit
prime moduli)
Microsoft also supports 521-bit keys
Classical DSA applied over the group of points of an
elliptic curve defined over a finite field
32
Suite-B Key Exchange
The Best Bit of Suite-B
Elliptic Curve Diffie-Hellman (or Elliptic Curve
MQV)
Curves with 256 and 384-bit prime moduli
Microsoft also supports 521-bit keys
Susceptible to man-in-the-middle attack
So requires authentication
Using digital signatures, certificates, or pre-shared
secrets
33
Diffie-Hellman Conceptually
This is non-EC, normal DH
1. Alice and Bob openly agree on a (large) prime number p and a base integer g
p = 83, g = 8
2. Alice chooses a private secret integer a = 9, and then sends Bob the public value (g^a) mod p
(8^9) mod 83 = 5
3. Bob chooses a private secret integer b = 21, and then sends Alice the public value (g^b) mod p
(8^21) mod 83 = 18
4. Alice computes ((g^b mod p)^a) mod p
(18^9) mod 83 = 24
5. Bob computes ((g^a mod p)^b) mod p
(5^21) mod 83 = 24
24 is the shared secret – never sent over the network!
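The exchange above carried out in Python, as an added example that is not part of the slides or the demo: a square-and-multiply modular exponentiation reproduces the slide’s numbers, works for any prime p and base g, and finishes by hashing the shared secret with SHA-256 in the spirit of the ECDiffieHellmanCng KeyDerivationFunction.Hash setting shown later in the deck. The names mod_pow, Party and run_exchange are this example’s own.

```python
import hashlib


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply modular exponentiation (same result as pow(base, exp, mod))."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


class Party:
    """One side of a classic (non-EC) Diffie-Hellman exchange over the integers mod p."""

    def __init__(self, p: int, g: int, secret: int):
        self.p, self.g, self.secret = p, g, secret
        self.public = mod_pow(g, secret, p)  # this value is the one sent openly

    def shared_secret(self, other_public: int) -> int:
        # (other party's public value) ^ (my private secret) mod p; never transmitted
        return mod_pow(other_public, self.secret, self.p)

    def derive_key(self, other_public: int) -> bytes:
        # Like the slides' KeyDerivationFunction.Hash with SHA-256: hash the raw shared
        # secret into fixed-size key material instead of using the integer directly
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(self.shared_secret(other_public).to_bytes(width, "big")).digest()


def run_exchange(p: int, g: int, a: int, b: int):
    """Returns (Alice's public value, Bob's public value, shared secret, derived key)."""
    alice, bob = Party(p, g, a), Party(p, g, b)
    s_alice, s_bob = alice.shared_secret(bob.public), bob.shared_secret(alice.public)
    assert s_alice == s_bob, "both sides must compute the same secret"
    return alice.public, bob.public, s_alice, alice.derive_key(bob.public)


if __name__ == "__main__":
    # The slide's numbers: p = 83, g = 8, a = 9, b = 21
    pub_a, pub_b, secret, key = run_exchange(83, 8, 9, 21)
    print(f"Alice sends {pub_a}, Bob sends {pub_b}, shared secret = {secret}")
    print("SHA-256 derived key:", key.hex())
```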
34
Suite-B Hashing
Secure Hash Algorithm “2”
FIPS 180-2 (using SHA-256 and SHA-384)
MD5 and SHA-0 have been broken and SHA-1
has been theoretically and allegedly practically
broken
SHA-2 should suffice for a few years, but
ultimately it must be replaced
SHA-2 allows: 224, 256, 384, and 512 bit lengths
36
APIs for Suite-B Today?
That’s what we have been waiting for
37
Cryptography APIs for Suite-B
38
Cryptographic Next Generation API
CNG
CAPI 1.0 has been deprecated
May be dropped in future Windows
CNG
Open cryptographic API for Windows 7, Server
2008 and R2, and Vista
Plug in kernel or user mode algorithms
Enables policy-based enterprise crypto
configuration
39
Main CNG Features
1. Cryptography agnostic
2. Kernel-mode for performance and security (better performance
than CAPI 1.0)
3. Aim for FIPS-140 Certification
140-2 and Common Criteria (CC) on selected platforms
140-1 everywhere
Aim for CC compliance for long-term key storage and audit
4. Suite-B of course, but also supports all existing algorithms
available through CryptoAPI 1.0
5. Key Isolation and Storage using TPMs
6. Developer-friendly model for plug-ins
40
Other APIs
In addition to CNG:
.NET Framework
System.Security.Cryptography
3.0 does not manage CNG
3.5 and 4.0 manage CNG
TBS: TPM Base Services
For interaction with Trusted Platform Modules
Certificate Enrolment API
42
CNG: Cryptographic Primitives
Architecture
43
So, Who Encrypts?
Reason for the Two APIs
Use the “B-API” if you want the OS to do all the encryption
Microsoft implementation or one you have added
Realistically: use for symmetric encryption
Use the “N-API” if you have a smartcard, HSM (hardware security
module), a TPM, or a suitable CSP
All computations are performed by the device
Realistically: use for key exchange only
Generally, the OS has little or nothing to do
45
Using CNG – Encryption Steps
Follow this process:
1. Open a CNG Algorithm Provider
BCryptOpenAlgorithmProvider
2. Generate or import keys
3. Calculate the size of encrypted data
Call BCryptEncrypt with NULL for the pbInput parameter
4. Encrypt data by calling BCryptEncrypt again
Repeat this step as needed using chaining (not loop)
5. Output the result
6. Close the provider, unless caching, and clean-up
BCryptCloseAlgorithmProvider
47
Randomness
Use BCryptGenRandom
The default generator is at least FIPS-186-2 compliant
Uses entropy gathered over time
You can add your own entropy
You can also specify a different generator for all calls
Needless to say, do not use Rnd() etc. from your
favourite language 
48
CNG and .NET Fx 3.5 and 4.0
New algorithms:
AesCryptoServiceProvider,
ECDiffieHellmanCng, ECDSACng, SHA1Cng,
SHA256Cng, SHA384Cng, SHA512Cng
Avoid “old” (.NET 3.0 and earlier) providers
No FIPS certification
Harder to use
CngKey wraps “NCrypt”
And some functionality of “BCrypt”
Use CngUIPolicy to enforce user actions on
private keys
50
Using .NET Fx 3.5 and CNG
1. Sender and recipient use CngKey to access or
generate their private/public key-pairs
CngKey will use your security device if present
2. Parties exchange their public key (serialising and/or
wrapping it)
3. Sender and recipient use ECDiffieHellmanCng to
generate a shared secret key by deriving it from their
own and other party’s keys
4. Use AesCryptoServiceProvider and the
CryptoStream to encrypt data
51
Use of ECDiffieHellmanCng
// First, point CngKey to your security device or a CSP
// (the parameterless constructor instead generates a new 521-bit key pair in software)
ECDiffieHellmanCng sender = new ECDiffieHellmanCng();
sender.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
sender.HashAlgorithm = CngAlgorithm.Sha256;
ECDiffieHellmanCng recipient = new ECDiffieHellmanCng();
recipient.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
recipient.HashAlgorithm = CngAlgorithm.Sha256;
// Exchange each party's PublicKey by serialising it (PublicKey.ToByteArray()) and sending it
byte[] recipientKey = recipient.DeriveKeyMaterial(sender.PublicKey);
byte[] senderKey = sender.DeriveKeyMaterial(recipient.PublicKey);
// Both arrays now hold the same 32-byte (SHA-256) key material
52
Conceptual Use of AES with CNG
// Remember the IV (in plaintext) – it can be random, but the recipient needs it to decrypt
AesCryptoServiceProvider myAES = new AesCryptoServiceProvider(); // a random Key and IV are generated here
myAES.Key = senderKey; // the 32-byte key material derived by ECDiffieHellmanCng on the previous slide
FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);
fsEncrypted.Write(myAES.IV, 0, myAES.IV.Length); // store the IV in front of the ciphertext
ICryptoTransform aesencrypt = myAES.CreateEncryptor(); // default mode is CBC with PKCS7 padding
CryptoStream myCryptoStream = new CryptoStream(fsEncrypted, aesencrypt, CryptoStreamMode.Write);
// Now just write to myCryptoStream like a normal file stream – the output will be encrypted
// Finish with myCryptoStream.FlushFinalBlock() (or Dispose) so the last padded block is written
53
CNG in Action
54
References
Get a bigger CNG sample from:
http://msdn.microsoft.com/en-us/library/cc488018.aspx
My demo (and this PPT) at: http://projectbotticelli.com/downloads/public/
Read sci.crypt (incl. archives), subscribe to Cryptogram
For more detail, read:
Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5,
see http://www.esecurity.ch/Books/cryptography.html)
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied Cryptography, A.J. Menezes, CRC Press,
ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of Cryptography, O. Goldreich,
www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++, M. Welschenbach, Apress,
ISBN 1-893115-95-X (includes code samples CD)
55
Summary
Today’s cryptography has just accelerated its
evolution
Windows Vista and Windows Server 2008 are at
the front of innovation in this field
Unleash the awesome power of Suite-B with
CNG by using .NET Framework 3.5!
56
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand &
Community
Microsoft Certification & Training
Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
57
Complete an evaluation
on CommNet and enter to
win an Xbox 360 Elite!
58
Please join us for the
Community Drinks this evening
In Halls 3 & 4
from 18:15 – 19:30
59
60